Gentoo Archives: gentoo-portage-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o, Zac Medico <zmedico@g.o>
Subject: Re: [gentoo-portage-dev] [PATCH] pid-sandbox: whitelist selected pkg_* phases (bug 673794)
Date: Tue, 08 Jan 2019 08:14:16
Message-Id: 2D993FE0-A9F9-4C25-80D5-8FA61EFD3BAD@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH] pid-sandbox: whitelist selected pkg_* phases (bug 673794) by Zac Medico
1 On January 8, 2019 4:53:11 AM UTC, Zac Medico <zmedico@g.o> wrote:
2 >Whitelist the same phases that are whitelisted for FEATURES=cgroup,
3 >since pid-sandbox is less valuable and is likely to have unintended
4 >consequences during these phases.
5 >
6 >Bug: https://bugs.gentoo.org/673794
7 >Signed-off-by: Zac Medico <zmedico@g.o>
8 >---
9 > lib/_emerge/AbstractEbuildProcess.py | 9 ++++++---
10 > lib/portage/package/ebuild/doebuild.py | 8 ++++++--
11 > 2 files changed, 12 insertions(+), 5 deletions(-)
12 >
13 >diff --git a/lib/_emerge/AbstractEbuildProcess.py
14 >b/lib/_emerge/AbstractEbuildProcess.py
15 >index bda0bd83f..ddf04e9b3 100644
16 >--- a/lib/_emerge/AbstractEbuildProcess.py
17 >+++ b/lib/_emerge/AbstractEbuildProcess.py
18 >@@ -1,4 +1,4 @@
19 >-# Copyright 1999-2018 Gentoo Foundation
20 >+# Copyright 1999-2019 Gentoo Foundation
21 > # Distributed under the terms of the GNU General Public License v2
22 >
23 > import errno
24 >@@ -22,6 +22,10 @@ from portage.util.futures import asyncio
25 > from portage.util._pty import _create_pty_or_pipe
26 > from portage.util import apply_secpass_permissions
27 >
28 >+portage.proxy.lazyimport.lazyimport(globals(),
29 >+ 'portage.package.ebuild.doebuild:_global_pid_phases',
30 >+)
31 >+
32 > class AbstractEbuildProcess(SpawnProcess):
33 >
34 > __slots__ = ('phase', 'settings',) + \
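Review bot: the `lazyimport` call added above `class AbstractEbuildProcess` reaches into doebuild.py for a private constant without saying why the import has to be lazy. If it is there to avoid an import cycle between the two modules, a one-line comment saying so would help. The context lines also show only `from portage.util ...` imports, so confirm that the bare name `portage` is bound in this module before `portage.proxy.lazyimport.lazyimport(...)` runs.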
35 >@@ -30,7 +34,6 @@ class AbstractEbuildProcess(SpawnProcess):
36 >
37 > _phases_without_builddir = ('clean', 'cleanrm', 'depend', 'help',)
38 > _phases_interactive_whitelist = ('config',)
39 >- _phases_without_cgroup = ('preinst', 'postinst', 'prerm', 'postrm',
40 >'config')
41 >
42 > # Number of milliseconds to allow natural exit of the ebuild
43 > # process after it has called the exit command via IPC. It
44 >@@ -71,7 +74,7 @@ class AbstractEbuildProcess(SpawnProcess):
45 > # Check if the cgroup hierarchy is in place. If it's not, mount it.
46 > if (os.geteuid() == 0 and platform.system() == 'Linux'
47 > and 'cgroup' in self.settings.features
48 >- and self.phase not in self._phases_without_cgroup):
49 >+ and self.phase not in _global_pid_phases):
50 > cgroup_root = '/sys/fs/cgroup'
51 > cgroup_portage = os.path.join(cgroup_root, 'portage')
52 >
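Review bot: in the cgroup check, `self.phase not in _global_pid_phases` now gates cgroup setup with a name that only mentions the PID namespace. The removed `_phases_without_cgroup` said what it controlled. Either pick a name that covers both features, or note at the definition that the set is shared by FEATURES=cgroup and FEATURES=pid-sandbox, so a later change made for one does not silently alter the other.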
53 >diff --git a/lib/portage/package/ebuild/doebuild.py
54 >b/lib/portage/package/ebuild/doebuild.py
55 >index baebb9a27..f11923595 100644
56 >--- a/lib/portage/package/ebuild/doebuild.py
57 >+++ b/lib/portage/package/ebuild/doebuild.py
58 >@@ -1,4 +1,4 @@
59 >-# Copyright 2010-2018 Gentoo Authors
60 >+# Copyright 2010-2019 Gentoo Authors
61 > # Distributed under the terms of the GNU General Public License v2
62 >
63 > from __future__ import unicode_literals
64 >@@ -110,6 +110,9 @@ _ipc_phases = frozenset([
65 > "preinst", "postinst", "prerm", "postrm",
66 > ])
67 >
68 >+# phases which execute in the global PID namespace
69 >+_global_pid_phases = frozenset(['preinst', 'postinst', 'prerm',
70 >'postrm', 'config'])
71 >+
72 > # phases in which networking access is allowed
73 > _networked_phases = frozenset([
74 > # for VCS fetching
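Review bot: the comment on `_global_pid_phases` says what the set does but not why these five phases are exempt. Processes started from these phases will run outside the PID sandbox even with pid-sandbox enabled, so put the rationale from the commit message and the bug reference (bug 673794) in the comment, so that the exemption is not widened later without review.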
75 >@@ -153,7 +156,8 @@ def _doebuild_spawn(phase, settings,
76 >actionmap=None, **kwargs):
77 > kwargs['networked'] = 'network-sandbox' not in settings.features or \
78 > phase in _networked_phases or \
79 > 'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
80 >- kwargs['pidns'] = 'pid-sandbox' in settings.features
81 >+ kwargs['pidns'] = ('pid-sandbox' in settings.features and
82 >+ phase not in _global_pid_phases)
83 >
84 > if phase == 'depend':
85 > kwargs['droppriv'] = 'userpriv' in settings.features
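Review bot: with the new `kwargs['pidns']` expression, FEATURES=pid-sandbox no longer applies to preinst, postinst, prerm, postrm and config, but the diffstat lists only the two Python files. The user-facing description of pid-sandbox should mention the exempt phases, and a small test asserting that `pidns` is False for each member of `_global_pid_phases` and True for a build phase when pid-sandbox is enabled would pin the behaviour down.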
86
87 LGTM, thanks.
88 --
89 Best regards,
90 Michał Górny