* [gentoo-dev] sandbox v0.2
@ 2001-12-10 11:28 Geert Bevin
From: Geert Bevin @ 2001-12-10 11:28 UTC
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 2936 bytes --]
Hi all,
this is the next release of the sandbox. It now integrates seamlessly
into most ebuilds. The following features have been added :
* Added an ebuild to install the correct dynamic bash executable. It
supports safe unmerging, restoring the original static bash which is
otherwise accessible as /bin/sbash.
* Added env vars for customizing sandbox log labeling, number of beeps
after failure report, forcibly disabling of the sandbox before running
ebuild to make it possible to install a misbehaving package. The env
vars are SANDBOX_LOG, SANDBOX_BEEP and SANDBOX_DISABLED. SANDBOX_LOG is
automatically set to the full name of the package by portage.
* Bumped up to version 0.2. Added support for path prefix predictions.
This means that write is not allowed, but the request to do so is not
considered an error. The ebuild.sh now also contains support functions
which allow easy dynamic configuration of the sandbox inside an ebuild.
The added functions are : "addread, addwrite, adddeny, addprediction".
Below is a short usage summary:
==============================
1. To have full sandbox protection, the dynbash-2.04.ebuild should be
merged.
2. When a package misbehaves and you don't feel like fixing it but still
want to install it, set the SANDBOX_DISABLED to something and remerge.
The previous error report will be in /tmp/sandbox-[package]-[pid].log.
Please submit this file to gentoo-dev@gentoo.org.
3. When you don't want to hear beeps when a package fails, add
SANDBOX_BEEP to /etc/make.conf and set it to 0. Setting it to another
positive number configures the number of beeps that will sound.
4. The default writable path prefixes are now :
"/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log: \
~/.gconfd/lock:~/.bash_history:[$PORTAGE_TMP]"
5. The default predicted path prefixes are :
"~/.:/usr/tmp/conftest:/usr/lib/conftest"
6. The above prefixes are now hardcoded into the sandbox executable but
should in time migrate to '/etc/make.globals'.
7. If your package needs other permissions you have three options :
a. try to figure out why it writes outside the image dir and fix
the makefile,
b. question yourself if it's a general path that should be
integrated into the default settings, if this is the case send
it together with your motivation to this mailing list,
c. configure the sandbox with the new ebuild functions. Generally
you only need to use 'addwrite path' or 'addpredict path'. Note
that these change the sandbox for the current ebuild execution
and are thus not persistent across emerge stages
(download, compile, install).
That's it,
Have fun and don't hesitate to contact me when questions arise,
Geert
--
Geert Bevin
the Leaf sprl/bvba
"Use what you need" Pierre Theunisstraat 1/47
http://www.theleaf.be 1030 Brussels
gbevin@theleaf.be Tel & Fax +32 2 241 19 98
[-- Attachment #2: sandbox-0.2-ebuild.tar.bz2 --]
[-- Type: application/x-bzip, Size: 10186 bytes --]
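
An added example, not part of the original message and not the sandbox's own code: a small Python model of the write decision the message describes (writable prefixes, predicted prefixes where the write is refused but not reported, denied prefixes). The check order, the lexical path normalisation, the home directory argument and the PORTAGE_TMP value are assumptions.

```python
import posixpath

# Default prefix lists quoted from the announcement. "[$PORTAGE_TMP]" has no
# value in the message, so the path below is an assumed placeholder.
PORTAGE_TMP = "/var/tmp/portage/"
DEFAULT_WRITE = ("/dev/null:/dev/pts/:/dev/tty:/tmp/:/var/log/scrollkeeper.log:"
                 "~/.gconfd/lock:~/.bash_history:" + PORTAGE_TMP)
DEFAULT_PREDICT = "~/.:/usr/tmp/conftest:/usr/lib/conftest"


class SandboxModel:
    """Toy model of the write decision; not the sandbox's real code."""

    def __init__(self, home, write=DEFAULT_WRITE, predict=DEFAULT_PREDICT):
        self.home = home.rstrip("/")
        self.write = self._split(write)
        self.predict = self._split(predict)
        self.deny = []
        self.log = []  # stands in for /tmp/sandbox-[package]-[pid].log

    def _expand(self, path):
        # Only a leading "~/" is expanded, against the configured home.
        return self.home + path[1:] if path.startswith("~/") else path

    def _split(self, spec):
        return [self._expand(p) for p in spec.split(":") if p]

    # Method names mirror the ebuild helpers named in the announcement.
    def addwrite(self, path):
        self.write.append(self._expand(path))

    def addpredict(self, path):
        self.predict.append(self._expand(path))

    def adddeny(self, path):
        self.deny.append(self._expand(path))

    def check_write(self, path):
        # Collapse "." and ".." first so "/tmp/../etc/passwd" cannot ride on
        # the "/tmp/" prefix. Assumed order: deny, then write, then predict.
        real = posixpath.normpath(self._expand(path))
        hit = lambda prefixes: any(real.startswith(p) for p in prefixes)
        if not hit(self.deny):
            if hit(self.write):
                return "allow"
            if hit(self.predict):
                return "predicted"  # write refused, nothing reported
        self.log.append(real)
        return "violation"
```

The normalisation here is lexical only; a path that reaches outside a writable prefix through a symlink would need to be resolved before the prefix comparison.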