Message-ID: <54C56372.2060502@gentoo.org>
Date: Sun, 25 Jan 2015 13:43:14 -0800
From: Zac Medico
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] [PATCH v2] Support escaping network-sandbox through SOCKSv5 proxy
References: <1422194414-31669-1-git-send-email-mgorny@gentoo.org>
In-Reply-To: <1422194414-31669-1-git-send-email-mgorny@gentoo.org>
List-Id: Gentoo Linux mail

On 01/25/2015 06:00 AM, Michał Górny wrote:
> diff --git a/bin/socks5-server.py b/bin/socks5-server.py
> new file mode 100644
> index 0000000..c079018
> --- /dev/null
> +++ b/bin/socks5-server.py
> @@ -0,0 +1,218 @@
> +#!/usr/bin/env python
> +# SOCKSv5 proxy server for network-sandbox
> +# Copyright 2015 Gentoo Foundation
> +# Distributed under the terms of the GNU General Public License v2
> +
> +import asyncore
> +import errno
> +import socket
> +import struct
> +import sys
> +
> +
> +class ProxyConnection(asyncore.dispatcher_with_send):
> +	_addr = None
> +	_connected = False
> +	_family = socket.AF_INET
> +	_proxy_conn = None
> +
> +	def __init__(self, proxy_conn):
> +		self._proxy_conn = proxy_conn
> +		asyncore.dispatcher_with_send.__init__(self)
> +		self.create_socket(self._family, socket.SOCK_STREAM)
> +
> +	def start_connection(self, host, port):
> +		try:
> +			self.connect((host, port))
> +		except:
> +			self.handle_error()

This except handler should at least allow SystemExit and KeyboardInterrupt to raise.

> diff --git a/pym/portage/package/ebuild/_config/special_env_vars.py b/pym/portage/package/ebuild/_config/special_env_vars.py
> index 6bb3c95..905d5e7 100644
> --- a/pym/portage/package/ebuild/_config/special_env_vars.py
> +++ b/pym/portage/package/ebuild/_config/special_env_vars.py
> @@ -71,7 +71,7 @@ environ_whitelist += [
>  	"PORTAGE_PYM_PATH", "PORTAGE_PYTHON",
>  	"PORTAGE_PYTHONPATH", "PORTAGE_QUIET",
>  	"PORTAGE_REPO_NAME", "PORTAGE_REPOSITORIES", "PORTAGE_RESTRICT",
> -	"PORTAGE_SIGPIPE_STATUS",
> +	"PORTAGE_SIGPIPE_STATUS", "PORTAGE_SOCKS5_PROXY",
>  	"PORTAGE_TMPDIR", "PORTAGE_UPDATE_ENV", "PORTAGE_USERNAME",
>  	"PORTAGE_VERBOSE", "PORTAGE_WORKDIR_MODE", "PORTAGE_XATTR_EXCLUDE",
>  	"PORTDIR", "PORTDIR_OVERLAY", "PREROOTPATH",

The DISTCC_SOCKS_PROXY variable should also be added to the whitelist.

Other than these 2 minor issues, the patch looks good to me.

I guess there's no point in using portage's event loop instead of asyncore, since we want the proxy to drop privileges, and therefore it can't run in the main portage process.
-- 
Thanks,
Zac
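Review bot: the bare `except:` around `self.connect((host, port))` in start_connection (bin/socks5-server.py hunk) routes SystemExit and KeyboardInterrupt into handle_error along with genuine socket errors, so a sys.exit() or Ctrl-C that lands during a connect attempt keeps the proxy running instead of stopping it; narrow it to `except Exception:` (or `except socket.error:`), which still sends real connection failures through handle_error. In the same hunk, `_family = socket.AF_INET` is fixed at class level and the socket is created with it in __init__, before start_connection ever sees the target host, so a connection object created this way cannot serve a request for an IPv6 destination; choosing the family from the resolved address (or creating the socket inside start_connection) would avoid that.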
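Review bot: adding "PORTAGE_SOCKS5_PROXY" to environ_whitelist (special_env_vars.py hunk) exports the value into every ebuild's environment, where build-time code can read it, yet the hunk gives no indication of what the value is (a listening address, a socket path) or which tools are expected to honour it; the variable needs a documented format alongside the whitelist entry, and the point raised above applies: any tool that reads its own proxy variable rather than this one (distcc, via DISTCC_SOCKS_PROXY) needs its variable whitelisted here too, otherwise the escape silently does not reach it.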
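As an added example (not code from the patch or from portage), the two handler shapes discussed in the reply, side by side: the bare `except:` as written in the hunk, and the narrowed form that lets SystemExit and KeyboardInterrupt propagate. A constructed stand-in replaces socket.connect so the comparison runs offline; the function names are hypothetical and asyncore is deliberately not imported.

```python
import errno
import socket


def _fake_connect(outcome):
    """Constructed stand-in for socket.connect(): outcome None means success,
    otherwise the given exception instance is raised when called."""
    def connect():
        if outcome is not None:
            raise outcome
    return connect


def start_connection_bare_except(connect):
    """Mirrors the reviewed pattern. A bare 'except:' catches BaseException, so
    SystemExit and KeyboardInterrupt are swallowed together with socket errors."""
    try:
        connect()
    except:  # noqa: E722  (deliberately reproduces the reviewed code)
        return "handled"
    return "connected"


def start_connection_narrow_except(connect):
    """The narrowed form the review asks for. SystemExit and KeyboardInterrupt derive
    from BaseException rather than Exception, so they propagate unchanged while
    real connection failures are still reported (here: as their errno name)."""
    try:
        connect()
    except Exception as e:  # pylint: disable=broad-except
        code = getattr(e, "errno", None)
        return "handled: %s" % errno.errorcode.get(code, type(e).__name__)
    return "connected"


def _call(handler, outcome):
    """Run one handler against one outcome, reporting whether SystemExit escaped."""
    try:
        return handler(_fake_connect(outcome))
    except SystemExit:
        return "propagated SystemExit"


def demo():
    """Exercise both handlers with a success, a refused connection and a SystemExit
    raised mid-connect; returns a dict keyed by (handler, scenario)."""
    scenarios = (
        ("ok", None),
        ("refused", socket.error(errno.ECONNREFUSED, "Connection refused")),
        ("exit", SystemExit(1)),
    )
    results = {}
    for name, outcome in scenarios:
        results[("bare", name)] = _call(start_connection_bare_except, outcome)
        results[("narrow", name)] = _call(start_connection_narrow_except, outcome)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-7s %-8s -> %s" % (key[0], key[1], value))
```

The "exit" row is the one that matters: with the bare handler the SystemExit is absorbed and reported as an ordinary connection failure, with the narrowed handler it escapes the function and ends the process as intended.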