From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 2FF64138B5C
	for ; Mon, 6 Apr 2015 12:38:01 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3F525E083C;
	Mon, 6 Apr 2015 12:38:00 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C2A79E0833
	for ; Mon, 6 Apr 2015 12:37:59 +0000 (UTC)
Received: from pomiot.lan (77-255-11-20.adsl.inetia.pl [77.255.11.20])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: mgorny)
	by smtp.gentoo.org (Postfix) with ESMTPSA id EEC4C3409BB;
	Mon, 6 Apr 2015 12:37:57 +0000 (UTC)
From: Michał Górny
To: gentoo-portage-dev@lists.gentoo.org
Cc: Michał Górny
Subject: [gentoo-portage-dev] [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
Date: Mon, 6 Apr 2015 14:37:49 +0200
Message-Id: <1428323869-9815-1-git-send-email-mgorny@gentoo.org>
X-Mailer: git-send-email 2.3.5
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-portage-dev@lists.gentoo.org
Reply-to: gentoo-portage-dev@lists.gentoo.org
X-Archives-Salt: f9e8c9ac-73ae-4171-8e22-b58fef5513be
X-Archives-Hash: c31d9056b3d4cc39ad9c6906675fa7f5

All three features should be mature enough to be enabled by default.
CGroups provide better tracking for ebuild processes, while the two
sandboxes improve security through restricting IPC & network access for
build-only phases. All the features degrade gracefully when the relevant
kernel features are not available.
---
 cnf/make.globals | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cnf/make.globals b/cnf/make.globals index dd99618..2d93e9d 100644 --- a/cnf/make.globals +++ b/cnf/make.globals @@ -50,9 +50,10 @@ RESUMECOMMAND_SSH=${FETCHCOMMAND_SSH} FETCHCOMMAND_SFTP="bash -c \"x=\\\${2#sftp://} ; host=\\\${x%%/*} ; port=\\\${host##*:} ; host=\\\${host%:*} ; [[ \\\${host} = \\\${port} ]] && port=22 ; eval \\\"declare -a ssh_opts=(\\\${3})\\\" ; exec sftp -P \\\${port} \\\"\\\${ssh_opts[@]}\\\" \\\"\\\${host}:/\\\${x#*/}\\\" \\\"\\\$1\\\"\" sftp \"\${DISTDIR}/\${FILE}\" \"\${URI}\" \"\${PORTAGE_SSH_OPTS}\"" # Default user options -FEATURES="assume-digests binpkg-logs +FEATURES="assume-digests binpkg-logs cgroup config-protect-if-modified distlocks ebuild-locks - fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned + fixlafiles ipc-sandbox merge-sync network-sandbox + news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" -- 2.3.5
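
Review bot: Missing documentation for the changed defaults: the three entries added to FEATURES in cnf/make.globals (cgroup, ipc-sandbox, network-sandbox) take effect for every user who has not set them explicitly, yet the diffstat shows only this one file touched. Since the commit message says the sandboxes restrict IPC and network access during build-only phases, packages that rely on either in those phases may behave differently once this lands, so a release note or news entry in the same series naming the three features and the opt-out (for example FEATURES="-network-sandbox" in make.conf) would help. The commit message also states that all three degrade gracefully without kernel support; a short pointer to where that fallback is handled or tested would make the claim checkable from the patch itself.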