Daniel and Alexander,
The pull request to add sandboxing support is now completed on fink
git against master at https://github.com/fink/fink/pull/135/files, but
upstream master seems to have unrelated bootstrap issues. However, the
attached fink_sandboxing.diff applies these same changes onto the current
fink-0.41.0 and bootstraps cleanly.
The current sandbox changes provide configuration of fink.conf to
add the desired state for the new UseSandbox setting in fink.conf. The
changes also provide runtime options of --build-in-sandbox and
--no-build-in-sandbox to override the UseSandbox setting in fink.conf.
The sandboxing of fink can easily be verified with 'ps -le | grep
sandbox-exec' during a fink build, which will show...
0 4232 4084 4106 0 31 0 2455672 3064 - S+
0 ttys027 0:00.01 sudo -u fink-bld sandbox-exec -p (version 1)
^J(allow default) ^J(deny file* ^J^I(subpath "/usr/local")^J^I(subpath
"/opt/local")^J)^J env CCACHE_DIR=/sw/var/ccache
CFLAGS=-D_DARWIN_NO_64_BIT_INODE -O2 -g -Wall CPPFLAGS=-I/sw/include
HOME=/tmp/fink-build-HOME.RCOdx6VWFB
INFOPATH=/sw/share/info:/sw/info:/usr/share/info LDFLAGS=-L/sw/lib
MACOSX_DEPLOYMENT_TARGET=10.11 MAKEFLAGS=-j8
MANPATH=/sw/share/man:/usr/share/man:/Applications/Xcode.app/Contents/Developer/usr/share/man:/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/share/man:/sw/lib/perl5/5.18.2/man
PATH=/sw/var/lib/fink/path-prefix-libcxx:/sw/var/lib/fink/path-prefix-clang:/sw/bin:/sw/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/opt/X11/bin
PERL5LIB=/sw/lib/perl5:/sw/lib/perl5/darwin
PWD=/sw/src/fink.build/cvs-1.12.13-18 SHLVL=2 TERM=xterm-256color
__CFPREFERENCES_AVOID_DAEMON=1 sh -c /tmp/fink.5o7aZ
for 'UseSandbox: true' in fink.conf or --build-in-sandbox on the fink
command line. The usage of sandbox-exec won't be seen for either 'UseSandbox:
false' in fink.conf or --no-build-in-sandbox on the fink command line.
Jack
diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST 2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/MANIFEST 2016-11-05 07:49:06.000000000 -0400
@@ -24,6 +24,7 @@
fink.8.in
fink.conf.5.in
fink.csh
+fink.sb
fink.sh
images/finkDoneFailed.png
images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in 2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.8.in 2016-11-05 07:50:59.000000000 -0400
@@ -103,6 +103,19 @@
.It Cm --no-build-as-nobody
Force the the unpack, patch, compile, and install phases to be
performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+This is the default unless overridden by a setting of
+.Pa UseSandbox`: false
+in
+.Pa fink.conf
+configuration file.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
.It Cm -m, --maintainer
Perform actions useful to package maintainers: run validation on
the .info file before building and on the .deb after building a
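Review bot: The markup in the new --build-in-sandbox entry is broken in two places: ".Pa UseSandbox`: false" carries a stray backtick and uses the path macro for a configuration key (fink.conf.5.in uses ".Cm UseSandbox:"), and ".Pa @PREFIX@/etc/fink.sb." puts the sentence period inside the path argument. The text also says the sandbox "blacklists read access", while the profile built in Services.pm uses "(deny file*", which covers every file operation on those subpaths; the wording should match that.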
diff -uNr fink-0.41.0.orig/fink.conf.5.in fink-0.41.0/fink.conf.5.in
--- fink-0.41.0.orig/fink.conf.5.in 2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.conf.5.in 2016-11-05 07:52:31.000000000 -0400
@@ -204,6 +204,12 @@
uses the value of this option in MAKEFLAGS=-j. Running
.Cm fink configure
will tell you how many active CPUs/cores are available on your system.
+.It Cm UseSandbox: Ar boolean
+Causes
+.Nm fink
+to execute within a sandbox which blacklists file read access to
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb
.It Cm AutoUid: Ar boolean
This option specifies whether fink should dynamically allocate the UID and GID
of its unprivileged fink-bld user if that user is absent.
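Review bot: The UseSandbox entry does not state its default, does not mention that --build-in-sandbox and --no-build-in-sandbox override it, and stops after ".Pa @PREFIX@/etc/fink.sb" with no closing period. It should also describe the fink.sb format (one directory per line, as the loop in Services.pm reads it), and "file read access" should be aligned with the "(deny file*" rule the code generates.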
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb 1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0/fink.sb 2016-11-05 07:52:55.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
diff -uNr fink-0.41.0.orig/install.sh fink-0.41.0/install.sh
--- fink-0.41.0.orig/install.sh 2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/install.sh 2016-11-05 07:53:26.000000000 -0400
@@ -70,6 +70,7 @@
install -c -p -m 755 postinstall.pl "$basepath/lib/fink/"
install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/"
+install -c -p -m 644 fink.sb "$basepath/etc/"
install -c -p -m 644 fink.8 "$basepath/share/man/man8/"
install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/"
install -c -p -m 644 images/*.png "$basepath/share/fink/images/"
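Review bot: The added install line copies fink.sb into "$basepath/etc/" unconditionally, so a reinstall or upgrade replaces any directories an administrator added to the list that both man pages tell users lives there. Consider installing it only when the target does not already exist, or shipping the default under another name and leaving the live file alone.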
diff -uNr fink-0.41.0.orig/perlmod/Fink/Config.pm
fink-0.41.0/perlmod/Fink/Config.pm
--- fink-0.41.0.orig/perlmod/Fink/Config.pm 2016-09-20 14:16:24.000000000
-0400
+++ fink-0.41.0/perlmod/Fink/Config.pm 2016-11-05 07:54:40.000000000 -0400
@@ -219,6 +219,7 @@
map( { $_ => 0 } qw(dontask interactive verbosity keep_build keep_root
maintainermode showversion use_binary) ),
map( { $_ => 1 } qw(build_as_nobody) ),
+ map( { $_ => 1 } qw(build_in_sandbox) ),
map( { $_ => "" } qw(tests validate) ),
map ( { $_ => [] } qw(include_trees exclude_trees) ),
map( { $_ => -1 } qw(use_binary) ),
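Review bot: Defaulting build_in_sandbox to 1 here makes the UseSandbox lookup in the Services.pm hunk unreachable when no flag is given: that code tests "$runtime_request == 0", then "$runtime_request == 1", and only falls through to "param_boolean('UseSandbox')" for any other value. With a default of 1 the second branch always wins, so "UseSandbox: false" in fink.conf would not disable the sandbox as far as these lines show. A third "unset" default (for example -1, as the use_binary line just below does) would let the fink.conf setting apply unless a flag overrides it.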
@@ -272,6 +273,7 @@
'download pre-compiled packages from the binary
distribution '
. 'if available' ],
[ 'build-as-nobody!' => \$opts{build_as_nobody}, 'see
man page' ],
+ [ 'build-in-sandbox!' => \$opts{build_in_sandbox}, 'see man
page' ],
[ 'maintainer|m' => sub {set_checking_opts(\%opts, @_);},
'see man page' ],
[ 'tests:s' => sub {set_checking_opts(\%opts, @_);},
'see man page' ],
[ 'validate:s' => sub {set_checking_opts(\%opts, @_);},
'see man page' ],
diff -uNr fink-0.41.0.orig/perlmod/Fink/Configure.pm
fink-0.41.0/perlmod/Fink/Configure.pm
--- fink-0.41.0.orig/perlmod/Fink/Configure.pm 2016-09-20 14:16:24.000000000
-0400
+++ fink-0.41.0/perlmod/Fink/Configure.pm 2016-11-05 07:58:59.000000000
-0400
@@ -73,8 +73,9 @@
# 1: Added ConfFileCompatVersion, UseBinaryDist, fink 0.24.0
# 2: Added MaxBuildJobs, fink 0.30.1 (belated bump)
# 3: Added AutoUid, AutoUidMin, AutoUidMax, FinkBldUid, fink 0.33.0
+# 4. Added UseSandbox, fink 0.42.0
#
-our $conf_file_compat_version = 3;
+our $conf_file_compat_version = 4;
=head2 Exported Variables
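Review bot: The new history line is written "# 4." while entries 1 to 3 use a colon ("# 3:"); please match the existing style. It also records the change as "fink 0.42.0" although this diff is against fink-0.41.0, so confirm that is the release the compat bump is meant to land in.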
@@ -137,7 +138,7 @@
sub choose_misc {
my $verbose;
- my ($proxy_prompt, $proxy, $passive_ftp, $same_for_ftp, $binary_dist);
+ my ($proxy_prompt, $proxy, $passive_ftp, $same_for_ftp, $binary_dist,
$sandbox_build);
my ($auto_uid, $uid_min, $uid_max, $fink_conf_uid, $real_uid, $real_gid,
$do_uid);
@@ -189,6 +190,25 @@
$config->set_param("UseBinaryDist", $binary_dist ? "true" : "false");
print "\n";
+ $sandbox_build = $config->param_boolean("UseSandbox");
+
+ # New users should use the sandbox build, but an existing user who
+ # is running "fink configure" should see a default answer of "no"
+ # for this question... To tell these two classes of users apart,
+ # we check to see if the "Verbose" parameter has been set yet.
+
+ if (!$config->has_param("UseSandbox")) {
+ if ($config->has_param("Verbose")) {
+ $sandbox_build = 0;
+ } else {
+ $sandbox_build = 1;
+ }
+ }
+ $sandbox_build =
+ &prompt_boolean("Should Fink try to build packages under ".
+ "the Apple sandbox mechanism?",
+ default => $sandbox_build);
+ $config->set_param("UseSandbox", $sandbox_build ? "true" :
"false");
my $v_distribution = version->parse('v'.$config->param("Distribution"));
if ($v_distribution >= version->parse("v10.7")) {
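Review bot: The default answer offered to existing users here is "no" (has_param("Verbose") sets $sandbox_build to 0), which disagrees with the fink.8.in text "This is the default" and with the option default of 1 added in Config.pm; the three places should agree on one behaviour. Two smaller points: the if/else can be reduced to a single assignment based on has_param("Verbose"), and unlike the UseBinaryDist block just above there is no print "\n" after the set_param call, so the next prompt will run straight on.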
diff -uNr fink-0.41.0.orig/perlmod/Fink/Services.pm
fink-0.41.0/perlmod/Fink/Services.pm
--- fink-0.41.0.orig/perlmod/Fink/Services.pm 2016-09-20 14:16:24.000000000
-0400
+++ fink-0.41.0/perlmod/Fink/Services.pm 2016-11-05 08:03:10.000000000
-0400
@@ -594,6 +594,33 @@
@wrap = map "$_=$ENV{$_}", sort keys %ENV;
push @wrap, "__CFPREFERENCES_AVOID_DAEMON=1";
unshift @wrap, 'env' if @wrap;
+ my $runtime_request =
Fink::Config::get_option("build_in_sandbox");
+ my $sandbox_request;
+ if ($runtime_request == 0) { # -no-build-in-sandbox
+ $sandbox_request = 0;
+ } elsif ($runtime_request == 1) {
+ $sandbox_request = 1;
+ } elsif ($Fink::Config::config->param_boolean('UseSandbox')) {
+ $sandbox_request = 1;
+ } else {
+ $sandbox_request = 0;
+ }
+ if ( $sandbox_request ) {
+ my $sandbox = "$Fink::Config::basepath/etc/fink.sb";
+ if (open my $info, $sandbox) {
+ my $sandbox_profile = "(version 1) \n";
+ $sandbox_profile .= "(allow default) \n";
+ $sandbox_profile .= "(deny file* \n";
+ while( my $line = <$info>) {
+ chomp $line;
+ $sandbox_profile .= "\t(subpath
\"".$line."\"\)\n";
+ }
+ $sandbox_profile .= "\)\n";
+ close $info;
+ print STDERR $sandbox_profile, "\n" if
($options{debug});
+ @wrap = (qw| sandbox-exec -p |,
$sandbox_profile, @wrap) if -f $sandbox;
+ }
+ }
my $sudo_cmd = "sudo -u " .
Fink::Config::build_as_user_group()->{'user'};
@wrap = (split(' ', $sudo_cmd), @wrap, qw/ sh -c /);
$wrap_token = "$sudo_cmd [ENV] sh -c ";
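Review bot: When the sandbox is requested but "open my $info, $sandbox" fails, the block is skipped without any message and the build runs unsandboxed, so a missing or unreadable fink.sb turns the feature off silently; this should at least warn, and arguably abort, when $sandbox_request is set. Each $line is also pasted into the profile between quotes with no checking, so a blank line yields (subpath "") and a line containing a double quote or parenthesis changes the profile; skip empty lines and reject or escape anything that is not a plain absolute path. Smaller points: use the three-argument form open(my $info, '<', $sandbox), drop the "if -f $sandbox" test that is redundant after a successful open, correct the comment "-no-build-in-sandbox" to the two-dash spelling, and update $wrap_token so the logged command reflects the sandbox-exec wrapper.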
diff -uNr fink-0.41.0.orig/t/Services/execute_nonroot_okay.t
fink-0.41.0/t/Services/execute_nonroot_okay.t
--- fink-0.41.0.orig/t/Services/execute_nonroot_okay.t 2016-09-20
14:16:24.000000000 -0400
+++ fink-0.41.0/t/Services/execute_nonroot_okay.t 2016-11-05
08:04:11.000000000 -0400
@@ -15,6 +15,8 @@
can_ok('Fink::Config','get_option'); # 4
can_ok('Fink::Config','set_options'); # 5
+my $config_obj = Fink::Config->new_with_path('basepath/etc/fink.conf');
+
# need a a safe place to create files
# OS X 10.2 comes with perl 5.6.0, but File::Temp isn't in core until 5.6.1
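Review bot: The only test change is the creation of $config_obj from the relative path 'basepath/etc/fink.conf'; nothing in this hunk exercises the new behaviour. Please add cases that check the wrapper contains sandbox-exec when build_in_sandbox or UseSandbox is on and omits it when they are off, and one for a missing fink.sb.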
_______________________________________________
Fink-devel mailing list
Fink-devel@lists.sourceforge.net
List archive:
http://news.gmane.org/gmane.os.apple.fink.devel
Subscription management:
https://lists.sourceforge.net/lists/listinfo/fink-devel