| 1 |
Hi all, |
| 2 |
|
| 3 |
this is the next release of the sandbox. It now integrates seamlessly |
| 4 |
into most ebuilds. The following features have been added : |
| 5 |
|
| 6 |
* Added an ebuild to install the correct dynamic bash executable. It |
| 7 |
supports safe unmerging, restoring the original static bash which is |
| 8 |
otherwise accessible as /bin/sbash. |
| 9 |
|
| 10 |
* Added env vars for customizing sandbox log labeling, number of beeps |
| 11 |
after failure report, forcebly disabling of the sandbox before running |
| 12 |
ebuild to make it possible to install a misbehaving package. The env |
| 13 |
vars are SANDBOX_LOG, SANDBOX_BEEP and SANDBOX_DISABLED. SANDBOX_LOG is |
| 14 |
automatically set to the full name of the package by portage. |
| 15 |
|
| 16 |
* Bumped up to version 0.2. Added support for path prefix predictions. |
| 17 |
This means that write is not allowed, but the request to do so is not |
| 18 |
considered an error. The ebuild.sh now also contains support functions |
| 19 |
which allows easy dynamic configuration of the sandbox inside an ebuild. |
| 20 |
The added functions are : "addread, addwrite, adddeny, addprediction'. |
| 21 |
|
| 22 |
Below is a short usage summary: |
| 23 |
============================== |
| 24 |
|
| 25 |
1. To have full sandbox protection, the dynbash-2.04.ebuild should be |
| 26 |
merged. |
| 27 |
|
| 28 |
2. When a package misbehaves and you don't feel like fixing it but still |
| 29 |
want to install it, set the SANDBOX_DISABLED to something and remerge. |
| 30 |
The previous error report will be in /tmp/sandbox-[package]-[pid].log. |
| 31 |
Please submit this file to gentoo-dev@g.o. |
| 32 |
|
| 33 |
3. When you don't want to hear beeps when a package fails, add |
| 34 |
SANDBOX_BEEP to /etc/make.conf and set it to 0. Setting it to another |
| 35 |
positive number configures the number of beeps that will sound. |
| 36 |
|
| 37 |
4. The default writable path prefixes are now : |
| 38 |
"/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log: \ |
| 39 |
~/.gconfd/lock:~/.bash_history:[$PORTAGE_TMP]" |
| 40 |
|
| 41 |
5. The default predicted path prefixes are : |
| 42 |
"~/.:/usr/tmp/conftest:/usr/lib/conftest" |
| 43 |
|
| 44 |
6. The above prefixes are now hardcoded into the sandbox executable but |
| 45 |
should in time migrate to '/etc/make.globals'. |
| 46 |
|
| 47 |
7. If your package needs other permissions you have three options : |
| 48 |
|
| 49 |
a. try to figure out why it writes outside the image dir and fix |
| 50 |
the makefile, |
| 51 |
|
| 52 |
b. question yourself if it's a general path that should be |
| 53 |
integrated into the default settings, if this is the case send |
| 54 |
it together with your motivation to this mailinglist, |
| 55 |
|
| 56 |
c. configure the sandbox with the new ebuild functions. Generally |
| 57 |
you only need to use 'addwrite path' or 'addpredict path'. Note |
| 58 |
that these change the sandbox for the current ebuild execution |
| 59 |
and are thus not presistant across emerge stages |
| 60 |
(download,compile, install). |
| 61 |
|
| 62 |
|
| 63 |
That's it, |
| 64 |
|
| 65 |
Have fun and don't hesitate to contact me when questions arise, |
| 66 |
|
| 67 |
Geert |
| 68 |
|
| 69 |
-- |
| 70 |
Geert Bevin |
| 71 |
the Leaf sprl/bvba |
| 72 |
"Use what you need" Pierre Theunisstraat 1/47 |
| 73 |
http://www.theleaf.be 1030 Brussels |
| 74 |
gbevin@×××××××.be Tel & Fax +32 2 241 19 98 |
Archives