
Bug 729464

Summary: [Future EAPI] Change sandbox path matching order
Product: Gentoo Hosted Projects
Reporter: Michał Górny <mgorny>
Component: PMS/EAPI
Assignee: Package Manager Specification <pms>
Status: CONFIRMED
Severity: normal
CC: esigra, sam, sandbox
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=630422
Bug Blocks: 174380

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:12:25 UTC
I'd like to change the way path matching is ordered in sandbox, and while at it formally define it for EAPI 8.

Currently, the behavior is not formally defined in the PMS.  Furthermore, use of multiple lists is non-trivial and makes it hard to override restrictions in subdirectories.

What I'd like to define instead is something along the lines of:

  Sandbox maintains a single ACL list.  add* functions add the new ACL to the end
  of the list.  When an operation is performed, the path is matched against all
  ACL entries in order, with the later entries overriding the earlier.

In my opinion, this is both more flexible and simpler than the current behavior.  It makes it possible to create overrides like:

  adddeny /foo           # denied
  addwrite /foo/bar      # read-write
  adddeny /foo/bar/baz   # (denied)
  addread /foo/bar/baz   # read-only

Comment 1 Mike Gilbert gentoo-dev 2020-06-24 18:21:15 UTC
Have you filed a feature request or written a patch to actually implement this in sys-apps/sandbox?

This is a pretty significant change in behavior, and I think it would be useful to see a reference implementation working before it gets added in PMS.

I am especially interested in how the default lists would be maintained; currently these are 3 separate variables in sandbox.conf, and I think these would need to be merged somehow.

Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:29:48 UTC
This bug serves as the feature request, but I'd like to gather some more opinions before proceeding with the patch.

(In reply to Mike Gilbert from comment #1)
> I am especially interested in how the default lists would be maintained;
> currently these are 3 separate variables in sandbox.conf, and I think these
> would need to be merged somehow.

I suppose it wouldn't be hard to merge them into SANDBOX_ACL at start, with order matching current sandbox logic.
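
The single ordered list proposed in the description can be modelled as follows; this is an added example, not code from sys-apps/sandbox or from anyone in this thread. The class name, the component-wise prefix matching, the lexical path normalization and the deny-by-default result when no entry matches are assumptions the bug does not specify.

```python
import posixpath

# Access levels for this sketch; the names are assumptions, not sandbox's own.
DENY, READ, WRITE = "deny", "read", "write"


class SandboxACL:
    """One ordered ACL list: every entry is checked, the last match decides."""

    def __init__(self, default=DENY):
        self.default = default  # assumption: the no-match result is not defined on the page
        self.entries = []       # (normalized prefix, access) in insertion order

    def _add(self, path, access):
        # add* functions append to the end of the list, as the proposal states.
        self.entries.append((posixpath.normpath(path), access))

    def adddeny(self, path):
        self._add(path, DENY)

    def addread(self, path):
        self._add(path, READ)

    def addwrite(self, path):
        self._add(path, WRITE)

    @staticmethod
    def _covers(prefix, path):
        # Match whole path components so that /foo does not cover /foobar.
        return prefix == "/" or path == prefix or path.startswith(prefix + "/")

    def access(self, path):
        # Lexical normalization only (assumption): /foo/bar/../x is judged as
        # /foo/x. Symlinks are not resolved in this sketch.
        path = posixpath.normpath(path)
        result = self.default
        for prefix, access in self.entries:
            if self._covers(prefix, path):
                result = access  # later entries override earlier ones
        return result

    def allows(self, path, want):
        # WRITE is treated as read-write, matching the comment in the description.
        got = self.access(path)
        return got == WRITE or (got == READ and want == READ)


def page_example():
    """The four entries from the description, added in the same order."""
    acl = SandboxACL()
    acl.adddeny("/foo")
    acl.addwrite("/foo/bar")
    acl.adddeny("/foo/bar/baz")
    acl.addread("/foo/bar/baz")
    return acl
```

Because the last match wins, the result depends only on insertion order: swapping the final two entries of `page_example()` would leave `/foo/bar/baz` denied instead of read-only.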