Gentoo Archives: gentoo-commits

From: Zac Medico <zmedico@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/portage:master commit in: lib/_emerge/, lib/portage/package/ebuild/
Date: Wed, 09 Jan 2019 04:09:05
Message-Id: 1546938731.bbfc36befdeed60f29c17d80d7766fd0da402d61.zmedico@gentoo
1 commit: bbfc36befdeed60f29c17d80d7766fd0da402d61
2 Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jan 8 04:45:52 2019 +0000
4 Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
5 CommitDate: Tue Jan 8 09:12:11 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=bbfc36be
7
8 pid-sandbox: whitelist selected pkg_* phases (bug 673794)
9
10 Whitelist the same phases that are whitelisted for FEATURES=cgroup,
11 since pid-sandbox is less valuable and is likely to have unintended
12 consequences during these phases.
13
14 Bug: https://bugs.gentoo.org/673794
15 Reviewed-by: Michał Górny <mgorny <AT> gentoo.org>
16 Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>
17
18 lib/_emerge/AbstractEbuildProcess.py | 9 ++++++---
19 lib/portage/package/ebuild/doebuild.py | 8 ++++++--
20 2 files changed, 12 insertions(+), 5 deletions(-)
21
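--- a/lib/_emerge/AbstractEbuildProcess.py
+++ b/lib/_emerge/AbstractEbuildProcess.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2019 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 import errno
@@ -22,6 +22,10 @@ from portage.util.futures import asyncio
 from portage.util._pty import _create_pty_or_pipe
 from portage.util import apply_secpass_permissions
 
+portage.proxy.lazyimport.lazyimport(globals(),
+ 'portage.package.ebuild.doebuild:_global_pid_phases',
+)
+
 class AbstractEbuildProcess(SpawnProcess):
 
 __slots__ = ('phase', 'settings',) + \
@@ -30,7 +34,6 @@ class AbstractEbuildProcess(SpawnProcess):
 
 _phases_without_builddir = ('clean', 'cleanrm', 'depend', 'help',)
 _phases_interactive_whitelist = ('config',)
- _phases_without_cgroup = ('preinst', 'postinst', 'prerm', 'postrm', 'config')
 
 # Number of milliseconds to allow natural exit of the ebuild
 # process after it has called the exit command via IPC. It
@@ -71,7 +74,7 @@ class AbstractEbuildProcess(SpawnProcess):
 # Check if the cgroup hierarchy is in place. If it's not, mount it.
 if (os.geteuid() == 0 and platform.system() == 'Linux'
 and 'cgroup' in self.settings.features
- and self.phase not in self._phases_without_cgroup):
+ and self.phase not in _global_pid_phases):
 cgroup_root = '/sys/fs/cgroup'
 cgroup_portage = os.path.join(cgroup_root, 'portage')
 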
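Review bot: The cgroup condition in the last hunk now tests `self.phase not in _global_pid_phases`, a set whose name and defining comment mention only the PID namespace, so nothing at this site says the same set also decides which phases skip cgroup setup. A comment above the condition such as `# pkg_* phases and config skip cgroup setup; same set as pid-sandbox (bug 673794)` would keep the two uses tied together for whoever edits the set later. The class attribute `_phases_without_cgroup` is removed outright, so any subclass or out-of-tree code that still reads it (none is visible here) would fail with AttributeError. The method containing the condition starts and ends outside the hunk.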
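--- a/lib/portage/package/ebuild/doebuild.py
+++ b/lib/portage/package/ebuild/doebuild.py
@@ -1,4 +1,4 @@
-# Copyright 2010-2018 Gentoo Authors
+# Copyright 2010-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 from __future__ import unicode_literals
@@ -110,6 +110,9 @@ _ipc_phases = frozenset([
 "preinst", "postinst", "prerm", "postrm",
 ])
 
+# phases which execute in the global PID namespace
+_global_pid_phases = frozenset(['preinst', 'postinst', 'prerm', 'postrm', 'config'])
+
 # phases in which networking access is allowed
 _networked_phases = frozenset([
 # for VCS fetching
@@ -153,7 +156,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, **kwargs):
 kwargs['networked'] = 'network-sandbox' not in settings.features or \
 phase in _networked_phases or \
 'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
- kwargs['pidns'] = 'pid-sandbox' in settings.features
+ kwargs['pidns'] = ('pid-sandbox' in settings.features and
+ phase not in _global_pid_phases)
 
 if phase == 'depend':
 kwargs['droppriv'] = 'userpriv' in settings.features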