Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
W dniu wto, 16.01.2018 o godzinie 23∶32 -0500, użytkownik Mike Gilbert napisał: > On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysingerwrote: > > From: Mike Frysinger > > > > Some ebuilds are a bit hard to fix their use of the network in src > > phases, so allow them to disable things. This allows us to turn off > > access by default and for the vast majority while we work out how to > > fix the few broken packages. > > If we are going to allow network sandboxing to be disabled in > individual ebuilds, we should also allow the other sandboxes to be > disabled for the same reasons. sys-apps/sandbox has been notoriously > buggy, for example. > > Also, valid RESTRICT values are specified in PMS, so this really > belongs in an a new EAPI. As long as this isn't used in ::gentoo, I don't mind. However, for completeness I should point out that: a. you should be addressing the root issue and not bashing with big 'sandbox' hammer whenever something fails -- i.e. if the problem is due to LD_PRELOAD being used (which is frequently the case), then the solution is to wipe LD_PRELOAD, b. you should be addressing it in as narrow scope as possible -- i.e. it is usually enough to disable sandbox for the execution of a single command rather than the whole ebuild. That said, app-portage/unsandbox is much cleaner solution here. -- Best regards, Michał Górny
Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
On Wed, Jan 17, 2018 at 1:33 PM, Mike Frysingerwrote: > On 16 Jan 2018 23:32, Mike Gilbert wrote: > > On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger wrote: > > > Some ebuilds are a bit hard to fix their use of the network in src > > > phases, so allow them to disable things. This allows us to turn off > > > access by default and for the vast majority while we work out how to > > > fix the few broken packages. > > > > If we are going to allow network sandboxing to be disabled in > > individual ebuilds, we should also allow the other sandboxes to be > > disabled for the same reasons. sys-apps/sandbox has been notoriously > > buggy, for example. > > that sandbox can already be disabled dynamically in ebuilds as needed. > i don't really see a reason for it to be a RESTRICT value. > It used to be in RESTRICT even; it was dropped in 2015. https://archives.gentoo.org/gentoo-pms/message/05f8faf4f1477b4406619b92bb7722b7 I don't mind if portage acts on other tokens (allowed in the spec). I do think we should file a patch to PMS. If they accept it, other PMs can implement this feature in a future EAPI (and in portage, it will just work in all EAPIs) But if we never tell them about the tokens, they can never implement them. -A -mike >
Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
On 16 Jan 2018 23:32, Mike Gilbert wrote: > On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger wrote: > > Some ebuilds are a bit hard to fix their use of the network in src > > phases, so allow them to disable things. This allows us to turn off > > access by default and for the vast majority while we work out how to > > fix the few broken packages. > > If we are going to allow network sandboxing to be disabled in > individual ebuilds, we should also allow the other sandboxes to be > disabled for the same reasons. sys-apps/sandbox has been notoriously > buggy, for example. that sandbox can already be disabled dynamically in ebuilds as needed. i don't really see a reason for it to be a RESTRICT value. -mike signature.asc Description: Digital signature
Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
On 01/16/2018 08:32 PM, Mike Gilbert wrote: > On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysingerwrote: >> From: Mike Frysinger >> >> Some ebuilds are a bit hard to fix their use of the network in src >> phases, so allow them to disable things. This allows us to turn off >> access by default and for the vast majority while we work out how to >> fix the few broken packages. > > If we are going to allow network sandboxing to be disabled in > individual ebuilds, we should also allow the other sandboxes to be > disabled for the same reasons. sys-apps/sandbox has been notoriously > buggy, for example. Yeah, that sounds reasonable. We have ACCEPT_RESTRICT and package.accept_restrict in case people want to mask packages with certain restrict values. > Also, valid RESTRICT values are specified in PMS, so this really > belongs in an a new EAPI. PMS says: Package managers may recognise other tokens, but ebuilds may not rely upon them being supported. -- Thanks, Zac signature.asc Description: OpenPGP digital signature
Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysingerwrote: > From: Mike Frysinger > > Some ebuilds are a bit hard to fix their use of the network in src > phases, so allow them to disable things. This allows us to turn off > access by default and for the vast majority while we work out how to > fix the few broken packages. If we are going to allow network sandboxing to be disabled in individual ebuilds, we should also allow the other sandboxes to be disabled for the same reasons. sys-apps/sandbox has been notoriously buggy, for example. Also, valid RESTRICT values are specified in PMS, so this really belongs in an a new EAPI.
Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
On 01/16/2018 01:46 PM, Mike Frysinger wrote: > From: Mike Frysinger> > Some ebuilds are a bit hard to fix their use of the network in src > phases, so allow them to disable things. This allows us to turn off > access by default and for the vast majority while we work out how to > fix the few broken packages. > > URL: https://crbug.com/731905 > --- > man/ebuild.5 | 4 > pym/portage/package/ebuild/doebuild.py | 3 ++- > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/man/ebuild.5 b/man/ebuild.5 > index 42a0599fe3a9..a8fc3f86b68a 100644 > --- a/man/ebuild.5 > +++ b/man/ebuild.5 > @@ -689,6 +689,10 @@ binaries that are not compatible with debugedit. > .I mirror > files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR. > .TP > +.I network-sandbox Please use network\-sandbox so that it renders as a minus glyph as described in the grof_char man page: http://man7.org/linux/man-pages/man7/groff_char.7.html > +Disables the network namespace for specific packages. > +Should not be used in the main Gentoo tree. > +.TP > .I preserve\-libs > Disables preserve\-libs for specific packages. Note than when a package is > merged, RESTRICT=preserve\-libs applies if either the new instance or the > diff --git a/pym/portage/package/ebuild/doebuild.py > b/pym/portage/package/ebuild/doebuild.py > index 0be148fd408e..f75f11a1a424 100644 > --- a/pym/portage/package/ebuild/doebuild.py > +++ b/pym/portage/package/ebuild/doebuild.py > @@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, > **kwargs): > kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \ > phase in _ipc_phases > kwargs['networked'] = 'network-sandbox' not in settings.features or \ > - phase in _networked_phases > + phase in _networked_phases or \ > + 'network-sandbox' in settings['PORTAGE_RESTRICT'].split() > > if phase == 'depend': > kwargs['droppriv'] = 'userpriv' in settings.features > Looks good. -- Thanks, Zac signature.asc Description: OpenPGP digital signature
[gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds
From: Mike FrysingerSome ebuilds are a bit hard to fix their use of the network in src phases, so allow them to disable things. This allows us to turn off access by default and for the vast majority while we work out how to fix the few broken packages. URL: https://crbug.com/731905 --- man/ebuild.5 | 4 pym/portage/package/ebuild/doebuild.py | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/man/ebuild.5 b/man/ebuild.5 index 42a0599fe3a9..a8fc3f86b68a 100644 --- a/man/ebuild.5 +++ b/man/ebuild.5 @@ -689,6 +689,10 @@ binaries that are not compatible with debugedit. .I mirror files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR. .TP +.I network-sandbox +Disables the network namespace for specific packages. +Should not be used in the main Gentoo tree. +.TP .I preserve\-libs Disables preserve\-libs for specific packages. Note than when a package is merged, RESTRICT=preserve\-libs applies if either the new instance or the diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py index 0be148fd408e..f75f11a1a424 100644 --- a/pym/portage/package/ebuild/doebuild.py +++ b/pym/portage/package/ebuild/doebuild.py @@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, **kwargs): kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \ phase in _ipc_phases kwargs['networked'] = 'network-sandbox' not in settings.features or \ - phase in _networked_phases + phase in _networked_phases or \ + 'network-sandbox' in settings['PORTAGE_RESTRICT'].split() if phase == 'depend': kwargs['droppriv'] = 'userpriv' in settings.features -- 2.15.1