Hi all, this is the next release of the sandbox. It now integrates seamlessly into most ebuilds. The following features have been added : * Added an ebuild to install the correct dynamic bash executable. It supports safe unmerging, restoring the original static bash which is otherwise accessible as /bin/sbash. * Added env vars for customizing sandbox log labeling, number of beeps after failure report, forcebly disabling of the sandbox before running ebuild to make it possible to install a misbehaving package. The env vars are SANDBOX_LOG, SANDBOX_BEEP and SANDBOX_DISABLED. SANDBOX_LOG is automatically set to the full name of the package by portage. * Bumped up to version 0.2. Added support for path prefix predictions. This means that write is not allowed, but the request to do so is not considered an error. The ebuild.sh now also contains support functions which allows easy dynamic configuration of the sandbox inside an ebuild. The added functions are : "addread, addwrite, adddeny, addprediction'. Below is a short usage summary: ============================== 1. To have full sandbox protection, the dynbash-2.04.ebuild should be merged. 2. When a package misbehaves and you don't feel like fixing it but still want to install it, set the SANDBOX_DISABLED to something and remerge. The previous error report will be in /tmp/sandbox-[package]-[pid].log. Please submit this file to gentoo-dev@gentoo.org. 3. When you don't want to hear beeps when a package fails, add SANDBOX_BEEP to /etc/make.conf and set it to 0. Setting it to another positive number configures the number of beeps that will sound. 4. The default writable path prefixes are now : "/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log: \ ~/.gconfd/lock:~/.bash_history:[$PORTAGE_TMP]" 5. The default predicted path prefixes are : "~/.:/usr/tmp/conftest:/usr/lib/conftest" 6. The above prefixes are now hardcoded into the sandbox executable but should in time migrate to '/etc/make.globals'. 7. If your package needs other permissions you have three options : a. try to figure out why it writes outside the image dir and fix the makefile, b. question yourself if it's a general path that should be integrated into the default settings, if this is the case send it together with your motivation to this mailinglist, c. configure the sandbox with the new ebuild functions. Generally you only need to use 'addwrite path' or 'addpredict path'. Note that these change the sandbox for the current ebuild execution and are thus not presistant across emerge stages (download,compile, install). That's it, Have fun and don't hesitate to contact me when questions arise, Geert -- Geert Bevin the Leaf sprl/bvba "Use what you need" Pierre Theunisstraat 1/47 http://www.theleaf.be 1030 Brussels gbevin@theleaf.be Tel & Fax +32 2 241 19 98