aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAvatar Ali Polatel <polatel@gmail.com> 2009-05-27 01:22:12 +0300
committerAvatar Ali Polatel <polatel@gmail.com> 2009-06-28 22:54:05 +0300
commit273d1e571ac3dae1c60dfdd0803f281c2482abb5 (patch)
tree82fb1d58600eae7456048d39ede567b0b44eb492
parentf6a567c271a904c0834177691b61bb74692577f9 (diff)
downloadpaludis-273d1e571ac3dae1c60dfdd0803f281c2482abb5.tar.gz
paludis-273d1e571ac3dae1c60dfdd0803f281c2482abb5.tar.xz
Add sydbox support
-rw-r--r--AUTHORS2
-rw-r--r--configure.ac16
-rw-r--r--paludis/repositories/e/e_installed_repository.cc2
-rw-r--r--paludis/repositories/e/ebuild.cc4
-rw-r--r--paludis/repositories/e/ebuild.hh2
-rw-r--r--paludis/repositories/e/ebuild/Makefile.am1
-rwxr-xr-xpaludis/repositories/e/ebuild/ebuild.bash42
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/builtin_loadenv.bash9
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/builtin_saveenv.bash11
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_config.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_nofetch.bash12
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_postinst.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_postrm.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_preinst.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_prerm.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/pkg_setup.bash10
-rw-r--r--paludis/repositories/e/ebuild/exheres-0/src_test.bash10
-rw-r--r--paludis/repositories/e/ebuild/sydbox.bash73
-rw-r--r--paludis/repositories/e/ebuild_entries.cc6
-rw-r--r--paludis/repositories/e/ebuild_id.cc1
-rw-r--r--paludis/repositories/e/exndbam_repository.cc1
-rw-r--r--paludis/repositories/e/qa/restrict_key.cc1
-rw-r--r--paludis/repositories/e/vdb_repository.cc1
-rw-r--r--paludis/util/system.cc19
-rw-r--r--paludis/util/system.hh7
25 files changed, 252 insertions, 28 deletions
diff --git a/AUTHORS b/AUTHORS
index b35bc03..8cc7970 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -61,3 +61,5 @@ Tiziano Müller <dev-zero@gentoo.org>
Bo Ørsted Andresen <bo.andresen@zlin.dk>
Contributor
+Ali Polatel <polatel@gmail.com>
+ Contributor, sydbox
diff --git a/configure.ac b/configure.ac
index 1ee74a3..9959723 100644
--- a/configure.ac
+++ b/configure.ac
@@ -900,7 +900,7 @@ AC_SUBST([PALUDIS_CXXFLAGS_NO_DEBUGGING])
dnl }}}
-dnl {{{ sandbox
+dnl {{{ sandbox and sydbox
AC_MSG_CHECKING([whether to enable sandbox])
AC_ARG_ENABLE([sandbox],
AS_HELP_STRING([--enable-sandbox], [Enable sandbox]),
@@ -915,6 +915,20 @@ if test x"$HAVE_SANDBOX" = "xyes" ; then
else
AC_DEFINE([HAVE_SANDBOX], 0)
fi
+AC_MSG_CHECKING([whether to enable sydbox])
+AC_ARG_ENABLE([sydbox],
+ AS_HELP_STRING([--enable-sydbox], [Enable sydbox]),
+ [HAVE_SYDBOX=$enableval
+ AC_MSG_RESULT([$enableval])],
+ [AC_MSG_RESULT([autodetect])
+ AC_CHECK_PROG(HAVE_SYDBOX, [sydbox], [yes], [no])])
+AC_SUBST([HAVE_SYDBOX])
+AM_CONDITIONAL([HAVE_SYDBOX], test "x$HAVE_SYDBOX" = "xyes")
+if test x"$HAVE_SYDBOX" = "xyes" ; then
+ AC_DEFINE([HAVE_SYDBOX], 1, [Do we have sydbox?])
+else
+ AC_DEFINE([HAVE_SYDBOX], 0)
+fi
dnl }}}
dnl {{{ doxygen
diff --git a/paludis/repositories/e/e_installed_repository.cc b/paludis/repositories/e/e_installed_repository.cc
index 75f479f..21ed732 100644
--- a/paludis/repositories/e/e_installed_repository.cc
+++ b/paludis/repositories/e/e_installed_repository.cc
@@ -286,6 +286,7 @@ EInstalledRepository::perform_config(
value_for<n::package_id>(id),
value_for<n::portdir>(ver_dir),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv"))
),
@@ -392,6 +393,7 @@ EInstalledRepository::perform_info(
value_for<n::package_id>(id),
value_for<n::portdir>(ver_dir),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv"))
),
diff --git a/paludis/repositories/e/ebuild.cc b/paludis/repositories/e/ebuild.cc
index 970d737..f52259c 100644
--- a/paludis/repositories/e/ebuild.cc
+++ b/paludis/repositories/e/ebuild.cc
@@ -103,7 +103,9 @@ EbuildCommand::operator() ()
if (params.clearenv())
cmd.with_clearenv();
- if (params.sandbox())
+ if (params.sydbox())
+ cmd.with_sydbox();
+ else if (params.sandbox())
cmd.with_sandbox();
if (params.userpriv())
diff --git a/paludis/repositories/e/ebuild.hh b/paludis/repositories/e/ebuild.hh
index 0e923b5..945cca4 100644
--- a/paludis/repositories/e/ebuild.hh
+++ b/paludis/repositories/e/ebuild.hh
@@ -77,6 +77,7 @@ namespace paludis
struct replacing_ids;
struct root;
struct sandbox;
+ struct sydbox;
struct slot;
struct unmerge_only;
struct unmet_requirements;
@@ -116,6 +117,7 @@ namespace paludis
NamedValue<n::package_id, std::tr1::shared_ptr<const erepository::ERepositoryID> > package_id;
NamedValue<n::portdir, FSEntry> portdir;
NamedValue<n::sandbox, bool> sandbox;
+ NamedValue<n::sydbox, bool> sydbox;
NamedValue<n::userpriv, bool> userpriv;
};
diff --git a/paludis/repositories/e/ebuild/Makefile.am b/paludis/repositories/e/ebuild/Makefile.am
index 25543af..05a7c16 100644
--- a/paludis/repositories/e/ebuild/Makefile.am
+++ b/paludis/repositories/e/ebuild/Makefile.am
@@ -16,6 +16,7 @@ libexecprog_SCRIPTS = \
output_functions.bash \
pipe_functions.bash \
sandbox.bash \
+ sydbox.bash \
source_functions.bash \
usage_error.bash \
write_vdb_entry.bash \
diff --git a/paludis/repositories/e/ebuild/ebuild.bash b/paludis/repositories/e/ebuild/ebuild.bash
index e54e22d..28d239a 100755
--- a/paludis/repositories/e/ebuild/ebuild.bash
+++ b/paludis/repositories/e/ebuild/ebuild.bash
@@ -144,7 +144,7 @@ ebuild_load_module source_functions
if [[ -z ${PALUDIS_LOAD_MODULES} ]]; then
PALUDIS_LOAD_MODULES="
- conditional_functions kernel_functions sandbox portage_stubs
+ conditional_functions kernel_functions sandbox sydbox portage_stubs
multilib_functions install_functions build_functions"
for m in eclass_functions exlib_functions ever_functions; do
for d in ${EBUILD_MODULES_DIRS}; do
@@ -448,7 +448,14 @@ perform_hook()
ebuild_notice "debug" "Starting hook '${HOOK}'"
local old_sandbox_on="${SANDBOX_ON}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && export SANDBOX_ON="0"
+ local old_sydbox_enabled
+ sydboxcheck enabled 2>/dev/null && old_sydbox_enabled=true || old_sydbox_enabled=false
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ export SANDBOX_ON="0"
+ if sydboxcheck 2>/dev/null; then
+ sydboxcmd off || ebuild_notice "warning" "sydboxcmd off returned failure"
+ fi
+ fi
local hook_dir
for hook_dir in ${PALUDIS_HOOK_DIRS} ; do
@@ -465,7 +472,16 @@ perform_hook()
done
done
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && export SANDBOX_ON="${old_sandbox_on}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ export SANDBOX_ON="${old_sandbox_on}"
+ if sydboxcheck 2>/dev/null; then
+ if $old_sydbox_enabled; then
+ sydboxcmd on || ebuild_notice "warning" "sydboxcmd on returned failure"
+ else
+ sydboxcmd off || ebuild_notice "warning" "sydboxcmd off returned failure"
+ fi
+ fi
+ fi
true
}
@@ -500,6 +516,11 @@ ebuild_main()
ebuild_notice "debug" "Using ebuild '${EBUILD}', EAPI before source is '${EAPI}'"
+ # If we're running under sydbox lock magic commands when execve() is called.
+ if sydboxcheck 2>/dev/null; then
+ sydboxcmd exec_lock || ebuild_notice "warning" "sydboxcmd exec_lock returned failure"
+ fi
+
if [[ ${#@} -ge 2 ]] ; then
ebuild_section "Running ebuild phases $@ as $(id -un ):$(id -gn )..."
elif [[ ${1} != variable ]] && [[ ${1} != metadata ]] && \
@@ -516,13 +537,22 @@ ebuild_main()
export ${PALUDIS_EBUILD_PHASE_VAR}="${1}"
perform_hook ebuild_${action}_pre
if [[ $1 == metadata ]]; then
- for f in cut tr date ; do
- eval "${f}() { ebuild_notice qa 'global scope ${f}' ; $(type -P ${f} ) \"\$@\" ; }"
- done
+ # Ban execve() calls if we're running under sydbox
+ if sydboxcheck 2>/dev/null; then
+ sydboxcmd sandbox_exec || ebuild_notice "warning" "sydboxcmd sandbox_exec returned failure"
+ else
+ for f in cut tr date ; do
+ eval "${f}() { ebuild_notice qa 'global scope ${f}' ; $(type -P ${f} ) \"\$@\" ; }"
+ done
+ fi
for f in locked_pipe_command ; do
eval "${f}() { $(type -P ${f} ) \"\$@\" ; }"
done
PATH="" ebuild_load_ebuild "${EBUILD}"
+ # Unban execve() calls if we're running under sydbox
+ if sydboxcheck 2>/dev/null; then
+ sydboxcmd unsandbox_exec || ebuild_notice "warning" "sydboxcmd unsandbox_exec returned failure"
+ fi
else
ebuild_load_em_up_dan
fi
diff --git a/paludis/repositories/e/ebuild/exheres-0/builtin_loadenv.bash b/paludis/repositories/e/ebuild/exheres-0/builtin_loadenv.bash
index 322ce9a..fdf9ba3 100644
--- a/paludis/repositories/e/ebuild/exheres-0/builtin_loadenv.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/builtin_loadenv.bash
@@ -28,8 +28,10 @@ builtin_loadenv()
exheres_internal_loadenv()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && \
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${PALUDIS_LOADSAVEENV_DIR%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${PALUDIS_LOADSAVEENV_DIR}"
+ fi
if hasq "loadenv" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping builtin_loadenv (SKIP_FUNCTIONS)"
@@ -39,7 +41,10 @@ exheres_internal_loadenv()
ebuild_section "Done builtin_loadenv"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${PALUDIS_LOADSAVEENV_DIR}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/builtin_saveenv.bash b/paludis/repositories/e/ebuild/exheres-0/builtin_saveenv.bash
index 6d373ce..fcda49c 100644
--- a/paludis/repositories/e/ebuild/exheres-0/builtin_saveenv.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/builtin_saveenv.bash
@@ -26,7 +26,11 @@ builtin_saveenv()
exheres_internal_saveenv()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${PALUDIS_LOADSAVEENV_DIR%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${PALUDIS_LOADSAVEENV_DIR%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${PALUDIS_LOADSAVEENV_DIR}"
+ fi
+
if hasq "saveenv" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping builtin_saveenv (SKIP_FUNCTIONS)"
@@ -36,7 +40,10 @@ exheres_internal_saveenv()
ebuild_section "Done builtin_saveenv"
fi
- SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${PALUDIS_LOADSAVEENV_DIR}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_config.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_config.bash
index bd13220..6c57351 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_config.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_config.bash
@@ -33,7 +33,10 @@ pkg_config()
exheres_internal_config()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "config" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_config (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_config()
ebuild_section "Done pkg_config"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_nofetch.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_nofetch.bash
index e8c15eb..4e27f7a 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_nofetch.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_nofetch.bash
@@ -43,7 +43,11 @@ pkg_nofetch()
exheres_internal_nofetch()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${FETCHEDDIR}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${FETCHEDDIR}"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${FETCHEDDIR}"
+ fi
+
if hasq "nofetch" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_nofetch (SKIP_FUNCTIONS)"
else
@@ -51,6 +55,10 @@ exheres_internal_nofetch()
pkg_nofetch
ebuild_section "Done pkg_nofetch"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${FETCHEDDIR}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_postinst.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_postinst.bash
index 896afb6..ea5d457 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_postinst.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_postinst.bash
@@ -33,7 +33,10 @@ pkg_postinst()
exheres_internal_postinst()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "postinst" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_postinst (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_postinst()
ebuild_section "Done pkg_postinst"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_postrm.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_postrm.bash
index 503a823..c0777d3 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_postrm.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_postrm.bash
@@ -33,7 +33,10 @@ pkg_postrm()
exheres_internal_postrm()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "postrm" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_postrm (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_postrm()
ebuild_section "Done pkg_postrm"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_preinst.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_preinst.bash
index b01cd81..ee70aab 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_preinst.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_preinst.bash
@@ -33,7 +33,10 @@ pkg_preinst()
exheres_internal_preinst()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "preinst" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_preinst (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_preinst()
ebuild_section "Done pkg_preinst"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_prerm.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_prerm.bash
index 30e373c..65ef54b 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_prerm.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_prerm.bash
@@ -33,7 +33,10 @@ pkg_prerm()
exheres_internal_prerm()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "prerm" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_prerm (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_prerm()
ebuild_section "Done pkg_prerm"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/pkg_setup.bash b/paludis/repositories/e/ebuild/exheres-0/pkg_setup.bash
index 7978153..82bd300 100644
--- a/paludis/repositories/e/ebuild/exheres-0/pkg_setup.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/pkg_setup.bash
@@ -33,7 +33,10 @@ pkg_setup()
exheres_internal_setup()
{
local old_sandbox_write="${SANDBOX_WRITE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${SANDBOX_WRITE+${SANDBOX_WRITE}:}${ROOT%/}/"
+ sydboxcheck >/dev/null 2>&1 && addwrite "${ROOT}"
+ fi
if hasq "setup" ${SKIP_FUNCTIONS} ; then
ebuild_section "Skipping pkg_setup (SKIP_FUNCTIONS)"
@@ -43,6 +46,9 @@ exheres_internal_setup()
ebuild_section "Done pkg_setup"
fi
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_WRITE="${old_sandbox_write}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_WRITE="${old_sandbox_write}"
+ sydboxcheck >/dev/null 2>&1 && rmwrite "${ROOT}"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/exheres-0/src_test.bash b/paludis/repositories/e/ebuild/exheres-0/src_test.bash
index e4d6e82..161f254 100644
--- a/paludis/repositories/e/ebuild/exheres-0/src_test.bash
+++ b/paludis/repositories/e/ebuild/exheres-0/src_test.bash
@@ -48,7 +48,10 @@ src_test()
exheres_internal_test()
{
local old_sandbox_predict="${SANDBOX_PREDICT}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_PREDICT="${SANDBOX_PREDICT+${SANDBOX_PREDICT}:}/"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_PREDICT="${SANDBOX_PREDICT+${SANDBOX_PREDICT}:}/"
+ sydboxcheck >/dev/null 2>&1 && addpredict "/"
+ fi
local save_PALUDIS_EXTRA_DIE_MESSAGE="${PALUDIS_EXTRA_DIE_MESSAGE}"
@@ -68,6 +71,9 @@ exheres_internal_test()
export PALUDIS_EXTRA_DIE_MESSAGE="${save_PALUDIS_EXTRA_DIE_MESSAGE}"
- [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]] && SANDBOX_PREDICT="${old_sandbox_predict}"
+ if [[ -z "${PALUDIS_DO_NOTHING_SANDBOXY}" ]]; then
+ SANDBOX_PREDICT="${old_sandbox_predict}"
+ sydboxcheck >/dev/null 2>&1 && rmpredict "/"
+ fi
true
}
diff --git a/paludis/repositories/e/ebuild/sydbox.bash b/paludis/repositories/e/ebuild/sydbox.bash
new file mode 100644
index 0000000..a936fd7
--- /dev/null
+++ b/paludis/repositories/e/ebuild/sydbox.bash
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# vim: set sw=4 sts=4 et :
+
+# Copyright (c) 2009 Ali Polatel <polatel@gmail.com>
+#
+# Based in part upon ebuild.sh from Portage, which is Copyright 1995-2005
+# Gentoo Foundation and distributed under the terms of the GNU General
+# Public License v2.
+#
+# This file is part of the Paludis package manager. Paludis is free software;
+# you can redistribute it and/or modify it under the terms of the GNU General
+# Public License, version 2, as published by the Free Software Foundation.
+#
+# Paludis is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+# Place, Suite 330, Boston, MA 02111-1307 USA
+
+sydboxcheck()
+{
+ if [[ -z "${1}" ]]; then
+ [[ -e /dev/sydbox ]]
+ else
+ [[ -e /dev/sydbox/${1} ]]
+ fi
+}
+
+sydboxcmd()
+{
+ if sydboxcheck ${1}; then
+ if [[ -n "${2}" ]]; then
+ [[ "/" != "${2:0:1}" ]] && die "${FUNCNAME} ${1}: non-absolute path"
+ : > /dev/sydbox/${1}/"${2}"
+ else
+ : > /dev/sydbox/${1}
+ fi
+ fi
+}
+
+addread()
+{
+ die_unless_nonfatal "${FUNCNAME} not implemented for sydbox yet"
+}
+
+addwrite()
+{
+ sydboxcmd write "${1}"
+}
+
+adddeny()
+{
+ die_unless_nonfatal "${FUNCNAME} not implemented for sydbox yet"
+}
+
+addpredict()
+{
+ sydboxcmd predict "${1}"
+}
+
+rmwrite()
+{
+ sydboxcmd unwrite "${1}"
+}
+
+rmpredict()
+{
+ sydboxcmd unpredict "${1}"
+}
+
diff --git a/paludis/repositories/e/ebuild_entries.cc b/paludis/repositories/e/ebuild_entries.cc
index bda1732..9e45e91 100644
--- a/paludis/repositories/e/ebuild_entries.cc
+++ b/paludis/repositories/e/ebuild_entries.cc
@@ -489,6 +489,7 @@ EbuildEntries::fetch(const std::tr1::shared_ptr<const ERepositoryID> & id,
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv") && userpriv_ok)
));
@@ -796,6 +797,7 @@ EbuildEntries::install(const std::tr1::shared_ptr<const ERepositoryID> & id,
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv") && userpriv_ok)
));
@@ -907,6 +909,7 @@ EbuildEntries::info(const std::tr1::shared_ptr<const ERepositoryID> & id,
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv") && userpriv_ok)
));
@@ -978,6 +981,7 @@ EbuildEntries::get_environment_variable(
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phases.begin_phases()->option("sandbox")),
+ value_for<n::sydbox>(phases.begin_phases()->option("sydbox")),
value_for<n::userpriv>(phases.begin_phases()->option("userpriv") && userpriv_ok)
),
@@ -1134,6 +1138,7 @@ EbuildEntries::pretend(
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv") && userpriv_ok)
));
@@ -1187,6 +1192,7 @@ EbuildEntries::pretend(
(_imp->params.master_repositories() && ! _imp->params.master_repositories()->empty()) ?
(*_imp->params.master_repositories()->begin())->params().location() : _imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv") && userpriv_ok)
));
diff --git a/paludis/repositories/e/ebuild_id.cc b/paludis/repositories/e/ebuild_id.cc
index 19aea57..33177e2 100644
--- a/paludis/repositories/e/ebuild_id.cc
+++ b/paludis/repositories/e/ebuild_id.cc
@@ -255,6 +255,7 @@ EbuildID::need_keys_added() const
(_imp->repository->params().master_repositories() && ! _imp->repository->params().master_repositories()->empty()) ?
(*_imp->repository->params().master_repositories()->begin())->params().location() : _imp->repository->params().location()),
value_for<n::sandbox>(phases.begin_phases()->option("sandbox")),
+ value_for<n::sydbox>(phases.begin_phases()->option("sydbox")),
value_for<n::userpriv>(phases.begin_phases()->option("userpriv"))
));
diff --git a/paludis/repositories/e/exndbam_repository.cc b/paludis/repositories/e/exndbam_repository.cc
index c810636..d6b0c4f 100644
--- a/paludis/repositories/e/exndbam_repository.cc
+++ b/paludis/repositories/e/exndbam_repository.cc
@@ -555,6 +555,7 @@ ExndbamRepository::perform_uninstall(
value_for<n::package_id>(id),
value_for<n::portdir>(_imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv"))
));
diff --git a/paludis/repositories/e/qa/restrict_key.cc b/paludis/repositories/e/qa/restrict_key.cc
index eb006ae..ef3ed1a 100644
--- a/paludis/repositories/e/qa/restrict_key.cc
+++ b/paludis/repositories/e/qa/restrict_key.cc
@@ -47,6 +47,7 @@ namespace
allowed_restricts.insert("nostrip");
allowed_restricts.insert("strip");
allowed_restricts.insert("sandbox");
+ allowed_restricts.insert("sydbox");
allowed_restricts.insert("userpriv");
allowed_restricts.insert("test");
}
diff --git a/paludis/repositories/e/vdb_repository.cc b/paludis/repositories/e/vdb_repository.cc
index 171aa5f..b3166b4 100644
--- a/paludis/repositories/e/vdb_repository.cc
+++ b/paludis/repositories/e/vdb_repository.cc
@@ -476,6 +476,7 @@ VDBRepository::perform_uninstall(
value_for<n::package_id>(id),
value_for<n::portdir>(_imp->params.location()),
value_for<n::sandbox>(phase->option("sandbox")),
+ value_for<n::sydbox>(phase->option("sydbox")),
value_for<n::userpriv>(phase->option("userpriv"))
));
diff --git a/paludis/util/system.cc b/paludis/util/system.cc
index 765411f..b6494f4 100644
--- a/paludis/util/system.cc
+++ b/paludis/util/system.cc
@@ -35,6 +35,7 @@
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/select.h>
+#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#include <grp.h>
@@ -313,6 +314,24 @@ Command::with_sandbox()
return *this;
}
+Command &
+Command::with_sydbox()
+{
+#if HAVE_SYDBOX
+ struct stat buf;
+ if (! getenv_with_default("PALUDIS_DO_NOTHING_SANDBOXY", "").empty())
+ Log::get_instance()->message("util.system.nothing_sandboxy", ll_debug, lc_no_context)
+ << "PALUDIS_DO_NOTHING_SANDBOXY is set, not using sydbox";
+ else if (-1 != stat("/dev/sydbox", &buf))
+ Log::get_instance()->message("util.system.sandbox_in_sandbox", ll_warning, lc_no_context)
+ << "Already inside sydbox, not spawning another sydbox instance";
+ else
+ _imp->command = "sydbox -- " + _imp->command;
+#endif
+
+ return *this;
+}
+
std::tr1::shared_ptr<const uid_t>
Command::uid() const
{
diff --git a/paludis/util/system.hh b/paludis/util/system.hh
index da8a28c..bd11f75 100644
--- a/paludis/util/system.hh
+++ b/paludis/util/system.hh
@@ -149,6 +149,13 @@ namespace paludis
Command & with_sandbox();
/**
+ * Run our command sydboxed
+ *
+ * \since 0.38
+ */
+ Command & with_sydbox();
+
+ /**
* Echo the command to be run to stderr before running it.
*/
Command & with_echo_to_stderr();