From efe2c5b55f60660e9ddb2b57381d11261f59e502 Mon Sep 17 00:00:00 2001 From: Zac Medico Date: Fri, 17 Jan 2020 19:23:16 -0800 Subject: [PATCH] pid-sandbox: mount private /var/log/sandbox (bug 704848) Create a private /var/log/sandbox since the pid namespace triggers log file name collision with a process in another pid namespace with the same pid. TODO: Patch sandbox to allow portage to override SANDBOX_LOG, since otherwise sandbox violation messages will output a log path located in /var/log/sandbox instead of the true location which is in ${PORTAGE_BUILDDIR}/sandbox_log. Bug: https://bugs.gentoo.org/704848 Signed-off-by: Zac Medico --- lib/portage/process.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/lib/portage/process.py b/lib/portage/process.py index c1fc4bcf6..7ce2b3c4d 100644 --- a/lib/portage/process.py +++ b/lib/portage/process.py @@ -562,6 +562,10 @@ def _exec(binary, mycommand, opt_name, fd_pipes, @return: Never returns (calls os.execve) """ + sandbox_enabled = binary is SANDBOX_BINARY + effective_uid = -1 if uid is None else uid + effective_gid = -1 if gid is None else gid + # If the process we're creating hasn't been given a name # assign it the name of the executable. if not opt_name: 
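Review bot: `sandbox_enabled = binary is SANDBOX_BINARY` compares object identity, so the private log mount added later in `_exec` is silently skipped whenever a caller passes an equal path that is not the same object as the constant. Assuming `SANDBOX_BINARY` is a plain path string, `sandbox_enabled = binary == SANDBOX_BINARY` keeps today's behaviour without depending on how the caller built the value. The `effective_uid`/`effective_gid` lines would also benefit from a short comment saying what `-1` means to `ensure_dirs`; presumably it means "leave ownership unchanged", but nothing visible here confirms that. `_exec` starts before and ends after this hunk.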
@@ -703,6 +707,26 @@ def _exec(binary, mycommand, opt_name, fd_pipes, writemsg("Unable to mount new /proc: %d\n" % (mount_ret,), noiselevel=-1) os._exit(1) + + if sandbox_enabled: + # Create a private /var/log/sandbox since the pid namespace + # triggers log file name collision with a process in another + # pid namespace with the same pid. + portage_builddir = env.get('PORTAGE_BUILDDIR') + if portage_builddir is not None: + sandbox_log_dir = os.path.join(portage_builddir, 'sandbox_log') + global_log_dir = '/var/log/sandbox' + portage.util.ensure_dirs(global_log_dir) + portage.util.ensure_dirs(sandbox_log_dir, + uid=effective_uid, gid=effective_gid) + s = subprocess.Popen(['mount', + '--bind', sandbox_log_dir, global_log_dir]) + mount_ret = s.wait() + if mount_ret != 0: + writemsg("Unable to mount %s: %d\n" % (global_log_dir, mount_ret,), + noiselevel=-1) + os._exit(1) + if unshare_net: _configure_loopback_interface() except AttributeError: -- 2.24.1
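Review bot: `sandbox_log_dir` is derived from `env.get('PORTAGE_BUILDDIR')` and passed straight to `portage.util.ensure_dirs(..., uid=effective_uid, gid=effective_gid)` and then to `mount --bind`, with no check on what already exists at that path. This block appears to run before privileges are dropped. If the build directory is writable by the unprivileged build user, a pre-existing symlink named `sandbox_log` could redirect both the ownership change and the bind source; whether `ensure_dirs` follows links is not visible in this hunk. A guard before the second `ensure_dirs` call, such as `if os.path.islink(sandbox_log_dir):` followed by the same `writemsg(...)` / `os._exit(1)` exit used for the mount failure, would reject that case. Separately, `['mount', ...]` is resolved through PATH, so an absolute path to the mount binary would be more robust; the enclosing `try` and `_exec` continue outside the hunk.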