| 1 |
On Thu, Feb 28, 2008 at 07:40:57PM +0100, Michael Weiser wrote: |
| 2 |
|
| 3 |
> I think, I'll give this one a go: http://www.macpronews.com/2008/0117.html. |
| 4 |
> This should be implementable as a FEATURES="sandbox-macos" |
| 5 |
|
| 6 |
This is nice! Using the attached proof-of-concept profile for |
| 7 |
sandbox-exec, I can completely confine emerge to $EPREFIX and some |
| 8 |
temporary directories. The actual call looks like this: |
| 9 |
|
| 10 |
sandbox-exec -f prefixtest.sb emerge prefixtest |
| 11 |
|
| 12 |
With my $EPREFIX being /Users/michael/bin/gentoo my intentionally broken |
| 13 |
test ebuild correctly reported: |
| 14 |
|
| 15 |
mkdir: cannot create directory `/Users/michael/bin/gentoo-broken': |
| 16 |
Permission denied |
| 17 |
|
| 18 |
although /Users/michael ist writable by me. I also did a quick test that |
| 19 |
sandbox also works when run by root. |
| 20 |
|
| 21 |
I guess, the next step would be to wrap src_build() and src_install() |
| 22 |
into a sandbox that can't leave $EPREFIX/var/tmp/portage. |
| 23 |
|
| 24 |
Can you give me some pointers where to look for the hooks? |
| 25 |
-- |
| 26 |
Cheers, Michael |
Archives