Bug #202697 - Add / to the default initial SANDBOX_READ in order to
authorZac Medico <zmedico@gentoo.org>
Fri, 28 Dec 2007 23:12:24 +0000 (23:12 -0000)
committerZac Medico <zmedico@gentoo.org>
Fri, 28 Dec 2007 23:12:24 +0000 (23:12 -0000)
avoid a situation where attempts to read arbitrary files trigger
sandbox violations.

svn path=/main/trunk/; revision=9085

bin/ebuild.sh

index d65ff69e9596f5f25794f4e6897d5d2526fe89f1..51b0b5f2f150ae944c24f1910b8ce44cc4e42e50 100755 (executable)
@@ -9,7 +9,7 @@ PORTAGE_PYM_PATH="${PORTAGE_PYM_PATH:-/usr/lib/portage/pym}"
 SANDBOX_PREDICT="${SANDBOX_PREDICT}:/proc/self/maps:/dev/console:/dev/random"
 export SANDBOX_PREDICT="${SANDBOX_PREDICT}:${PORTAGE_PYM_PATH}:${PORTAGE_DEPCACHEDIR}"
 export SANDBOX_WRITE="${SANDBOX_WRITE}:/dev/shm:/dev/stdout:/dev/stderr:${PORTAGE_TMPDIR}"
-export SANDBOX_READ="${SANDBOX_READ}:/dev/shm:/dev/stdin:${PORTAGE_TMPDIR}"
+export SANDBOX_READ="${SANDBOX_READ}:/:/dev/shm:/dev/stdin:${PORTAGE_TMPDIR}"
 # Don't use sandbox's BASH_ENV for new shells because it does
 # 'source /etc/profile' which can interfere with the build
 # environment by modifying our PATH.
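Review bot: Placing `/` first on the new SANDBOX_READ line whitelists every path for reading, so the `/dev/shm:/dev/stdin:${PORTAGE_TMPDIR}` entries that follow it no longer matter, and a reader who sees those specific paths will reasonably conclude that reads are still restricted when they are not. This deserves a comment above the export, e.g. `# '/' deliberately disables sandbox read checking (bug #202697); the remaining entries are redundant and any path that must stay unreadable now has to be expressed via SANDBOX_DENY`. If the intent is that some files (credentials, other packages' keys) should still be off-limits during src_* phases, that restriction presumably has to come from SANDBOX_DENY rather than from this variable — worth confirming that sandbox honours a deny entry ahead of a read prefix. Note also that a caller-supplied SANDBOX_READ is prepended unchanged, so an environment value cannot narrow what this line opens up.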