From 7cb30c002dcd842472a5f3d604dba299da175b38 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Fri, 23 Oct 2020 08:07:55 +0100 Subject: [PATCH] etc/sandbox.conf: allow /usr/tmp/ for write In bug #737220 sandbox was denying write access to /usr/tmp (a symlink to /var/tmp) for statically linked binaries. It happens because erealpath() helper conservatively does not resolve any symlink for external traced processes (to avoid symlink confusion via /proc/ that could refer to tracer and not tracee). Instead of fixing erealpath() to handle more cases of symlinks let's just allow /usr/tmp as if it was /var/tmp. Reported-by: Kirill Chibisov Bug: https://bugs.gentoo.org/737220 Signed-off-by: Sergei Trofimovich --- etc/sandbox.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/sandbox.conf b/etc/sandbox.conf index 5f09ee4..2501e11 100644 --- a/etc/sandbox.conf +++ b/etc/sandbox.conf @@ -86,7 +86,7 @@ SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts" # Device filesystems SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm" # Tempory storage -SANDBOX_WRITE="/tmp/:/var/tmp/" +SANDBOX_WRITE="/tmp/:/var/tmp/:/usr/tmp/" # Needed for shells SANDBOX_WRITE="${HOME}/.bash_history" -- 2.29.0
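Review bot: The added `/usr/tmp/` entry in the "Tempory storage" line is a workaround for erealpath() not resolving symlinks for externally traced (static) binaries, not a fix, and the config line carries no hint of that; on a host where /usr/tmp is a real directory rather than a symlink to /var/tmp this is a genuine widening of the write allowlist, not an alias. Suggest a comment directly above the changed line, e.g. `# /usr/tmp is normally a symlink to /var/tmp; listed explicitly because erealpath() does not resolve symlinks for traced processes (bug #737220)`, so the reason is visible when erealpath() is later taught to handle this case and the entry can be dropped. Any other symlinked path that is only reachable through its /var or /run target will hit the same denial, so the underlying erealpath() limitation should stay tracked separately.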