diff -Nur --exclude '.*' portage-2.0.51.20.orig/bin/ebuild.sh portage-2.0.51.20.installwatch/bin/ebuild.sh --- portage-2.0.51.20.orig/bin/ebuild.sh 2005-04-20 08:19:03.000000000 -0700 +++ portage-2.0.51.20.installwatch/bin/ebuild.sh 2005-04-27 17:18:17.000000000 -0700 @@ -1119,12 +1119,42 @@ trap SIGINT SIGQUIT } +iw_begin() { + export SANDBOX_ON="1" + export SANDBOX_WRITE="/" + export SANDBOX_DEBUG="1" + export SANDBOX_DEBUG_LOG="$INSTALLWATCHFILE" +} + +iw_end() { + export SANDBOX_ON="0" + unset SANDBOX_DEBUG + unset SANDBOX_DEBUG_LOG + + # forget read only operations + sed -i \ + -e 's/^open_rd:.*//' \ + -e 's/^execve:.*//' \ + -e 's/^opendir:.*//' \ + -e 's/^open_wr: *\/dev\/null$//' \ + $INSTALLWATCHFILE + + # remove the empty lines + local TMPFILE="`tempfile`" + egrep -v '^$' $INSTALLWATCHFILE > $TMPFILE + cat $TMPFILE > $INSTALLWATCHFILE + rm $TMPFILE + + unset INSTALLWATCHFILE +} + dyn_preinst() { # set IMAGE depending if this is a binary or compile merge [ "${EMERGE_FROM}" == "binary" ] && IMAGE=${PKG_TMPDIR}/${PF}/bin \ || IMAGE=${D} - + [ -n "$INSTALLWATCHFILE" ] && iw_begin pkg_preinst + [ -n "$INSTALLWATCHFILE" ] && iw_end # hopefully this will someday allow us to get rid of the no* feature flags # we don't want globbing for initial expansion, but afterwards, we do @@ -1749,6 +1779,7 @@ ;; prerm|postrm|postinst|config) export SANDBOX_ON="0" + [ -n "$INSTALLWATCHFILE" ] && iw_begin if [ "$PORTAGE_DEBUG" != "1" ]; then pkg_${myarg} #Allow non-zero return codes since they can be caused by && 
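Review bot: In `iw_end`, `$INSTALLWATCHFILE` and `$TMPFILE` are expanded unquoted and the result of `tempfile` is never checked, so a log path containing whitespace, or a failed `tempfile` call, makes the `sed`, `egrep` and `cat` lines operate on the wrong words while running with full privileges. `tempfile` is also not present on every system. The sed pass blanks the matching lines only for a second pass to remove them; deleting them in the same `sed -i` call gives the same result and needs no temporary file. The fence shows that form with the variable quoted.

```shell
iw_end() {
	# … unchanged: SANDBOX_ON reset and the two unset lines …

	# forget read only operations and drop empty lines in a single pass
	sed -i \
		-e '/^open_rd:/d' \
		-e '/^execve:/d' \
		-e '/^opendir:/d' \
		-e '/^open_wr: *\/dev\/null$/d' \
		-e '/^$/d' \
		"$INSTALLWATCHFILE"

	# … unchanged: unset INSTALLWATCHFILE …
```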
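Review bot: `iw_begin`, called here straight after `export SANDBOX_ON="0"`, exports `SANDBOX_WRITE="/"`, and the matching `iw_end` from the first hunk never unsets it or restores an earlier value, so the rest of this shell and its children keep a write list of `/`. That is harmless only while the sandbox stays off; if it were switched on again later in the same process, the list would no longer restrict anything. I would save the old value in `iw_begin` (`IW_SAVED_SANDBOX_WRITE="$SANDBOX_WRITE"`) and put it back in `iw_end` (`export SANDBOX_WRITE="$IW_SAVED_SANDBOX_WRITE"`). The same applies to the two calls added in `dyn_preinst`; the case arm continues past the end of this hunk.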
@@ -1758,6 +1789,7 @@ #Allow non-zero return codes since they can be caused by && set +x fi + [ -n "$INSTALLWATCHFILE" ] && iw_end ;; unpack|compile|test|clean|install) if [ "${SANDBOX_DISABLED="0"}" == "0" ]; then diff -Nur --exclude '.*' portage-2.0.51.20.orig/pym/portage.py portage-2.0.51.20.installwatch/pym/portage.py --- portage-2.0.51.20.orig/pym/portage.py 2005-04-23 00:39:43.000000000 -0700 +++ portage-2.0.51.20.installwatch/pym/portage.py 2005-04-27 16:19:58.000000000 -0700 @@ -1564,7 +1564,7 @@ # XXX This would be to replace getstatusoutput completely. # XXX Issue: cannot block execution. Deadlock condition. -def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,**keywords): +def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,iw_log=None,**keywords): """spawn a subprocess with optional sandbox protection, depending on whether sandbox is enabled. The "free" argument, when set to 1, will disable sandboxing. This allows us to @@ -1589,7 +1589,9 @@ if ("sandbox" in features) and (not free): keywords["opt_name"] += " sandbox" - if droppriv and portage_gid and portage_uid: + if iw_log: + env["INSTALLWATCHFILE"]=iw_log + elif droppriv and portage_gid and portage_uid: keywords.update({"uid":portage_uid,"gid":portage_gid,"groups":[portage_gid],"umask":002}) return portage_exec.spawn_sandbox(mystring,env=env,**keywords) else: @@ -2314,7 +2316,7 @@ droppriv=actionmap[mydo]["args"][1],logfile=logfile) return retval -def doebuild(myebuild,mydo,myroot,mysettings,debug=0,listonly=0,fetchonly=0,cleanup=0,dbkey=None,use_cache=1,fetchall=0,tree="porttree"): +def doebuild(myebuild,mydo,myroot,mysettings,debug=0,listonly=0,fetchonly=0,cleanup=0,dbkey=None,use_cache=1,fetchall=0,tree="porttree",iw_log=None): global db ebuild_path = os.path.abspath(myebuild) 
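Review bot: `[ -n "$INSTALLWATCHFILE" ] && iw_end` is now the last command of the `prerm|postrm|postinst|config)` arm, so when the variable is empty the arm finishes with status 1. Whether anything reads that status is not visible in this hunk, but `if [ -n "$INSTALLWATCHFILE" ]; then iw_end; fi` avoids the question and reads the same. The `&& iw_begin` line in the previous hunk and both calls in `dyn_preinst` could take the same form. Note also that `iw_end` is reached only when `pkg_${myarg}` returns; if the phase function exits the shell, the log is left unfiltered.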
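Review bot: Chaining the old privilege-drop test as `elif droppriv and portage_gid and portage_uid:` after `if iw_log:` means a call that passes both `iw_log` and `droppriv` silently keeps its current uid, gid, groups and umask. The one caller that passes `iw_log` in this patch does not pass `droppriv`, but `spawn` is a general helper and the two options are unrelated, so the second test should stay its own `if droppriv and portage_gid and portage_uid:`. In addition, `env["INSTALLWATCHFILE"]` is never cleared when `iw_log` is `None`, so a value already present in `env` would still switch the logging on in ebuild.sh; how `env` is built is outside this hunk, so this needs checking. Indentation is lost in this view, but the assignment appears to sit inside the `"sandbox" in features` branch, in which case `iw_log` is ignored without any message when sandbox is not enabled.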
@@ -2595,7 +2597,10 @@ return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=1,logfile=logfile) elif mydo in ["prerm","postrm","preinst","postinst","config"]: mysettings.load_infodir(pkg_dir) - return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=1,logfile=logfile) + free=1 + if iw_log: + free=0 + return spawn(EBUILD_SH_BINARY+" "+mydo,mysettings,debug=debug,free=free,logfile=logfile,iw_log=iw_log) try: mysettings["SLOT"],mysettings["RESTRICT"] = db["/"]["porttree"].dbapi.aux_get(mycpv,["SLOT","RESTRICT"]) @@ -6428,12 +6433,15 @@ print ">>> Merging",self.mycpv,"to",destroot # run preinst script + iw_log=None + if "installwatch" in features: + iw_log=self.dbtmpdir+"/PREINST" if myebuild: # if we are merging a new ebuild, use *its* pre/postinst rather than using the one in /var/db/pkg # (if any). - a=doebuild(myebuild,"preinst",root,self.settings,cleanup=cleanup,use_cache=0) + a=doebuild(myebuild,"preinst",root,self.settings,cleanup=cleanup,use_cache=0,iw_log=iw_log) else: - a=doebuild(inforoot+"/"+self.pkg+".ebuild","preinst",root,self.settings,cleanup=cleanup,use_cache=0) + a=doebuild(inforoot+"/"+self.pkg+".ebuild","preinst",root,self.settings,cleanup=cleanup,use_cache=0,iw_log=iw_log) # XXX: Decide how to handle failures here. if a != 0: @@ -6514,13 +6522,6 @@ self.dbdir = self.dbtmpdir print ">>> original instance of package unmerged safely." - # We hold both directory locks. - self.dbdir = self.dbpkgdir - self.delete() - movefile(self.dbtmpdir, self.dbpkgdir, mysettings=self.settings) - - self.unlockdb() - #write out our collection of md5sums if cfgfiledict.has_key("IGNORE"): del cfgfiledict["IGNORE"] 
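Review bot: `self.dbtmpdir+"/PREINST"` names a log that is written from inside the very process it records: per the ebuild.sh hunks the phase runs with `SANDBOX_WRITE="/"`, so the package's own `pkg_preinst` is able to rewrite or remove the file. Anything that later reads `PREINST` (or `POSTINST` from the last hunk) should treat it as a best-effort record rather than an audit trail, and a comment saying so belongs here, e.g. `# installwatch log: written by the watched phase itself, advisory only`. `os.path.join(self.dbtmpdir, "PREINST")` would also be the more usual way to build the path. The enclosing method starts and ends outside the hunk.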
@@ -6545,12 +6546,22 @@ portage_locks.unlockfile(mylock) #do postinst script + iw_log=None + if "installwatch" in features: + iw_log=self.dbtmpdir+"/POSTINST" if myebuild: # if we are merging a new ebuild, use *its* pre/postinst rather than using the one in /var/db/pkg # (if any). - a=doebuild(myebuild,"postinst",root,self.settings,use_cache=0) + a=doebuild(myebuild,"postinst",root,self.settings,use_cache=0,iw_log=iw_log) else: - a=doebuild(inforoot+"/"+self.pkg+".ebuild","postinst",root,self.settings,use_cache=0) + a=doebuild(inforoot+"/"+self.pkg+".ebuild","postinst",root,self.settings,use_cache=0,iw_log=iw_log) + + # We hold both directory locks. + self.dbdir = self.dbpkgdir + self.delete() + movefile(self.dbtmpdir, self.dbpkgdir, mysettings=self.settings) + + self.unlockdb() # XXX: Decide how to handle failures here. if a != 0:
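Review bot: Moving `self.delete()`, `movefile(self.dbtmpdir, self.dbpkgdir, mysettings=self.settings)` and `self.unlockdb()` below the postinst call means the database locks are now held for as long as `pkg_postinst` runs, and the package's entry is still under `dbtmpdir` while it runs. A postinst that is slow, waits for input, or looks the package up in the installed-package database would behave differently from before; the hunk does not show whether any do. The reason for the new order is presumably that `POSTINST` should be moved with the rest of the entry, and that deserves a comment above the moved block, for example `# commit the db entry after postinst so the installwatch log moves with it`. The move still happens before the `if a != 0:` check, so a failed postinst is committed as before; the method continues outside the hunk.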