| 1 |
Whitelist the same phases that are whitelisted for FEATURES=cgroup, |
| 2 |
since pid-sandbox is less valuable and is likely to have unintended |
| 3 |
consenquences during these phases. |
| 4 |
|
| 5 |
Bug: https://bugs.gentoo.org/673794 |
| 6 |
Signed-off-by: Zac Medico <zmedico@g.o> |
| 7 |
--- |
| 8 |
lib/_emerge/AbstractEbuildProcess.py | 9 ++++++--- |
| 9 |
lib/portage/package/ebuild/doebuild.py | 8 ++++++-- |
| 10 |
2 files changed, 12 insertions(+), 5 deletions(-) |
| 11 |
|
| 12 |
diff --git a/lib/_emerge/AbstractEbuildProcess.py b/lib/_emerge/AbstractEbuildProcess.py |
| 13 |
index bda0bd83f..ddf04e9b3 100644 |
| 14 |
--- a/lib/_emerge/AbstractEbuildProcess.py |
| 15 |
+++ b/lib/_emerge/AbstractEbuildProcess.py |
| 16 |
@@ -1,4 +1,4 @@ |
| 17 |
-# Copyright 1999-2018 Gentoo Foundation |
| 18 |
+# Copyright 1999-2019 Gentoo Foundation |
| 19 |
# Distributed under the terms of the GNU General Public License v2 |
| 20 |
|
| 21 |
import errno |
| 22 |
@@ -22,6 +22,10 @@ from portage.util.futures import asyncio |
| 23 |
from portage.util._pty import _create_pty_or_pipe |
| 24 |
from portage.util import apply_secpass_permissions |
| 25 |
|
| 26 |
+portage.proxy.lazyimport.lazyimport(globals(), |
| 27 |
+ 'portage.package.ebuild.doebuild:_global_pid_phases', |
| 28 |
+) |
| 29 |
+ |
| 30 |
class AbstractEbuildProcess(SpawnProcess): |
| 31 |
|
| 32 |
__slots__ = ('phase', 'settings',) + \ |
| 33 |
@@ -30,7 +34,6 @@ class AbstractEbuildProcess(SpawnProcess): |
| 34 |
|
| 35 |
_phases_without_builddir = ('clean', 'cleanrm', 'depend', 'help',) |
| 36 |
_phases_interactive_whitelist = ('config',) |
| 37 |
- _phases_without_cgroup = ('preinst', 'postinst', 'prerm', 'postrm', 'config') |
| 38 |
|
| 39 |
# Number of milliseconds to allow natural exit of the ebuild |
| 40 |
# process after it has called the exit command via IPC. It |
| 41 |
@@ -71,7 +74,7 @@ class AbstractEbuildProcess(SpawnProcess): |
| 42 |
# Check if the cgroup hierarchy is in place. If it's not, mount it. |
| 43 |
if (os.geteuid() == 0 and platform.system() == 'Linux' |
| 44 |
and 'cgroup' in self.settings.features |
| 45 |
- and self.phase not in self._phases_without_cgroup): |
| 46 |
+ and self.phase not in _global_pid_phases): |
| 47 |
cgroup_root = '/sys/fs/cgroup' |
| 48 |
cgroup_portage = os.path.join(cgroup_root, 'portage') |
| 49 |
|
| 50 |
diff --git a/lib/portage/package/ebuild/doebuild.py b/lib/portage/package/ebuild/doebuild.py |
| 51 |
index baebb9a27..f11923595 100644 |
| 52 |
--- a/lib/portage/package/ebuild/doebuild.py |
| 53 |
+++ b/lib/portage/package/ebuild/doebuild.py |
| 54 |
@@ -1,4 +1,4 @@ |
| 55 |
-# Copyright 2010-2018 Gentoo Authors |
| 56 |
+# Copyright 2010-2019 Gentoo Authors |
| 57 |
# Distributed under the terms of the GNU General Public License v2 |
| 58 |
|
| 59 |
from __future__ import unicode_literals |
| 60 |
@@ -110,6 +110,9 @@ _ipc_phases = frozenset([ |
| 61 |
"preinst", "postinst", "prerm", "postrm", |
| 62 |
]) |
| 63 |
|
| 64 |
+# phases which execute in the global PID namespace |
| 65 |
+_global_pid_phases = frozenset(['preinst', 'postinst', 'prerm', 'postrm', 'config']) |
| 66 |
+ |
| 67 |
# phases in which networking access is allowed |
| 68 |
_networked_phases = frozenset([ |
| 69 |
# for VCS fetching |
| 70 |
@@ -153,7 +156,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, **kwargs): |
| 71 |
kwargs['networked'] = 'network-sandbox' not in settings.features or \ |
| 72 |
phase in _networked_phases or \ |
| 73 |
'network-sandbox' in settings['PORTAGE_RESTRICT'].split() |
| 74 |
- kwargs['pidns'] = 'pid-sandbox' in settings.features |
| 75 |
+ kwargs['pidns'] = ('pid-sandbox' in settings.features and |
| 76 |
+ phase not in _global_pid_phases) |
| 77 |
|
| 78 |
if phase == 'depend': |
| 79 |
kwargs['droppriv'] = 'userpriv' in settings.features |
| 80 |
-- |
| 81 |
2.18.1 |
Archives