On Sun, Oct 2, 2016 at 1:00 PM, Michael Orlitzky <m...@gentoo.org> wrote:
> On 10/02/2016 10:38 AM, Rich Freeman wrote:
>> That said, some distros have better
>> tools for finding missing dependencies, like blocking access to files
>> that aren't part of a declared dependency during the build process.
>> I've looked at the portage jail and that actually wouldn't be hard to
>> add to Gentoo. Right now portage configures the jail to give read
>> access to everything by default. If you disabled that you could
>> instead pass a configuration that explicitly gives read access to
>> every single file in the build dependencies (and @system I suppose),
>> and denied everything else. Implementation is left as an exercise to
>> the reader.
>>
>
> This has to be harder than it looks. The benefit would be huge, so if it
> was easy, someone would have done it already, right?
>
I did some of the research but didn't get beyond that.

Basically you need to use the portage API to walk the full dependency tree (unless we require deps of deps to be explicitly defined, then you just need to walk one level), and use the portage API to obtain a list of installed files for each. That just all goes into a list which is passed to the sandbox when it is set up (it just takes a list of paths, I believe, with an R/W access setting). You need to pass it the full contents of @system as well.

If it is slow you could probably make it a FEATURE that ordinary users can choose to use or not, but which of course would be recommended for devs.

Right now /etc/sandbox.d/00default contains SANDBOX_READ="/". That would need to be removed, and set explicitly in portage.

What I haven't done is traced all the portage sources to best figure where to do it. I imagine portage will already have the dependency list cached somewhere. I'm not sure if it already walks their list of files, but if so then this is an obvious optimization. I suspect it wouldn't perform all that badly actually, as this stuff is all easy to resolve, unless the sandbox binary itself struggles with a long ACL.

-- 
Rich
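The scheme sketched above (walk the build dependency tree, collect each package's installed files plus @system, hand that list to the sandbox as the read allow-list, and treat any other file the build touches as an undeclared dependency), as an added Python example that is not from the thread or from portage. It stands in for the portage API with a constructed toy dependency graph and file lists, and assumes SANDBOX_READ takes colon-separated paths.

```python
from collections import deque

# Constructed toy data standing in for the portage API: DEPEND edges between
# installed packages (with a cycle, which the walk must tolerate) and the
# files each package owns (what its CONTENTS would list).
DEPS = {
    "dev-libs/foo": ["dev-libs/bar"],
    "dev-libs/bar": ["sys-libs/zlib", "dev-libs/foo"],
    "sys-libs/zlib": [],
    "dev-libs/unrelated": [],
}
FILES = {
    "dev-libs/foo": ["/usr/include/foo.h", "/usr/lib64/libfoo.so"],
    "dev-libs/bar": ["/usr/include/bar.h", "/usr/lib64/libbar.so"],
    "sys-libs/zlib": ["/usr/include/zlib.h", "/usr/lib64/libz.so"],
    "dev-libs/unrelated": ["/usr/include/unrelated.h"],
}
SYSTEM_SET = ["sys-libs/zlib"]  # constructed stand-in for @system


def closure(roots, deps=DEPS):
    """Breadth-first walk of the dependency graph; the seen-set stops cycles."""
    seen, queue = set(), deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, []))
    return seen


def readable_paths(build_deps, system=SYSTEM_SET, files=FILES):
    """Every file owned by a (transitive) build dep or by the @system set."""
    pkgs = closure(list(build_deps) + list(system))
    return sorted({f for p in pkgs for f in files.get(p, [])})


def sandbox_read_line(paths):
    """Render the allow-list as a sandbox.d style assignment (assumed format)."""
    return 'SANDBOX_READ="%s"' % ":".join(paths)


def access_allowed(path, paths):
    """Exact match, or a path under an allowed directory entry."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in paths)


def undeclared_reads(accessed, paths):
    """Reads the sandbox would deny: candidates for missing DEPEND entries."""
    return [p for p in accessed if not access_allowed(p, paths)]
```

Run against a build's recorded file accesses, the last function gives the list of reads that a declared-deps-only sandbox would have rejected, which is exactly the "missing dependency" signal the thread is after.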