
From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o
Cc: Zac Medico <zmedico@g.o>
Subject: [gentoo-portage-dev] [PATCH] preinst_selinux_labels: disable LD_PRELOAD sandbox (bug 655996)
Date: Fri, 18 May 2018 17:26:16
Message-Id: 20180518172552.14658-1-zmedico@gentoo.org
1 Since SELinux does not allow LD_PRELOAD across domain transitions,
2 disable the LD_PRELOAD sandbox for preinst_selinux_labels.
3
4 Bug: https://bugs.gentoo.org/655996
5 ---
6 pym/_emerge/EbuildPhase.py | 37 +++++++++++++++++++++++++++++++++-
7 pym/_emerge/MiscFunctionsProcess.py | 6 +++++-
8 pym/portage/package/ebuild/doebuild.py | 26 +++++++++++++++++-------
9 3 files changed, 60 insertions(+), 9 deletions(-)
10
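--- a/pym/_emerge/EbuildPhase.py
+++ b/pym/_emerge/EbuildPhase.py
@@ -275,7 +275,7 @@ class EbuildPhase(CompositeTask):
 # when FEATURES=compress-build-logs is enabled.
 fd, logfile = tempfile.mkstemp()
 os.close(fd)
- post_phase = MiscFunctionsProcess(background=self.background,
+ post_phase = _PostPhaseCommands(background=self.background,
 commands=post_phase_cmds, fd_pipes=self.fd_pipes,
 logfile=logfile, phase=self.phase, scheduler=self.scheduler,
 settings=settings)
@@ -405,3 +405,38 @@ class EbuildPhase(CompositeTask):
 log_path = self.settings.get("PORTAGE_LOG_FILE")
 self.scheduler.output(msg, log_path=log_path,
 background=background)
+
+
+class _PostPhaseCommands(CompositeTask):
+
+ __slots__ = ("fd_pipes", "logfile", "phase", "settings", "commands",
+ "_remaining_cmds")
+
+ def _start(self):
+ if isinstance(self.commands, list):
+ self._remaining_cmds = [({}, self.commands)]
+ else:
+ self._remaining_cmds = list(reversed(self.commands))
+
+ if 'selinux' not in self.settings.features:
+ self._remaining_cmds = [(kwargs, commands) for kwargs, commands in
+ self._remaining_cmds if not kwargs.get('selinux_only')]
+
+ self._start_phase_cmds()
+
+ def _start_phase_cmds(self, previous=None):
+ if previous is not None:
+ if not self._remaining_cmds:
+ self._default_final_exit(previous)
+ self._async_wait()
+ return
+ elif self._default_exit(previous) != os.EX_OK:
+ self._async_wait()
+ return
+
+ kwargs, commands = self._remaining_cmds.pop()
+
+ self._start_task(MiscFunctionsProcess(background=self.background,
+ commands=commands, fd_pipes=self.fd_pipes,
+ logfile=self.logfile, phase=self.phase, scheduler=self.scheduler,
+ settings=self.settings, **kwargs), self._start_phase_cmds)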
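Review bot: `_start_phase_cmds()` is entered from `_start()` with `previous=None`, so it skips the emptiness check and goes straight to `self._remaining_cmds.pop()`; if the `selinux_only` filter (or a caller passing an empty command group) leaves the list empty, that raises IndexError instead of completing the task. With the dict in this patch every phase keeps at least one unconditional group, so it is latent today, but the class should not depend on that: after the filter in `_start()`, add `if not self._remaining_cmds:` followed by `self.returncode = os.EX_OK` and `self._async_wait()` and return, which is presumably the idiom the surrounding tasks use for a no-op completion. The new class also has no docstring; I would add one stating that `commands` is either a plain list of misc-functions.sh commands (run as one group) or a sequence of `(kwargs, commands)` groups run in order, that each group spawns its own `MiscFunctionsProcess` with `kwargs` forwarded to it, and that groups marked `selinux_only` are skipped unless `selinux` is in FEATURES. Worth saying in that docstring, since it is the point of the change, that a group passing `ld_preload_sandbox=False` runs without the LD_PRELOAD sandbox, so the flag should stay confined to commands that demonstrably need it.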
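--- a/pym/_emerge/MiscFunctionsProcess.py
+++ b/pym/_emerge/MiscFunctionsProcess.py
@@ -13,7 +13,7 @@ class MiscFunctionsProcess(AbstractEbuildProcess):
 Spawns misc-functions.sh with an existing ebuild environment.
 """
 
- __slots__ = ('commands',)
+ __slots__ = ('commands', 'ld_preload_sandbox')
 
 def _start(self):
 settings = self.settings
@@ -29,6 +29,10 @@ class MiscFunctionsProcess(AbstractEbuildProcess):
 AbstractEbuildProcess._start(self)
 
 def _spawn(self, args, **kwargs):
+ # If self.ld_preload_sandbox is None, default to free=False,
+ # in alignment with the spawn(free=False) default.
+ kwargs.setdefault('free', False if self.ld_preload_sandbox is None
+ else not self.ld_preload_sandbox)
 
 if self._dummy_pipe_fd is not None:
 self.settings["PORTAGE_PIPE_FD"] = str(self._dummy_pipe_fd)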
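Review bot: The new comment in `_spawn()` explains the `None` case but not what `free` does, which is the security-relevant half: a reader has to know that `free=True` is what drops the LD_PRELOAD sandbox for this spawn. I would replace the two comment lines with `# free=True runs misc-functions.sh without the LD_PRELOAD sandbox. Only an` / `# explicit ld_preload_sandbox=False asks for that; None keeps spawn's free=False default.` so the unsandboxed path is visible at the only place it is decided. The class docstring in the first hunk should also gain a line describing the new `ld_preload_sandbox` slot (a tri-state `True`/`False`/`None` as written here). The code relies on the slot defaulting to `None` when the attribute is not passed to the constructor, which I assume the SlotObject base provides; worth confirming, since an unset slot would raise AttributeError at the first spawn.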
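--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -1722,13 +1722,25 @@ _post_phase_cmds = {
 "install_symlink_html_docs",
 "install_hooks"],
 
- "preinst" : [
- "preinst_sfperms",
- "preinst_selinux_labels",
- "preinst_suid_scan",
- "preinst_qa_check",
- ],
-
+ "preinst" : (
+ (
+ {
+ "ld_preload_sandbox": False,
+ "selinux_only": True,
+ },
+ [
+ "preinst_selinux_labels",
+ ],
+ ),
+ (
+ {},
+ [
+ "preinst_sfperms",
+ "preinst_suid_scan",
+ "preinst_qa_check",
+ ],
+ ),
+ ),
 "postinst" : [
 "postinst_qa_check"],
 }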
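Review bot: `_post_phase_cmds` now has two value shapes (a plain list, or a tuple of `(kwargs, commands)` groups), and the keys that a group's kwargs dict may carry are interpreted in another module — `selinux_only` is consumed by `_PostPhaseCommands` in EbuildPhase.py and `ld_preload_sandbox` is forwarded to `MiscFunctionsProcess` — but nothing here says so. The dict's opening line is outside the hunk; I would put a comment above it describing both shapes, listing the two recognised kwargs, and stating explicitly that `ld_preload_sandbox: False` disables the LD_PRELOAD sandbox for that group and is reserved for commands that must cross an SELinux domain transition, so that future additions to the table do not copy the flag casually. Note also that the old list ran `preinst_sfperms` before `preinst_selinux_labels`, while the new tuple runs the labelling group first (groups are popped in order); that looks harmless, since the later commands adjust permissions rather than contexts, but if the order was deliberate it deserves a sentence in the commit message.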
124 --
125 2.13.6