
Bug 891531

Summary: [Future EAPI] Support RESTRICT=usersandbox
Product: Gentoo Hosted Projects
Reporter: Peter Levine <plevine457>
Component: PMS/EAPI
Assignee: PMS/EAPI <pms>
Status: RESOLVED INVALID
Severity: normal
CC: mgorny, plevine457
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Peter Levine 2023-01-21 06:01:30 UTC
The majority of problems I've encountered involving sandbox actually relate to usersandbox, in particular failing testcases like https://github.com/gentoo/gentoo/pull/29187/commits/61cd9aec7b088e75be368aa85c436785e39a99c0.  I don't know how feasible it would be or what effect it might have on unprivileged prefixed Gentoo, but I would be more inclined to use RESTRICT="test?( usersandbox )" than to continue disabling unittests.
Comment 1 Sam James 2023-01-21 06:05:46 UTC
Note that PMS doesn't cover sandbox restriction at all: https://dev.gentoo.org/~ulm/pms/head/pms.html#section-7.3.6. It's a Portageism.
Comment 2 Peter Levine 2023-01-21 06:18:31 UTC
I see. It used to be a part of PMS (https://bugs.gentoo.org/161045) and given that the PMS already includes a 'Sandbox commands' section, it seems strange not to either sever it off completely or support it fully.
Comment 3 Michał Górny 2023-01-21 07:53:07 UTC
The majority of "problems involving sandbox" are due to the specific sandbox implementation (and often even sandbox version) rather than the general idea of restricting filesystem access.  General "restrict sandbox" is a bad idea because it prevents people from using a better implementation in the future (e.g. sydbox that's based on ptrace or fusebox that's based on FUSE).
Comment 4 Peter Levine 2023-01-21 09:41:06 UTC
I see.