* [gentoo-commits] proj/portage:prefix commit in: man/, pym/portage/package/ebuild/, pym/portage/
@ 2012-10-02 11:59 Fabian Groffen
From: Fabian Groffen @ 2012-10-02 11:59 UTC (permalink / raw
  To: gentoo-commits

commit:     d89a3f12837b9ba9b401b15d4da28b221c5268ec
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Tue Oct  2 11:55:43 2012 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Tue Oct  2 11:55:43 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=d89a3f12

backout fda43d31a566e72c03d264461e9ae07ed35077e5

We had better always have logging: if there are no violations (as
should be the case) there is no performance penalty and there are no
log messages at all.

---
 man/make.conf.5                        |    6 ------
 pym/portage/const.py                   |    5 ++---
 pym/portage/package/ebuild/doebuild.py |    7 +------
 3 files changed, 3 insertions(+), 15 deletions(-)

diff --git a/man/make.conf.5 b/man/make.conf.5
index 9c84819..70ac4d3 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -464,12 +464,6 @@ On Mac OS X platforms that have /usr/bin/sandbox-exec available (10.5
 and later), this particular sandbox implementation is used instead of
 sys-apps/sandbox.
 .TP
-.B sandbox-debug
-Enable debug messages regarding sandboxing. This currently only has
-an effect on Mac OS X platforms where it enables logging of denied
-access into /var/log/system.log. Note that logging is extremely slow
-and will slow down the emerge process considerably.
-.TP
 .B sesandbox
 Enable SELinux sandbox\-ing.  Do not toggle this \fBFEATURE\fR yourself.
 .TP

diff --git a/pym/portage/const.py b/pym/portage/const.py
index b6b9493..74cda03 100644
--- a/pym/portage/const.py
+++ b/pym/portage/const.py
@@ -79,7 +79,7 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
 
 (allow default)
 
-(deny file-write*@@LOGGING@@)
+(deny file-write* (with no-log))
 
 (allow file-read* file-write*
   (literal
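Review bot: The restored rule `(deny file-write* (with no-log))` suppresses logging of denied writes unconditionally, which looks like the opposite of the commit message's stated goal of always having logging. With this rule a build step that violates the sandbox has its write refused without any record in the system log, so there is nothing to audit or debug against afterwards. If always-on logging is the intent, the rule would be `(deny file-write*)` with no modifier; if logging is meant to stay off, the commit message should say so. The MACOSSANDBOX_PROFILE string starts before this hunk and continues past it.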
@@ -101,7 +101,6 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
     #"^(/private)?/var/run/syslog$"
   )
 )'''
-MACOSSANDBOX_NOLOG=" (with no-log)"
 
 PORTAGE_GROUPNAME        = portagegroup
 PORTAGE_USERNAME         = portageuser
@@ -138,7 +137,7 @@ SUPPORTED_FEATURES       = frozenset([
                            "noauto", "noclean", "nodoc", "noinfo", "noman",
                            "nostrip", "notitles", "parallel-fetch", "parallel-install",
                            "prelink-checksums", "preserve-libs",
-                           "protect-owned", "python-trace", "sandbox", "sandbox-debug", 
+                           "protect-owned", "python-trace", "sandbox",
                            "selinux", "sesandbox", "sfperms",
                            "sign", "skiprocheck", "split-elog", "split-log", "splitdebug",
                            "strict", "stricter", "suidctl", "test", "test-fail-continue",

diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py
index 2db7900..1d0661e 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -39,7 +39,7 @@ from portage import auxdbkeys, bsd_chflags, \
 	_shell_quote, _unicode_decode, _unicode_encode
 from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \
 	EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \
-	EPREFIX, MACOSSANDBOX_PROFILE, MACOSSANDBOX_NOLOG
+	EPREFIX, MACOSSANDBOX_PROFILE
 from portage.data import portage_gid, portage_uid, secpass, \
 	uid, userpriv_groups
 from portage.dbapi.porttree import _parse_uri_map
@@ -1461,11 +1461,6 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
 		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
 		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
 
-		if "sandbox-debug" in features:
-			sbprofile = sbprofile.replace("@@LOGGING@@", "")
-		else:
-			sbprofile = sbprofile.replace("@@LOGGING@@", MACOSSANDBOX_NOLOG)
-
 		keywords["profile"] = sbprofile
 		spawn_func = portage.process.spawn_macossandbox
 	else:


* [gentoo-commits] proj/portage:prefix commit in: man/, pym/portage/package/ebuild/, pym/portage/
@ 2012-09-30 11:10 Fabian Groffen
From: Fabian Groffen @ 2012-09-30 11:10 UTC (permalink / raw
  To: gentoo-commits

commit:     fda43d31a566e72c03d264461e9ae07ed35077e5
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 30 11:06:08 2012 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Sun Sep 30 11:09:35 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=fda43d31

seatbelt: optionally re-enable logging of sandbox violations

It may be useful to see violations logged by seatbelt, which are too
expensive to be enabled by default.  Allow enabling this using
sandbox-debug flag.

Patch by Michael Weisner, bug #430640

---
 man/make.conf.5                        |    6 ++++++
 pym/portage/const.py                   |    5 +++--
 pym/portage/package/ebuild/doebuild.py |    7 ++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/man/make.conf.5 b/man/make.conf.5
index 3253de0..1f3726d 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -465,6 +465,12 @@ and later), this particular sandbox implementation is used instead of
 sys-apps/sandbox.  Note that using Mac OS X sandbox slows down the
 emerge process considerably, in particular for write operations.
 .TP
+.B sandbox-debug
+Enable debug messages regarding sandboxing. This currently only has
+an effect on Mac OS X platforms where it enables logging of denied
+access into /var/log/system.log. Note that logging is extremely slow
+and will slow down the emerge process considerably.
+.TP
 .B sesandbox
 Enable SELinux sandbox\-ing.  Do not toggle this \fBFEATURE\fR yourself.
 .TP

diff --git a/pym/portage/const.py b/pym/portage/const.py
index 74cda03..b6b9493 100644
--- a/pym/portage/const.py
+++ b/pym/portage/const.py
@@ -79,7 +79,7 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
 
 (allow default)
 
-(deny file-write* (with no-log))
+(deny file-write*@@LOGGING@@)
 
 (allow file-read* file-write*
   (literal
@@ -101,6 +101,7 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
     #"^(/private)?/var/run/syslog$"
   )
 )'''
+MACOSSANDBOX_NOLOG=" (with no-log)"
 
 PORTAGE_GROUPNAME        = portagegroup
 PORTAGE_USERNAME         = portageuser
@@ -137,7 +138,7 @@ SUPPORTED_FEATURES       = frozenset([
                            "noauto", "noclean", "nodoc", "noinfo", "noman",
                            "nostrip", "notitles", "parallel-fetch", "parallel-install",
                            "prelink-checksums", "preserve-libs",
-                           "protect-owned", "python-trace", "sandbox",
+                           "protect-owned", "python-trace", "sandbox", "sandbox-debug", 
                            "selinux", "sesandbox", "sfperms",
                            "sign", "skiprocheck", "split-elog", "split-log", "splitdebug",
                            "strict", "stricter", "suidctl", "test", "test-fail-continue",

diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py
index b18e192..84e4494 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -39,7 +39,7 @@ from portage import auxdbkeys, bsd_chflags, \
 	_shell_quote, _unicode_decode, _unicode_encode
 from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \
 	EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \
-	EPREFIX, MACOSSANDBOX_PROFILE
+	EPREFIX, MACOSSANDBOX_PROFILE, MACOSSANDBOX_NOLOG
 from portage.data import portage_gid, portage_uid, secpass, \
 	uid, userpriv_groups
 from portage.dbapi.porttree import _parse_uri_map
@@ -1457,6 +1457,11 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
 		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
 		sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
 
+		if "sandbox-debug" in features:
+			sbprofile = sbprofile.replace("@@LOGGING@@", "")
+		else:
+			sbprofile = sbprofile.replace("@@LOGGING@@", MACOSSANDBOX_NOLOG)
+
 		keywords["profile"] = sbprofile
 		spawn_func = portage.process.spawn_macossandbox
 	else:
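Review bot: The default branch added here keeps denied writes unlogged, and nothing in the code says why, so the trade-off between audit visibility and build speed is recorded only in the commit message. A comment above the `if`, such as `# seatbelt logging of denials is slow; keep it off unless FEATURES=sandbox-debug`, would keep that reasoning with the code. One of the two branches must always run, since an unreplaced `@@LOGGING@@` would presumably leave a malformed deny rule in the profile; a single call makes that harder to break: `sbprofile = sbprofile.replace("@@LOGGING@@", "" if "sandbox-debug" in features else MACOSSANDBOX_NOLOG)`. `features` and the rest of spawn() are defined outside this hunk.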

