sandbox's rename checks only the newpath while renaming. This means that a sandboxed process can move every file/directory it wants from the system to a sandboxed write path. e.g.: "rm /etc/passwd" inside the sandbox will not work, but something like: "mv /etc/passwd . && rm passwd" will (assuming the current directory is in SANDBOX_WRITE). I've made a small patch which checks the oldpath. Seems to work here, but I don't know if it'll break some packages.
Created attachment 19147: libsandbox.c patch to make sandbox check the oldpath
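A simplified model of the two rename policies described above, as an added example and not the attached libsandbox.c patch: the SANDBOX_WRITE prefixes are constructed, and paths are assumed to already be absolute and canonical (the real sandbox resolves them first).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SANDBOX_WRITE allow-list (hypothetical values). */
static const char *sandbox_write[] = { "/var/tmp/portage/", "/tmp/" };
static const size_t n_sandbox_write = sizeof(sandbox_write) / sizeof(sandbox_write[0]);

/* True if the (already canonical) path lies under a writable prefix. */
static bool path_is_writable(const char *path) {
    for (size_t i = 0; i < n_sandbox_write; i++) {
        size_t n = strlen(sandbox_write[i]);
        if (strncmp(path, sandbox_write[i], n) == 0)
            return true;
    }
    return false;
}

/* Original policy: only the destination is checked. A rename of a
   protected file into a writable directory is therefore permitted,
   even though rename(2) removes the source entry. */
bool rename_allowed_newpath_only(const char *oldpath, const char *newpath) {
    (void)oldpath;
    return path_is_writable(newpath);
}

/* Patched policy: both the source and the destination must be writable,
   because the rename deletes oldpath as a side effect. */
bool rename_allowed_both(const char *oldpath, const char *newpath) {
    return path_is_writable(oldpath) && path_is_writable(newpath);
}

int main(void) {
    const char *src = "/etc/passwd";                /* protected file */
    const char *dst = "/var/tmp/portage/passwd";    /* inside SANDBOX_WRITE */
    printf("newpath-only policy: %s\n", rename_allowed_newpath_only(src, dst) ? "ALLOW" : "DENY");
    printf("both-paths policy:   %s\n", rename_allowed_both(src, dst) ? "ALLOW" : "DENY");
    return 0;
}
```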
Fixed in CVS. Nick, I guess we can mark this as a possible security exploit, although that is not really what sandbox is used for? Anyhow, could you push for next portage revision? thanks.
Out in -r15