Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 729464 - [Future EAPI] Change sandbox path matching order
Summary: [Future EAPI] Change sandbox path matching order
Status: CONFIRMED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: PMS/EAPI (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: PMS/EAPI
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: future-eapi
  Show dependency tree
 
Reported: 2020-06-24 18:12 UTC by Michał Górny
Modified: 2020-06-24 23:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:12:25 UTC
I'd like to change the way path matching is ordered in sandbox, and while at it formally define it for EAPI 8.

Currently, the behavior is not formally defined in the PMS.  Furthermore, use of multiple lists is non-trivial and makes it hard to override restrictions in subdirectories.

What I'd like to define instead is something along the lines of:

  Sandbox maintains a single ACL list.  add* functions add the new ACL to the end
  of the list.  When an operation is performed, the path is matched against all
  ACL entries in order, with the later entries overriding the earlier.

In my opinion, this is both more flexible and simpler than the current behavior.  It makes it possible to create overrides like:

  adddeny /foo           # denied
  addwrite /foo/bar      # read-write
  adddeny /foo/bar/baz   # (denied)
  addread /foo/bar/baz   # read-only
Comment 1 Mike Gilbert gentoo-dev 2020-06-24 18:21:15 UTC
Have you filed a feature request or written a patch to actually implement this in sys-apps/sandbox?

This is a pretty significant change in behavior, and I think it would be useful to see a reference implementation working before it gets added in PMS.

I am especially interested in how the default lists would be maintained; currently these are 3 separate variables in sandbox.conf, and I think these would need to be merged somehow.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-24 18:29:48 UTC
This bug serves for the feature request but I'd like to query some more opinion before proceeding with the patch.

(In reply to Mike Gilbert from comment #1)
> I am especially interested in how the default lists would be maintained;
> currently these are 3 separate variables in sandbox.conf, and I think these
> would need to be merged somehow.

I suppose it wouldn't be hard to merge them into SANDBOX_ACL at start, with order matching current sandbox logic.