seatbelt: optionally re-enable logging of sandbox violations
authorFabian Groffen <grobian@gentoo.org>
Sun, 30 Sep 2012 11:06:08 +0000 (13:06 +0200)
committerFabian Groffen <grobian@gentoo.org>
Sun, 30 Sep 2012 11:09:35 +0000 (13:09 +0200)
It may be useful to see violations logged by seatbelt, which are too
expensive to be enabled by default.  Allow enabling this using the
sandbox-debug flag.

Patch by Michael Weisner, bug #430640

man/make.conf.5
pym/portage/const.py
pym/portage/package/ebuild/doebuild.py

index 3253de04e68addfe2e423005dd2b02c30a24e7b4..1f3726d5449421ec0e543dae97480ac7c47620ab 100644 (file)
@@ -465,6 +465,12 @@ and later), this particular sandbox implementation is used instead of
 sys-apps/sandbox.  Note that using Mac OS X sandbox slows down the
 emerge process considerably, in particular for write operations.
 .TP
+.B sandbox-debug
+Enable debug messages regarding sandboxing. This currently only has
+an effect on Mac OS X platforms where it enables logging of denied
+access into /var/log/system.log. Note that logging is extremely slow
+and will slow down the emerge process considerably.
+.TP
 .B sesandbox
 Enable SELinux sandbox\-ing.  Do not toggle this \fBFEATURE\fR yourself.
 .TP
index 74cda03e10ba053d8ad9974abeeca4642888c6ec..b6b949309dc7336ac4e270a769739c19309fbbcb 100644 (file)
@@ -79,7 +79,7 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
 
 (allow default)
 
-(deny file-write* (with no-log))
+(deny file-write*@@LOGGING@@)
 
 (allow file-read* file-write*
   (literal
@@ -101,6 +101,7 @@ MACOSSANDBOX_PROFILE     = '''(version 1)
     #"^(/private)?/var/run/syslog$"
   )
 )'''
+MACOSSANDBOX_NOLOG=" (with no-log)"
 
 PORTAGE_GROUPNAME        = portagegroup
 PORTAGE_USERNAME         = portageuser
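Review bot: `MACOSSANDBOX_NOLOG` is added without a comment, and the leading space inside its value is load-bearing: in the profile the placeholder sits directly after `file-write*`, so that space is what separates the operation from the `(with no-log)` modifier. I would say so next to the constant, for example `# Replaces @@LOGGING@@ in MACOSSANDBOX_PROFILE; keep the leading space.`, and write the assignment as `MACOSSANDBOX_NOLOG       = " (with no-log)"` to match the aligned ` = ` of the neighbouring constants. The profile string itself starts above this hunk.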
@@ -137,7 +138,7 @@ SUPPORTED_FEATURES       = frozenset([
                            "noauto", "noclean", "nodoc", "noinfo", "noman",
                            "nostrip", "notitles", "parallel-fetch", "parallel-install",
                            "prelink-checksums", "preserve-libs",
-                           "protect-owned", "python-trace", "sandbox",
+                           "protect-owned", "python-trace", "sandbox", "sandbox-debug", 
                            "selinux", "sesandbox", "sfperms",
                            "sign", "skiprocheck", "split-elog", "split-log", "splitdebug",
                            "strict", "stricter", "suidctl", "test", "test-fail-continue",
index b18e192ce7fda73cd48dc5487bcaf8c3356cf205..84e4494b91b859b701b43f84e358debdfc8ee9a0 100644 (file)
@@ -39,7 +39,7 @@ from portage import auxdbkeys, bsd_chflags, \
        _shell_quote, _unicode_decode, _unicode_encode
 from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \
        EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \
-       EPREFIX, MACOSSANDBOX_PROFILE
+       EPREFIX, MACOSSANDBOX_PROFILE, MACOSSANDBOX_NOLOG
 from portage.data import portage_gid, portage_uid, secpass, \
        uid, userpriv_groups
 from portage.dbapi.porttree import _parse_uri_map
@@ -1457,6 +1457,11 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
                sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath)
                sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre)
 
+               if "sandbox-debug" in features:
+                       sbprofile = sbprofile.replace("@@LOGGING@@", "")
+               else:
+                       sbprofile = sbprofile.replace("@@LOGGING@@", MACOSSANDBOX_NOLOG)
+
                keywords["profile"] = sbprofile
                spawn_func = portage.process.spawn_macossandbox
        else:
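Review bot: The new if/else around `@@LOGGING@@` does not say that both branches keep the `deny file-write*` rule and differ only in whether denials are logged, which is the property a reader checking the sandbox wants confirmed at this spot. A comment such as `# sandbox-debug only removes "(with no-log)"; the deny rule stays in force` would cover it, and the two branches can collapse to `sbprofile = sbprofile.replace("@@LOGGING@@", "" if "sandbox-debug" in features else MACOSSANDBOX_NOLOG)`. `features` is assigned outside the visible lines and spawn() begins and ends outside this hunk, so I am assuming it holds the active FEATURES set.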