[gentoo-commits] proj/sandbox:master commit in: src/

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     c119fe8e393540224c803ab5036ddb80b800716c
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 23 04:52:47 2013 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sat Feb 23 04:52:47 2013 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c119fe8e

sandbox: pass child signals back up to the parent

We were incorrectly passing signal information back up to the parent.
See the URL for more information.

URL: http://www.cons.org/cracauer/sigint.html
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 72 +++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 48 insertions(+), 24 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 3783bca..c2a1d25 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -131,7 +131,7 @@ static void print_sandbox_log(char *sandbox_log)
 static void stop(int signum)
 {
 	if (0 == stop_called) {
-		stop_called = 1;
+		stop_called = signum;
 		sb_warn("caught signal %d in pid %d", signum, getpid());
 	} else
 		sb_warn("signal already caught and busy still cleaning up!");
@@ -140,7 +140,7 @@ static void stop(int signum)
 static void usr1_handler(int signum, siginfo_t *siginfo, void *ucontext)
 {
 	if (0 == stop_called) {
-		stop_called = 1;
+		stop_called = signum;
 		sb_warn("caught signal %d in pid %d", signum, getpid());
 
 		/* FIXME: This is really bad form, as we should kill the whole process
@@ -183,12 +183,11 @@ static int spawn_shell(char *argv_bash[], char **env, int debug)
 		sb_pwarn("failed to waitpid for child");
 		return 1;
 	} else if (status != 0) {
-		if (WIFSIGNALED(status)) {
+		if (WIFSIGNALED(status))
 			psignal(WTERMSIG(status), "Sandboxed process killed by signal");
-			return 128 + WTERMSIG(status);
-		} else if (debug)
+		else if (debug)
 			sb_warn("process returned with failed exit status %d!", WEXITSTATUS(status));
-		return WEXITSTATUS(status) ? : 1;
+		return status;
 	}
 
 	return 0;
@@ -196,8 +195,6 @@ static int spawn_shell(char *argv_bash[], char **env, int debug)
 
 int main(int argc, char **argv)
 {
-	struct sigaction act_new;
-
 	int sandbox_log_presence = 0;
 
 	struct sandbox_info_t sandbox_info;
@@ -308,26 +305,39 @@ int main(int argc, char **argv)
 		}
 	}
 
-	/* set up the required signal handlers ... but allow SIGHUP to be
-	 * ignored in case people are running `nohup ...` #217898
-	 */
-	if (signal(SIGHUP, &stop) == SIG_IGN)
-		signal(SIGHUP, SIG_IGN);
-#define wsignal(sig, act) \
+	/* Set up the required signal handlers */
+	int sigs[] = { SIGHUP, SIGINT, SIGQUIT, SIGTERM, SIGUSR1, };
+	struct sigaction act_new, act_old[ARRAY_SIZE(sigs)];
+	size_t si = 0;
+
+#define wsigaction() \
 	do { \
-		sighandler_t _old = signal(sig, act); \
-		if (_old == SIG_ERR) \
-			sb_pwarn("unable to bind signal %s", #sig); \
-		else if (_old != SIG_DFL && _old != SIG_IGN) \
-			sb_warn("signal %s already had a handler ...", #sig); \
+		if (sigaction(sigs[si], &act_new, &act_old[si])) \
+			sb_pwarn("unable to bind signal %i", sigs[si]); \
+		else if (act_old[si].sa_handler != SIG_DFL && \
+		         act_old[si].sa_handler != SIG_IGN) \
+			sb_warn("signal %i already had a handler ...", sigs[si]); \
+		++si; \
 	} while (0)
-	wsignal(SIGINT, &stop);
-	wsignal(SIGQUIT, &stop);
-	wsignal(SIGTERM, &stop);
+
+	sigemptyset(&act_new.sa_mask);
+	act_new.sa_sigaction = NULL;
+	act_new.sa_handler = stop;
+	act_new.sa_flags = SA_RESTART;
+	wsigaction();
+	wsigaction();
+	wsigaction();
+	wsigaction();
+
+	sigemptyset(&act_new.sa_mask);
+	act_new.sa_handler = NULL;
 	act_new.sa_sigaction = usr1_handler;
-	sigemptyset (&act_new.sa_mask);
 	act_new.sa_flags = SA_SIGINFO | SA_RESTART;
-	sigaction (SIGUSR1, &act_new, NULL);
+	wsigaction();
+
+	/* Allow SIGHUP to be ignored in case people are running `nohup ...` #217898 */
+	if (act_old[0].sa_handler == SIG_IGN)
+		sigaction(SIGHUP, &act_old[0], NULL);
 
 	/* STARTING PROTECTED ENVIRONMENT */
 	dputs("The protected environment has been started.");
@@ -353,6 +363,20 @@ int main(int argc, char **argv)
 	} else
 		dputs(sandbox_footer);
 
+	/* Do the right thing and pass the signal back up.  See:
+	 * http://www.cons.org/cracauer/sigint.html
+	 */
+	if (stop_called != SIGUSR1 && WIFSIGNALED(shell_exit)) {
+		int signum = WTERMSIG(shell_exit);
+		for (si = 0; si < ARRAY_SIZE(sigs); ++si)
+			sigaction(sigs[si], &act_old[si], NULL);
+		kill(getpid(), signum);
+		return 128 + signum;
+	} else if (WIFEXITED(shell_exit))
+		shell_exit = WEXITSTATUS(shell_exit);
+	else
+		shell_exit = 1; /* ??? */
+
 	if (!is_env_on(ENV_SANDBOX_TESTING))
 		if (sandbox_log_presence && shell_exit == 0)
 			shell_exit = 1;

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     d6af3ad271c3893419962059092eea29ffb4f507
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Feb 25 04:57:17 2013 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Feb 25 04:57:17 2013 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=d6af3ad2

sandbox: do not resolve target of stderr

The recent e12fee192ac8b0343a468e5a8f7811a7b029ff9a commit does not
handle things when stderr is connected to a real file (e.g. a pipe
or a socket or fifo or ...).  It also does not play well to have
multiple things writing to the same file through different fds.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 51f2d95..3783bca 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -82,15 +82,18 @@ static int setup_sandbox(struct sandbox_info_t *sandbox_info, bool interactive)
 	}
 
 	/* Generate sandbox message path -- this process's stderr */
-	char path[SB_PATH_MAX];
-	sprintf(path, "%s/2", sb_get_fd_dir());
-	if (realpath(path, sandbox_info->sandbox_message_path) == NULL) {
-		sb_pwarn("could not read stderr path: %s", path);
+	const char *fdpath = sb_get_fd_dir();
+	if (realpath(fdpath, sandbox_info->sandbox_message_path) == NULL) {
+		sb_pwarn("could not read fd path: %s", fdpath);
 		if (realpath(sbio_fallback_path, sandbox_info->sandbox_message_path)) {
 			sb_pwarn("could not read stderr path: %s", sbio_fallback_path);
 			/* fuck it */
 			strcpy(sandbox_info->sandbox_message_path, sbio_fallback_path);
 		}
+	} else {
+		/* Do not resolve the target of stderr because it could be something
+		 * that doesn't exist on the fs.  Like a pipe (`tee` and such). */
+		strcat(sandbox_info->sandbox_message_path, "/2");
 	}
 
 	return 0;

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     9b2b36945ec4e0335e0375cc45e14c41c66d28ae
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 29 09:16:15 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Mar 29 09:16:15 2016 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=9b2b3694

sandbox: allow user to force SIGKILL

Sometimes the child process can get wedged and not respond to CTRL+C,
so add an escape hatch so the user can easily force SIGKILL.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index c668ab6..503ad0b 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -128,13 +128,21 @@ static void print_sandbox_log(char *sandbox_log)
 	sb_eerror("--------------------------------------------------------------------------------\n");
 }
 
+static int stop_count = 5;
+
 static void stop(int signum)
 {
 	if (0 == stop_called) {
 		stop_called = signum;
 		sb_warn("caught signal %d in pid %d", signum, getpid());
-	} else
-		sb_warn("signal already caught and busy still cleaning up!");
+	} else if (--stop_count) {
+		sb_warn("Send signal %i more time%s to force SIGKILL",
+			stop_count, stop_count == 1 ? "" : "s");
+	} else {
+		/* This really should kill all children; see usr1_handler. */
+		kill(child_pid, SIGKILL);
+		stop_count = 1;
+	}
 }
 
 static void usr1_handler(int signum, siginfo_t *siginfo, void *ucontext)

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     e9a45d1832ba36acd11bf4c8fa57b576f87d17c5
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 28 09:51:23 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Oct 28 09:51:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=e9a45d18

sandbox: undefine dprintf

The C library has a dprintf function too, and it might be a define
that clashes with ours, so undefine it to avoid warnings.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/sandbox.c b/src/sandbox.c
index d74abd9..6cd5f38 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -15,6 +15,9 @@
 #include "sbutil.h"
 #include "sandbox.h"
 
+/* The C library might have a macro for this. */
+#undef dprintf
+
 static int print_debug = 0;
 #define dprintf(fmt, args...) do { if (print_debug) printf(fmt, ## args); } while (0)
 #define dputs(str) do { if (print_debug) puts(str); } while (0)

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     c029863b70ca77f59cd181974cfab0fa18c0a265
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 29 03:38:58 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Oct 29 03:38:58 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=c029863b

sandbox: avoid repetitive strlen calculations when building cmdline

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 6cd5f38..7e8a769 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -263,21 +263,19 @@ int main(int argc, char **argv)
 	str_list_add_item_copy(argv_bash, sandbox_info.sandbox_rc, oom_error);
 	if (argc >= 2) {
 		int i;
+		size_t cmdlen;
+		char *cmd = NULL;
 
 		str_list_add_item_copy(argv_bash, run_str, oom_error);
 		str_list_add_item_copy(argv_bash, argv[1], oom_error);
+		cmdlen = strlen(argv_bash[4]);
 		for (i = 2; i < argc; i++) {
-			char *tmp_ptr;
-
-			tmp_ptr = xrealloc(argv_bash[4],
-					   (strlen(argv_bash[4]) +
-					    strlen(argv[i]) + 2) *
-					   sizeof(char));
-			argv_bash[4] = tmp_ptr;
-
-			snprintf(argv_bash[4] + strlen(argv_bash[4]),
-				 strlen(argv[i]) + 2, " %s",
-				 argv[i]);
+			size_t arglen = strlen(argv[i]);
+			argv_bash[4] = xrealloc(argv_bash[4], cmdlen + arglen + 2);
+			argv_bash[4][cmdlen] = ' ';
+			memcpy(argv_bash[4] + cmdlen + 1, argv[i], arglen);
+			cmdlen += arglen + 1;
+			argv_bash[4][cmdlen] = '\0';
 		}
 	}
 

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     52357565c61a5d2c4f4da693caae852a4d90b111
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Mon Nov  1 18:31:23 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Nov  1 18:31:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=52357565

sandbox: include "sandbox" in the error log summary

This should make it a little more clear that this summary is coming
from the sandbox and not somewhere else.

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 7d6b03f..3d43446 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -114,7 +114,7 @@ static void print_sandbox_log(char *sandbox_log)
 		return;
 	}
 
-	sb_eerror("--------------------------- ACCESS VIOLATION SUMMARY ---------------------------\n");
+	sb_eerror("----------------------- SANDBOX ACCESS VIOLATION SUMMARY -----------------------\n");
 	sb_eerror("LOG FILE: \"%s\"\n", sandbox_log);
 
 	while (1) {

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     116ca8fd5af908edad85095916585576aa19ec5f
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Nov  2 04:13:53 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Nov  2 04:13:53 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=116ca8fd

sandbox: add backwards compat interface hack

Portage runs commands through sandbox like:
  $ sandbox "/usr/lib/portage/python3.9/ebuild.sh unpack"

That means we can't break the CLI without breaking portage and forcing
everyone to upgrade together.  That'll be pretty disruptive for people,
so add a hack to detect this situation: if a single argument is passed
on the CLI, and it doesn't appear to be a file, then fallback to running
it through the shell.  This keeps portage working while allowing the new
interface style to launch.  If/when we can update portage to always use
the -c option, maybe we can drop this in the future.  Or not ... it's
not exactly the worst hack for users.

Bug: https://bugs.gentoo.org/265907
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/sandbox.c b/src/sandbox.c
index 2d03dd4..ed0c7f6 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -260,6 +260,15 @@ int main(int argc, char **argv)
 		goto oom_error;
 
 	/* Setup bash argv */
+	if (!opt_use_bash && argc == 2) {
+		/* Backwards compatibility hack: if there's only one argument, and it
+		 * appears to be a shell command (not an absolute path to a program),
+		 * then fallback to running through the shell.
+		 */
+		if (access(argv[1], X_OK))
+			opt_use_bash = true;
+	}
+
 	if (opt_use_bash || argc == 1) {
 		str_list_add_item_copy(argv_bash, "/bin/bash", oom_error);
 		str_list_add_item_copy(argv_bash, "-rcfile", oom_error);

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     71c438d90052579e2245c674ad430f9b01fed5a5
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Nov  2 03:43:30 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Nov  2 03:43:30 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=71c438d9

sandbox: delete now unused variable

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 3d43446..2d03dd4 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -267,7 +267,6 @@ int main(int argc, char **argv)
 		if (argc >= 2) {
 			int i;
 			size_t cmdlen;
-			char *cmd = NULL;
 
 			str_list_add_item_copy(argv_bash, run_str, oom_error);
 			str_list_add_item_copy(argv_bash, argv[1], oom_error);

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     373c81e05db464d82d9f667871d682b36804de15
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov  3 04:50:10 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov  3 04:50:10 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=373c81e0

sandbox: fix passing of config env vars down

This code has been buggy since it was first added years ago -- it
would read the right value out of the config file, but then always
just set $SANDBOX_VERBOSE to it instead of the right env var.  This
prevented the basic loading of sandbox settings from sandbox.conf.

Bug: https://bugs.gentoo.org/821403
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/environ.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/environ.c b/src/environ.c
index 542dd64..ecff0dc 100644
--- a/src/environ.c
+++ b/src/environ.c
@@ -96,7 +96,7 @@ static void setup_cfg_var(const char *env_var)
 	 * environment if not already present. */
 	config = rc_get_cnf_entry(sb_conf_file(), env_var, NULL);
 	if (NULL != config) {
-		setenv(ENV_SANDBOX_VERBOSE, config, 0);
+		setenv(env_var, config, 0);
 		free(config);
 	}
 }

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     018f85d5c9f3e268b9dee96c022a66ff697042dc
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Nov  5 09:32:06 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Nov  5 09:32:06 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=018f85d5

sandbox: move verbose startup info behind debug knob

These messages aren't super useful to most people, nor are needed on
every invocation, so put them behind a debug knob to reduce log spam.x

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/sandbox.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 063974d..02f4cbe 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -234,19 +234,22 @@ int main(int argc, char **argv)
 			sb_err("not launching a new sandbox as one is already running in this process hierarchy");
 
 	/* determine the location of all the sandbox support files */
-	dputs("Detection of the support files.");
+	if (opt_debug)
+		dputs("Detection of the support files.");
 
 	if (-1 == setup_sandbox(&sandbox_info, print_debug))
 		sb_err("failed to setup sandbox");
 
 	/* verify the existance of required files */
-	dputs("Verification of the required files.");
+	if (opt_debug)
+		dputs("Verification of the required files.");
 
 	if (!rc_file_exists(sandbox_info.sandbox_rc))
 		sb_perr("could not open the sandbox rc file: %s", sandbox_info.sandbox_rc);
 
 	/* set up the required environment variables */
-	dputs("Setting up the required environment variables.");
+	if (opt_debug)
+		dputs("Setting up the required environment variables.");
 
 	/* If not in portage, cd into it work directory */
 	if ('\0' != sandbox_info.work_dir[0])
@@ -346,9 +349,8 @@ int main(int argc, char **argv)
 		sigaction(SIGHUP, &act_old[0], NULL);
 
 	/* STARTING PROTECTED ENVIRONMENT */
-	dputs("The protected environment has been started.");
-	dputs(sandbox_footer);
-	dputs("Process being started in forked instance.");
+	if (opt_debug)
+		dputs("The protected environment has been started.");
 
 	/* Start Bash */
 	int shell_exit = spawn_shell(argv_bash, sandbox_environ, print_debug);
@@ -359,8 +361,6 @@ int main(int argc, char **argv)
 	argv_bash = NULL;
 	sandbox_environ = NULL;
 
-	dputs("Cleaning up sandbox process");
-	dputs(sandbox_banner);
 	dputs("The protected environment has been shut down.");
 
 	if (rc_file_exists(sandbox_info.sandbox_log)) {

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Frysinger]

commit:     f0fd6d2e4884177af599416d1cca0423d1b7df08
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Nov  5 09:28:55 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Nov  5 09:28:55 2021 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=f0fd6d2e

sandbox: add --debug option to control SANDBOX_DEBUG

Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 src/environ.c |  2 +-
 src/options.c | 14 +++++++++++++-
 src/sandbox.h |  1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/environ.c b/src/environ.c
index 1535f06..81a3e5f 100644
--- a/src/environ.c
+++ b/src/environ.c
@@ -303,7 +303,7 @@ char **setup_environ(struct sandbox_info_t *sandbox_info, bool interactive)
 	if (!getenv(ENV_SANDBOX_VERBOSE))
 		sb_setenv(&new_environ, ENV_SANDBOX_VERBOSE, "1");
 	if (!getenv(ENV_SANDBOX_DEBUG))
-		sb_setenv(&new_environ, ENV_SANDBOX_DEBUG, "0");
+		sb_setenv(&new_environ, ENV_SANDBOX_DEBUG, opt_debug ? "1" : "0");
 	if (!getenv(ENV_NOCOLOR))
 		sb_setenv(&new_environ, ENV_NOCOLOR, "no");
 	if (!getenv(ENV_SANDBOX_METHOD))

diff --git a/src/options.c b/src/options.c
index 64cd750..5332318 100644
--- a/src/options.c
+++ b/src/options.c
@@ -21,6 +21,7 @@ int opt_use_ns_time = -1;
 int opt_use_ns_user = -1;
 int opt_use_ns_uts = -1;
 bool opt_use_bash = false;
+int opt_debug = -1;
 
 static const struct {
 	const char *name;
@@ -38,6 +39,7 @@ static const struct {
 	{ "NAMESPACE_TIME_ENABLE",   &opt_use_ns_time,    false, },
 	{ "NAMESPACE_USER_ENABLE",   &opt_use_ns_user,    false, },
 	{ "NAMESPACE_UTS_ENABLE",    &opt_use_ns_uts,     false, },
+	{ "SANDBOX_DEBUG",           &opt_debug,          false, },
 };
 
 static void read_config(void)
@@ -77,7 +79,7 @@ static void show_version(void)
 	exit(0);
 }
 
-#define PARSE_FLAGS "+chV"
+#define PARSE_FLAGS "+cdhV"
 #define a_argument required_argument
 static struct option const long_opts[] = {
 	{"ns-on",         no_argument, &opt_use_namespaces, true},
@@ -101,6 +103,7 @@ static struct option const long_opts[] = {
 	{"ns-uts-on",     no_argument, &opt_use_ns_uts, true},
 	{"ns-uts-off",    no_argument, &opt_use_ns_uts, false},
 	{"bash",          no_argument, NULL, 'c'},
+	{"debug",         no_argument, NULL, 'd'},
 	{"help",          no_argument, NULL, 'h'},
 	{"version",       no_argument, NULL, 'V'},
 	{"run-configure", no_argument, NULL, 0x800},
@@ -128,6 +131,7 @@ static const char * const opts_help[] = {
 	"Enable  the use of UTS (hostname/uname) namespaces",
 	"Disable the use of UTS (hostname/uname) namespaces",
 	"Run command through bash shell",
+	"Enable debug output",
 	"Print this help and exit",
 	"Print version and exit",
 	"Run local sandbox configure in same way and exit (developer only)",
@@ -207,6 +211,12 @@ void parseargs(int argc, char *argv[])
 		case 'c':
 			opt_use_bash = true;
 			break;
+		case 'd':
+			if (opt_debug <= 0)
+				opt_debug = 1;
+			else
+				++opt_debug;
+			break;
 		case 'V':
 			show_version();
 		case 'h':
@@ -215,6 +225,8 @@ void parseargs(int argc, char *argv[])
 			run_configure(argc, argv);
 		case '?':
 			show_usage(1);
+		default:
+			sb_ebort("ISE: unhandled CLI option %c\n", i);
 		}
 	}
 

diff --git a/src/sandbox.h b/src/sandbox.h
index 0c0430f..28961f5 100644
--- a/src/sandbox.h
+++ b/src/sandbox.h
@@ -53,5 +53,6 @@ extern int opt_use_ns_time;
 extern int opt_use_ns_user;
 extern int opt_use_ns_uts;
 extern bool opt_use_bash;
+extern int opt_debug;
 
 #endif

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Gilbert]

commit:     7f230519475c2aaea91df75b0165d8b6c03b9fa9
Author:     gto2023 <gto7052 <AT> mailbox <DOT> org>
AuthorDate: Thu Jul 13 11:59:24 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug  5 20:07:55 2023 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=7f230519

sandbox: do not compare array to NULL

Fixes a compiler warning:
```
src/environ.c:211:19: warning: the comparison will always evaluate as ‘true’ for the address of ‘work_dir’ will never be NULL [-Waddress]
```

Bug: https://bugs.gentoo.org/906234
Signed-off-by: gto2023 <gto7052 <AT> mailbox.org>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 src/environ.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/environ.c b/src/environ.c
index 81a3e5f..df8595b 100644
--- a/src/environ.c
+++ b/src/environ.c
@@ -208,7 +208,7 @@ static int setup_cfg_vars(struct sandbox_info_t *sandbox_info)
 	if (-1 == setup_access_var(ENV_SANDBOX_WRITE))
 		return -1;
 	if ((NULL == getenv(ENV_SANDBOX_WRITE)) &&
-	    (NULL != sandbox_info->work_dir))
+	    strlen(sandbox_info->work_dir))
 		setenv(ENV_SANDBOX_WRITE, sandbox_info->work_dir, 1);
 
 	if (-1 == setup_access_var(ENV_SANDBOX_PREDICT))

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Gilbert]

commit:     5d13985d6ec4ceeced9b9b45f00bc19c69efbb8f
Author:     gto2023 <gto7052 <AT> mailbox <DOT> org>
AuthorDate: Thu Jul 13 11:55:09 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Aug  5 18:04:53 2023 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=5d13985d

sandbox: prevent possible use of uninitialized members of sandbox_info struct

Signed-off-by: gto2023 <gto7052 <AT> mailbox.org>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 src/sandbox.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index 802850c..e4e05c8 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -211,7 +211,7 @@ int main(int argc, char **argv)
 {
 	int sandbox_log_presence = 0;
 
-	struct sandbox_info_t sandbox_info;
+	struct sandbox_info_t sandbox_info = {};
 
 	char **sandbox_environ;
 	char **argv_bash = NULL;

[gentoo-commits] proj/sandbox:master commit in: src/

[Mike Gilbert]

commit:     4d85608b67803f8f861910590830fcb8c2220b06
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Aug  6 00:20:14 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Tue Aug  8 15:29:39 2023 +0000
URL:        https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=4d85608b

src: fix -Wold-style-declaration

Signed-off-by: Sam James <sam <AT> gentoo.org>
Closes: https://github.com/gentoo/sandbox/pull/23
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 src/sandbox.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sandbox.c b/src/sandbox.c
index e4e05c8..071cad0 100644
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -25,8 +25,8 @@ int (*sbio_faccessat)(int, const char *, int, int) = faccessat;
 int (*sbio_open)(const char *, int, mode_t) = (void *)open;
 FILE *(*sbio_popen)(const char *, const char *) = popen;
 
-volatile static int stop_called = 0;
-volatile static pid_t child_pid = 0;
+static volatile int stop_called = 0;
+static volatile pid_t child_pid = 0;
 
 static const char sandbox_banner[] = "============================= Gentoo path sandbox ==============================";
 static const char sandbox_footer[] = "--------------------------------------------------------------------------------";