Hi all,

this is the next release of the sandbox. It now integrates seamlessly
into most ebuilds. The following features have been added :

* Added an ebuild to install the correct dynamic bash executable. It
supports safe unmerging, restoring the original static bash which is
otherwise accessible as /bin/sbash.

* Added env vars for customizing sandbox log labeling, number of beeps
after failure report, forcibly disabling of the sandbox before running
ebuild to make it possible to install a misbehaving package. The env
vars are SANDBOX_LOG, SANDBOX_BEEP and SANDBOX_DISABLED. SANDBOX_LOG is
automatically set to the full name of the package by portage.

* Bumped up to version 0.2. Added support for path prefix predictions.
This means that write is not allowed, but the request to do so is not
considered an error. The ebuild.sh now also contains support functions
which allow easy dynamic configuration of the sandbox inside an ebuild.
The added functions are : "addread, addwrite, adddeny, addprediction".

Below is a short usage summary:
==============================

1. To have full sandbox protection, the dynbash-2.04.ebuild should be
merged.

2. When a package misbehaves and you don't feel like fixing it but still
want to install it, set the SANDBOX_DISABLED to something and remerge.
The previous error report will be in /tmp/sandbox-[package]-[pid].log.
Please submit this file to gentoo-dev@g.o.

3. When you don't want to hear beeps when a package fails, add
SANDBOX_BEEP to /etc/make.conf and set it to 0. Setting it to another
positive number configures the number of beeps that will sound.

4. The default writable path prefixes are now :
"/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log: \
~/.gconfd/lock:~/.bash_history:[$PORTAGE_TMP]"

5. The default predicted path prefixes are :
"~/.:/usr/tmp/conftest:/usr/lib/conftest"

6. The above prefixes are now hardcoded into the sandbox executable but
should in time migrate to '/etc/make.globals'.

7. If your package needs other permissions you have three options :

a. try to figure out why it writes outside the image dir and fix
the makefile,

b. question yourself if it's a general path that should be
integrated into the default settings, if this is the case send
it together with your motivation to this mailing list,

c. configure the sandbox with the new ebuild functions. Generally
you only need to use 'addwrite path' or 'addpredict path'. Note
that these change the sandbox for the current ebuild execution
and are thus not persistent across emerge stages
(download, compile, install).


That's it,

Have fun and don't hesitate to contact me when questions arise,

Geert

--
Geert Bevin
the Leaf sprl/bvba
"Use what you need" Pierre Theunisstraat 1/47
http://www.theleaf.be 1030 Brussels
gbevin@×××××××.be Tel & Fax +32 2 241 19 98
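
The write decision described in the announcement above, as an added example that is not part of the original message or the sandbox source: a write under a writable prefix is allowed, one under a predicted prefix is refused without counting as an error, and anything else is a violation. Assumptions: the writable list is consulted before the predicted one (with the quoted defaults, `~/.bash_history` also falls under `~/.`), `SB_HOME` stands in for `~`, the `PORTAGE_TMP` value and the sample paths are constructed, and `addwrite`/`addpredict` here are stand-ins for the ebuild helpers.

```shell
#!/bin/sh
# Model of the write decision described in the announcement above.
# Not the sandbox's code; the evaluation order below is an assumption.

SB_HOME="${SB_HOME:-$HOME}"        # what "~" stands for in a prefix
PORTAGE_TMP=/var/tmp/portage       # constructed sample value

# Default prefix lists as quoted in the announcement.
SB_WRITE="/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log:~/.gconfd/lock:~/.bash_history:$PORTAGE_TMP"
SB_PREDICT="~/.:/usr/tmp/conftest:/usr/lib/conftest"

# matches_prefix LIST PATH: succeed if PATH starts with any prefix in LIST.
matches_prefix() {
    _path=$2 _old_ifs=$IFS
    IFS=:; set -f                  # split on ":" only, no globbing
    for _p in $1; do
        [ -n "$_p" ] || continue   # an empty entry must not match everything
        case $_p in "~/"*) _p=$SB_HOME/${_p#\~/} ;; esac
        case $_path in "$_p"*) IFS=$_old_ifs; set +f; return 0 ;; esac
    done
    IFS=$_old_ifs; set +f
    return 1
}

# classify_write PATH: allow | predict (refused, not reported) | violation
classify_write() {
    if matches_prefix "$SB_WRITE" "$1"; then printf 'allow\n'
    elif matches_prefix "$SB_PREDICT" "$1"; then printf 'predict\n'
    else printf 'violation\n'
    fi
}

# Stand-ins for the ebuild helpers named in the announcement.
addwrite()   { SB_WRITE="$SB_WRITE:$1"; }
addpredict() { SB_PREDICT="$SB_PREDICT:$1"; }

# Constructed sample paths.
for f in /tmp/cc1.s "$SB_HOME/.bash_history" "$SB_HOME/.kde/cfg" \
         /usr/lib/conftest.c /usr/lib/libfoo.so; do
    printf '%-28s %s\n' "$f" "$(classify_write "$f")"
done
```

Because matching is by plain string prefix, `/usr/lib/conftest` also covers `/usr/lib/conftest.c`, and `/dev/tty` covers `/dev/ttyS0`; a prefix meant to name a directory needs its trailing slash.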