Re: [Fink-devel] reworked sandboxing support

2016-11-08 Thread Jack Howarth
In case anyone is interested in testing bootstraps of the revised
sandboxing patches applied to the current fink 0.41.0 sources, the
attached fink_sandboxing_v4.diff is identical to
fink_sandboxing_v3.diff with the following fink.sb.5.in manpage
corrections...

--- fink_sandboxing_v3.diff 2016-11-06 19:55:56.0 -0500
+++ fink_sandboxing_v4.diff 2016-11-07 11:01:56.0 -0500
@@ -36,7 +36,7 @@
 +/opt/local
 diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
 --- fink-0.41.0.orig/fink.sb.5.in 1969-12-31 19:00:00.0 -0500
-+++ fink-0.41.0/fink.sb.5.in 2016-11-06 18:40:34.0 -0500
 fink-0.41.0/fink.sb.5.in 2016-11-07 11:00:48.0 -0500
 @@ -0,0 +1,56 @@
 +.\" -*- nroff -*-
 +.Dd November 2011
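Review bot: the context line `.Dd November 2011` dates a man page that is being written in November 2016; the document date should be `.Dd November 2016` so man and mandoc show the right revision date in the footer.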
@@ -53,17 +53,17 @@
 +.\"
 +.\"
 +.Sh DESCRIPTION
-+When
++The
 +.Xr fink 8
-+is initially installed it prompts you for whether you wish to enable the
-+building of packages within a protected sandbox which blacklists access to
-+those directories listed in
++packaging system defaults to compiling packages within a protected
sandbox that blacklists
++access to directories listed in
 +.Nm
-+by hand. In general, these options are meant for advanced users only.
++In general, modifying the list of blacklisted directories meant for
advanced users only.
 +.Pp
-+Your
++The default
 +.Nm
-+defaults to blacklisting the following directories
++blacklists the following directories
++
 +.Bl -tag -width flag -offset indent -compact
 +.It /usr/local
 +.It /opt/local
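Review bot: the new sentence `modifying the list of blacklisted directories meant for advanced users only` is missing its verb (`is meant`), and the `.Nm` that ends the sentence before it carries no trailing punctuation, so the rendered text runs `listed in fink.sb In general`; mdoc wants the period as a separate argument, `.Nm .`. The added empty line before `.Bl` is a blank input line, which mandoc warns about; use `.Pp` if a paragraph break is wanted there.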

I would be curious to hear about success or failure reports. I have no
issues bootstrapping and using the sandboxing.
Just make sure to grab the sandbox-friendly updates for gcc5/gcc6 and
llvm-gcc42 from

https://sourceforge.net/p/fink/package-submissions/4835/
https://sourceforge.net/p/fink/package-submissions/4834/


On Sun, Nov 6, 2016 at 10:34 PM, Jack Howarth  wrote:
> Daniel and Alexander,
> The attached patch reworks the previously proposed sandboxing
> support by...
>
> 1) Enabling the sandbox usage by default (except during fink bootstraps)
> 2) Adding a 'NoSandbox' field for the Info files which can be used to
> disable the sandbox on a per package basis.
> 3) Retaining the --build-in-sandbox/--no-build-in-sandbox fink flags
> which override the other settings.
>
> The --no-build-in-sandbox fink flag can be used to disable the sandbox
> in any fink build while the --build-in-sandbox fink flag can be used
> to override 'NoSandbox: true' in a particular info file.
>
> The attached fink_sandboxing_v3.diff, applied to stock fink-0.41.0,
> has been verified to bootstrap on 10.11 and exhibit the behaviors
> described above.
> Jack
diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST   2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/MANIFEST2016-11-06 18:40:34.0 -0500
@@ -24,6 +24,8 @@
 fink.8.in
 fink.conf.5.in
 fink.csh
+fink.sb
+fink.sb.5.in
 fink.sh
 images/finkDoneFailed.png
 images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in  2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/fink.8.in   2016-11-06 18:40:34.0 -0500
@@ -103,6 +103,14 @@
 .It Cm --no-build-as-nobody
 Force the the unpack, patch, compile, and install phases to be 
 performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to 
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
 .It Cm -m, --maintainer
 Perform actions useful to package maintainers: run validation on
 the .info file before building and on the .deb after building a
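Review bot: in `.Pa @PREFIX@/etc/fink.sb.` the final period is part of the macro argument and renders as though the file were named `fink.sb.`; write the punctuation as its own argument, `.Pa @PREFIX@/etc/fink.sb .`. The flag text also says the sandbox blacklists `read access`, while the new fink.sb.5 in the same patch says only `access`; both pages should state the same restriction so a user knows whether writes into those directories are blocked as well.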
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb 2016-11-06 18:40:34.0 -0500
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
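Review bot: the shipped list is a deny-list of exactly two prefixes, so it is fail-open: any third-party install location other than /usr/local or /opt/local stays fully visible to a sandboxed build, and the file format has no comment syntax in which to say so. fink.sb.5 should tell users with software under another prefix that they need to add it here, since nothing in the file itself can carry that guidance.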
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in   1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb.5.in2016-11-07 11:00:48.0 -0500
@@ -0,0 +1,56 @@
+.\" -*- nroff -*-
+.Dd November 2011
+.Dt FINK.SB 5
+.Sh NAME
+.Nm fink.sb
+.Nd sandboxing configuration file for
+.Xr fink 8
+.Sh SYNOPSIS
+@PREFIX@/etc/fink.sb
+.\"
+.\"
+.\" DESCRIPTION
+.\"
+.\"
+.Sh DESCRIPTION
+The
+.Xr fink 8
+packaging system defaults to compiling packages within a protected sandbox 
that blacklists 
+access to directories listed in
+.Nm
+In general, modifying the list of blacklisted directories meant for advanced 
users only.
+.Pp
+The default
+.Nm
+blacklists the following directories
+
+.Bl -tag -width flag -offset indent -compact
+.It /usr/local
+.It /opt/local
+.El
+.Pp
+The blacklisted directories appear one per line in the file.
+.El
+.\"
+.\"
+.\" AUTHOR
+.\"
+.\"
+.Sh AUTHOR
+This manpage is maintained by the 
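Review bot: the `.El` after `The blacklisted directories appear one per line in the file.` closes nothing: the only `.Bl` in the section was already closed by the `.El` two lines above it, and mandoc will flag the unmatched macro. Drop the second `.El`.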

[Fink-devel] reworked sandboxing support

2016-11-06 Thread Jack Howarth
Daniel and Alexander,
The attached patch reworks the previously proposed sandboxing
support by...

1) Enabling the sandbox usage by default (except during fink bootstraps)
2) Adding a 'NoSandbox' field for the Info files which can be used to
disable the sandbox on a per package basis.
3) Retaining the --build-in-sandbox/--no-build-in-sandbox fink flags
which override the other settings.

The --no-build-in-sandbox fink flag can be used to disable the sandbox
in any fink build while the --build-in-sandbox fink flag can be used
to override 'NoSandbox: true' in a particular info file.

The attached fink_sandboxing_v3.diff, applied to stock fink-0.41.0,
has been verified to bootstrap on 10.11 and exhibit the behaviors
described above.
Jack
diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST   2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/MANIFEST2016-11-06 18:40:34.0 -0500
@@ -24,6 +24,8 @@
 fink.8.in
 fink.conf.5.in
 fink.csh
+fink.sb
+fink.sb.5.in
 fink.sh
 images/finkDoneFailed.png
 images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in  2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/fink.8.in   2016-11-06 18:40:34.0 -0500
@@ -103,6 +103,14 @@
 .It Cm --no-build-as-nobody
 Force the the unpack, patch, compile, and install phases to be 
 performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to 
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
 .It Cm -m, --maintainer
 Perform actions useful to package maintainers: run validation on
 the .info file before building and on the .deb after building a
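Review bot: the two new flag entries document neither the default (the sandbox is on unless the build is a bootstrap) nor the per-package `NoSandbox` field in the .info file that `--build-in-sandbox` is meant to override; a sentence on each under `--build-in-sandbox` would let a reader of `fink(8)` learn the precedence without the cover message. In the hunks shown, the `NoSandbox` field itself is not documented anywhere.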
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb 2016-11-06 18:40:34.0 -0500
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
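Review bot: the file is installed verbatim as the live deny-list, so a stray trailing space or a relative entry would silently produce a rule that matches nothing; whichever code reads this file should normalise each line and reject entries that are not absolute paths rather than pass them through.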
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in   1969-12-31 19:00:00.0 -0500
+++ fink-0.41.0/fink.sb.5.in2016-11-06 18:40:34.0 -0500
@@ -0,0 +1,56 @@
+.\" -*- nroff -*-
+.Dd November 2011
+.Dt FINK.SB 5
+.Sh NAME
+.Nm fink.sb
+.Nd sandboxing configuration file for
+.Xr fink 8
+.Sh SYNOPSIS
+@PREFIX@/etc/fink.sb
+.\"
+.\"
+.\" DESCRIPTION
+.\"
+.\"
+.Sh DESCRIPTION
+When
+.Xr fink 8
+is initially installed it prompts you for whether you wish to enable the
+building of packages within a protected sandbox which blacklists access to
+those directories listed in
+.Nm
+by hand. In general, these options are meant for advanced users only.
+.Pp
+Your
+.Nm
+defaults to blacklisting the following directories
+.Bl -tag -width flag -offset indent -compact
+.It /usr/local
+.It /opt/local
+.El
+.Pp
+The blacklisted directories appear one per line in the file.
+.El
+.\"
+.\"
+.\" AUTHOR
+.\"
+.\"
+.Sh AUTHOR
+This manpage is maintained by the Fink Core Group 
.
+.\"
+.\"
+.\" ACKNOWLEDGEMENTS
+.\"
+.\"
+.Sh ACKNOWLEDGEMENTS
+.Nm fink
+is developed and maintained by The Fink Project (http://www.finkproject.org).
+.\"
+.\"
+.\" SEE ALSO
+.\"
+.\"
+.Sh "SEE ALSO"
+.Xr apt-get 8 ,
+.Xr fink 8
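Review bot: the DESCRIPTION says `fink` prompts at install time for whether to enable the sandbox and that the list is maintained `by hand`, which contradicts point 1 of the cover message (sandbox on by default, no prompt); the text here has to describe the behaviour this patch implements. Also the `.El` following `The blacklisted directories appear one per line in the file.` has no open `.Bl` (the list was closed two lines earlier) and should be removed, and `.Dd November 2011` is five years stale for a page written in 2016.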
diff -uNr fink-0.41.0.orig/install.sh fink-0.41.0/install.sh
--- fink-0.41.0.orig/install.sh 2016-09-20 14:16:24.0 -0400
+++ fink-0.41.0/install.sh  2016-11-06 18:40:34.0 -0500
@@ -70,8 +70,10 @@
 
 install -c -p -m 755 postinstall.pl "$basepath/lib/fink/"
 install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/"
+install -c -p -m 644 fink.sb "$basepath/etc/"
 install -c -p -m 644 fink.8 "$basepath/share/man/man8/"
 install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/"
+install -c -p -m 644 fink.sb.5 "$basepath/share/man/man5/"
 install -c -p -m 644 images/*.png "$basepath/share/fink/images/"
 
 # copy executables
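Review bot: `install -c -p -m 644 fink.sb "$basepath/etc/"` overwrites the target unconditionally, so a deny-list the user extended (which the new fink.sb.5 invites) is silently reset to the two defaults the next time install.sh runs, and a build that was blocked from a locally added prefix can read it again without anyone noticing. Either install only when the target is absent, or ship it as a `.default` the way `shlibs.default` is handled one line above. Mode 644 under a root-owned `$basepath/etc` is the right choice: the build user must not be able to edit the list that constrains its own build.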
diff -uNr fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm 
fink-0.41.0/perlmod/Fink/Bootstrap.pm
--- fink-0.41.0.orig/perlmod/Fink/Bootstrap.pm  2016-09-20 14:16:24.0 
-0400
+++ fink-0.41.0/perlmod/Fink/Bootstrap.pm   2016-11-06 18:58:41.0 
-0500
@@ -500,6 +500,8 @@
Fink::Config::set_options( { 'use_binary' => -1 });
# bootstrap as root
Fink::Config::set_options( { 'build_as_nobody' => 0 });
+   # don't use sandbox during bootstrap
+   Fink::Config::set_options( { 'build_in_sandbox' => 0 });
 
# make sure we have the package descriptions
Fink::Package->require_packages();
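Review bot: the comment says the sandbox is skipped during bootstrap but not why. The sandbox exists to keep /usr/local and /opt/local out of builds, so the bootstrap becomes the one set of builds still exposed to them, and because this `set_options` call runs unconditionally it also cancels an explicit `--build-in-sandbox` on the command line, although the cover message says the flags override the other settings. State the reason in the comment and, if the override is intended, say so; the identical two lines are added again in the `@@ -581,6 +583,8 @@` hunk below and could be a single call in a shared bootstrap setup path.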
@@ -581,6 +583,8 @@
 
# bootstrap as root
Fink::Config::set_options( { 'build_as_nobody' => 0 });
+   # don't use sandbox during bootstrap
+   Fink::Config::set_options( { 'build_in_sandbox' => 0 });
# use normal install routines, but do not use buildlocks
Fink::Config::set_options( {
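The precedence the cover message describes (default on, `NoSandbox` in the .info file, the two command-line flags, bootstrap) together with the one-directory-per-line fink.sb format, as an added Python example that is not part of the patch or of Fink's code base; the function names, the sample fink.sb content and the sandbox-exec profile shape are assumptions, and the bootstrap-wins ordering follows what the Bootstrap.pm hunk does.

```python
import posixpath
from typing import List, Optional

# Constructed sample of @PREFIX@/etc/fink.sb: one blacklisted directory per line.
FINK_SB_SAMPLE = "/usr/local\n/opt/local\n\n"

def parse_fink_sb(text: str) -> List[str]:
    """Return the listed directories, one per line, normalised; blank lines skipped."""
    dirs = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if not entry.startswith("/"):
            raise ValueError(f"fink.sb entries must be absolute paths: {entry!r}")
        dirs.append(posixpath.normpath(entry))
    return dirs

def is_blacklisted(path: str, blacklist: List[str]) -> bool:
    """True if path is a listed directory or lies beneath one.
    Matching is per path component: /usr/local covers /usr/local/lib but not
    /usr/localfoo, which a bare str.startswith check would wrongly block.
    On a live system resolve symlinks (os.path.realpath) before calling this."""
    p = posixpath.normpath(path)
    return any(p == d or p.startswith(d.rstrip("/") + "/") for d in blacklist)

def build_in_sandbox(bootstrap: bool, cli_flag: Optional[bool],
                     nosandbox_field: bool) -> bool:
    """Resolve whether a build runs sandboxed, in the precedence the message gives:
    a bootstrap forces it off (the Bootstrap.pm hunk sets the option unconditionally),
    then --build-in-sandbox/--no-build-in-sandbox (True/False, None if absent),
    then 'NoSandbox: true' from the .info file, then the default of on."""
    if bootstrap:
        return False
    if cli_flag is not None:
        return cli_flag
    if nosandbox_field:
        return False
    return True

def to_sbpl(blacklist: List[str]) -> str:
    """Render the deny-list as a Seatbelt (sandbox-exec) profile. The profile
    shape is an assumption for illustration; the patch's own is not on the page."""
    rules = [f'(deny file-read* (subpath "{d}"))' for d in blacklist]
    return "\n".join(["(version 1)", "(allow default)"] + rules) + "\n"
```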