From: Fabian Groffen
Date: Fri, 23 Dec 2011 10:24:27 +0000 (+0100)
Subject: sandbox: move away from separate macossandbox
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=df4a18b0e20c2c3eaa24c8b36a19e0c530ed40f1;p=portage.git

sandbox: move away from separate macossandbox

Dropped prefixsandbox feature (protected at path level of $EPREFIX), to align with master branch more. Made macossandbox and macosusersandbox an execution mode of sandbox on OSX platforms. Documented that OS X sandbox is used, but that it is awfully slow (hence sandbox is still not enabled by default for OSX (in Prefix)).
---
diff --git a/man/make.conf.5 b/man/make.conf.5
index c27a69f28..c2351bd18 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -439,6 +439,10 @@ Output a verbose trace of python execution to stderr when a command's
 .TP
 .B sandbox
 Enable sandbox\-ing when running \fBemerge\fR(1) and \fBebuild\fR(1).
+On Mac OS X platforms that have /usr/bin/sandbox-exec available (10.5
+and later), this particular sandbox implementation is used instead of
+sys-apps/sandbox. Note that using Mac OS X sandbox slows down the
+emerge process considerably, in particular for write operations.
 .TP
 .B sesandbox
 Enable SELinux sandbox\-ing. Do not toggle this \fBFEATURE\fR yourself.
diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py
index 656d9ee2d..083e0cefb 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -1212,15 +1212,13 @@ def _spawn_actionmap(settings):
 restrict = settings["PORTAGE_RESTRICT"].split()
 nosandbox = (("userpriv" in features) and \
 ("usersandbox" not in features) and \
- ("macosusersandbox" not in features) and \
 "userpriv" not in restrict and \
 "nouserpriv" not in restrict)
 if nosandbox and ("userpriv" not in features or \
 "userpriv" in restrict or \
 "nouserpriv" in restrict):
 nosandbox = ("sandbox" not in features and \
- "usersandbox" not in features and \
- "macosusersandbox" not in features)
+ "usersandbox" not in features)
 if not portage.process.sandbox_capable:
 nosandbox = True
@@ -1386,26 +1384,13 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
 # fake ownership/permissions will have to be converted to real
 # permissions in the merge phase.
 fakeroot = fakeroot and uid != 0 and portage.process.fakeroot_capable
- macossandbox = ("macossandbox" in features or \
- "macosusersandbox" in features)
 if droppriv and not uid and portage_gid and portage_uid:
 keywords.update({"uid":portage_uid,"gid":portage_gid,
 "groups":userpriv_groups,"umask":0o02})
 if not free:
- free=((droppriv and "usersandbox" not in features and
- "macosusersandbox" not in features) or \
+ free=((droppriv and "usersandbox" not in features) or \
 (not droppriv and "sandbox" not in features and \
- "usersandbox" not in features and not fakeroot and \
- not macossandbox))
-
- # confining the process to a prefix sandbox is disabled by default, if
- # a normal sandbox is requested a this point, it will be used, if no
- # sandbox is requested, a prefix sandbox will be imposed if requested
- # by the appropriate features
- prefixsandbox = False
- if free:
- prefixsandbox = "macosprefixsandbox" in features
- free = not prefixsandbox
+ "usersandbox" not in features and not fakeroot))
 if not free and not (fakeroot or portage.process.sandbox_capable or \
 portage.process.macossandbox_capable):
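Review bot: After this change a FEATURES value that lists only `macossandbox`, `macosusersandbox` or `macosprefixsandbox` no longer influences `nosandbox` in _spawn_actionmap (first hunk) or `free` in spawn() (second hunk), so with neither `sandbox` nor `usersandbox` set (and fakeroot off) `free` evaluates true and the phase runs unconfined without any message. Existing OS X Prefix configurations therefore lose confinement silently on upgrade. A guard such as `if "macossandbox" in features or "macosusersandbox" in features or "macosprefixsandbox" in features:` that prints a warning naming `sandbox`/`usersandbox` as the replacement would make the migration visible. Both function bodies continue outside the hunks, so an existing warning elsewhere cannot be ruled out from here.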
@@ -1424,12 +1409,9 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero
 keywords["opt_name"] += " fakeroot"
 keywords["fakeroot_state"] = os.path.join(mysettings["T"], "fakeroot.state")
 spawn_func = portage.process.spawn_fakeroot
- elif macossandbox:
+ elif sandbox and platform.system() == 'Darwin':
 keywords["opt_name"] += " macossandbox"
- if prefixsandbox:
- sbprefixpath = mysettings["EPREFIX"]
- else:
- sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
+ sbprefixpath = mysettings["PORTAGE_BUILDDIR"]
 # escape some characters with special meaning in re's
 sbprefixre = sbprefixpath.replace("+", "\+")
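Review bot: The added condition `elif sandbox and platform.system() == 'Darwin':` reads a name `sandbox` that no visible line of spawn() binds; the removed code tested a local `macossandbox` computed from `features`. If `sandbox` is not defined in the part of the function outside this hunk, reaching this branch raises NameError, and if it resolves to an always-truthy object the test reduces to the platform check alone. The condition also does not check that /usr/bin/sandbox-exec exists, which the man page text added in this commit gives as the precondition; `elif portage.process.macossandbox_capable:` would reuse the capability flag that the earlier guard in spawn() consults, assuming that flag reflects sandbox-exec availability. `platform` also has to be imported at module level, which this hunk does not show.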