From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sun, 25 Jan 2015 23:01:28 +0100
From: Michał Górny
To: Zac Medico
Cc: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] [PATCH v2] Support escaping network-sandbox through SOCKSv5 proxy
Message-ID: <20150125230128.12b61f69@pomiot.lan>
In-Reply-To: <54C56372.2060502@gentoo.org>
References: <1422194414-31669-1-git-send-email-mgorny@gentoo.org> <54C56372.2060502@gentoo.org>
Organization: Gentoo

On 2015-01-25, at 13:43:14, Zac Medico wrote:
> On 01/25/2015 06:00 AM, Michał Górny wrote:
> > diff --git a/bin/socks5-server.py b/bin/socks5-server.py
> > new file mode 100644
> > index 0000000..c079018
> > --- /dev/null
> > +++ b/bin/socks5-server.py
> > @@ -0,0 +1,218 @@
> > +#!/usr/bin/env python
> > +# SOCKSv5 proxy server for network-sandbox
> > +# Copyright 2015 Gentoo Foundation
> > +# Distributed under the terms of the GNU General Public License v2
> > +
> > +import asyncore
> > +import errno
> > +import socket
> > +import struct
> > +import sys
> > +
> > +
> > +class ProxyConnection(asyncore.dispatcher_with_send):
> > +	_addr = None
> > +	_connected = False
> > +	_family = socket.AF_INET
> > +	_proxy_conn = None
> > +
> > +	def __init__(self, proxy_conn):
> > +		self._proxy_conn = proxy_conn
> > +		asyncore.dispatcher_with_send.__init__(self)
> > +		self.create_socket(self._family, socket.SOCK_STREAM)
> > +
> > +	def start_connection(self, host, port):
> > +		try:
> > +			self.connect((host, port))
> > +		except:
> > +			self.handle_error()
> 
> This except handler should at least allow SystemExit and
> KeyboardInterrupt to raise.

handle_error() has conditional exception reraising code.

> > diff --git a/pym/portage/package/ebuild/_config/special_env_vars.py b/pym/portage/package/ebuild/_config/special_env_vars.py
> > index 6bb3c95..905d5e7 100644
> > --- a/pym/portage/package/ebuild/_config/special_env_vars.py
> > +++ b/pym/portage/package/ebuild/_config/special_env_vars.py
> > @@ -71,7 +71,7 @@ environ_whitelist += [
> >  	"PORTAGE_PYM_PATH", "PORTAGE_PYTHON",
> >  	"PORTAGE_PYTHONPATH", "PORTAGE_QUIET",
> >  	"PORTAGE_REPO_NAME", "PORTAGE_REPOSITORIES", "PORTAGE_RESTRICT",
> > -	"PORTAGE_SIGPIPE_STATUS",
> > +	"PORTAGE_SIGPIPE_STATUS", "PORTAGE_SOCKS5_PROXY",
> >  	"PORTAGE_TMPDIR", "PORTAGE_UPDATE_ENV", "PORTAGE_USERNAME",
> >  	"PORTAGE_VERBOSE", "PORTAGE_WORKDIR_MODE", "PORTAGE_XATTR_EXCLUDE",
> >  	"PORTDIR", "PORTDIR_OVERLAY", "PREROOTPATH",
> 
> The DISTCC_SOCKS_PROXY variable should also be added to the whitelist.

There's a regexp for DISTCC_* below.

> Other than these 2 minor issues, the patch looks to me. I guess there's
> no point in using portage's event loop instead of asyncore, since we
> want the proxy to drop privileges, and therefore it can't run in the
> main portage process.

To be honest, I didn't even think about it. Asyncore seemed like the
Python way of doing non-blocking socket I/O.

-- 
Best regards,
Michał Górny
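Review bot: in bin/socks5-server.py, ProxyConnection.start_connection wraps `self.connect((host, port))` in a bare `except:`, which also catches SystemExit and KeyboardInterrupt and routes them into `self.handle_error()`; whether they get re-raised there cannot be checked from this hunk, since handle_error() is not among the visible lines. Catching the failure class the connect call can actually produce, `except socket.error:` (an alias of OSError on Python 3), states the intent directly and lets interpreter-exit exceptions propagate on their own instead of depending on re-raise logic elsewhere in the file.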
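Review bot: in pym/portage/package/ebuild/_config/special_env_vars.py, PORTAGE_SOCKS5_PROXY joins environ_whitelist with no accompanying documentation; because the whitelist is what exposes the variable to every ebuild environment, and this variable names the one sanctioned path out of network-sandbox, the man page entry describing it (what it holds, who sets it, and that ebuilds can rely on it) belongs in the same series. Placement between PORTAGE_SIGPIPE_STATUS and PORTAGE_TMPDIR keeps the list sorted, which is fine.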