From: Fabian Groffen Date: Sun, 30 Sep 2012 11:06:08 +0000 (+0200) Subject: seatbelt: optionally re-enable logging of sandbox violations X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=fda43d31a566e72c03d264461e9ae07ed35077e5;p=portage.git seatbelt: optionally re-enable logging of sandbox violations It may be useful to see violations logged by seatbelt, which are too expensive to be enabled by default. Allow enabling this using sandbox-debug flag. Patch by Michael Weisner, bug #430640 --- diff --git a/man/make.conf.5 b/man/make.conf.5 index 3253de04e..1f3726d54 100644 --- a/man/make.conf.5 +++ b/man/make.conf.5 @@ -465,6 +465,12 @@ and later), this particular sandbox implementation is used instead of sys-apps/sandbox. Note that using Mac OS X sandbox slows down the emerge process considerably, in particular for write operations. .TP +.B sandbox-debug +Enable debug messages regarding sandboxing. This currently only has +an effect on Mac OS X platforms where it enables logging of denied +access into /var/log/system.log. Note that logging is extremely slow +and will slow down the emerge process considerably. +.TP .B sesandbox Enable SELinux sandbox\-ing. Do not toggle this \fBFEATURE\fR yourself. .TP diff --git a/pym/portage/const.py b/pym/portage/const.py index 74cda03e1..b6b949309 100644 --- a/pym/portage/const.py +++ b/pym/portage/const.py @@ -79,7 +79,7 @@ MACOSSANDBOX_PROFILE = '''(version 1) (allow default) -(deny file-write* (with no-log)) +(deny file-write*@@LOGGING@@) (allow file-read* file-write* (literal @@ -101,6 +101,7 @@ MACOSSANDBOX_PROFILE = '''(version 1) #"^(/private)?/var/run/syslog$" ) )''' +MACOSSANDBOX_NOLOG=" (with no-log)" PORTAGE_GROUPNAME = portagegroup PORTAGE_USERNAME = portageuser @@ -137,7 +138,7 @@ SUPPORTED_FEATURES = frozenset([ "noauto", "noclean", "nodoc", "noinfo", "noman", "nostrip", "notitles", "parallel-fetch", "parallel-install", "prelink-checksums", "preserve-libs", - "protect-owned", "python-trace", "sandbox", + "protect-owned", "python-trace", "sandbox", "sandbox-debug", "selinux", "sesandbox", "sfperms", "sign", "skiprocheck", "split-elog", "split-log", "splitdebug", "strict", "stricter", "suidctl", "test", "test-fail-continue", diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py index b18e192ce..84e4494b9 100644 --- a/pym/portage/package/ebuild/doebuild.py +++ b/pym/portage/package/ebuild/doebuild.py @@ -39,7 +39,7 @@ from portage import auxdbkeys, bsd_chflags, \ _shell_quote, _unicode_decode, _unicode_encode from portage.const import EBUILD_SH_ENV_FILE, EBUILD_SH_ENV_DIR, \ EBUILD_SH_BINARY, INVALID_ENV_FILE, MISC_SH_BINARY, \ - EPREFIX, MACOSSANDBOX_PROFILE + EPREFIX, MACOSSANDBOX_PROFILE, MACOSSANDBOX_NOLOG from portage.data import portage_gid, portage_uid, secpass, \ uid, userpriv_groups from portage.dbapi.porttree import _parse_uri_map @@ -1457,6 +1457,11 @@ def spawn(mystring, mysettings, debug=0, free=0, droppriv=0, sesandbox=0, fakero sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX@@", sbprefixpath) sbprofile = sbprofile.replace("@@WRITEABLE_PREFIX_RE@@", sbprefixre) + if "sandbox-debug" in features: + sbprofile = sbprofile.replace("@@LOGGING@@", "") + else: + sbprofile = sbprofile.replace("@@LOGGING@@", MACOSSANDBOX_NOLOG) + keywords["profile"] = sbprofile spawn_func = portage.process.spawn_macossandbox else: