Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-17 Thread Michał Górny
On Tue, 16.01.2018 at 23:32 -0500, Mike Gilbert wrote:
> On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger  wrote:
> > From: Mike Frysinger 
> > 
> > Some ebuilds are a bit hard to fix their use of the network in src
> > phases, so allow them to disable things.  This allows us to turn off
> > access by default and for the vast majority while we work out how to
> > fix the few broken packages.
> 
> If we are going to allow network sandboxing to be disabled in
> individual ebuilds, we should also allow the other sandboxes to be
> disabled for the same reasons. sys-apps/sandbox has been notoriously
> buggy, for example.
> 
> Also, valid RESTRICT values are specified in PMS, so this really
> belongs in a new EAPI.

As long as this isn't used in ::gentoo, I don't mind. However, for
completeness I should point out that:

a. you should be addressing the root issue and not bashing with a big
'sandbox' hammer whenever something fails -- i.e. if the problem is due
to LD_PRELOAD being used (which is frequently the case), then
the solution is to wipe LD_PRELOAD,

b. you should be addressing it in as narrow a scope as possible -- i.e. it
is usually enough to disable sandbox for the execution of a single
command rather than the whole ebuild.

That said, app-portage/unsandbox is a much cleaner solution here.

-- 
Best regards,
Michał Górny




Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-17 Thread Alec Warner
On Wed, Jan 17, 2018 at 1:33 PM, Mike Frysinger  wrote:

> On 16 Jan 2018 23:32, Mike Gilbert wrote:
> > On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger wrote:
> > > Some ebuilds are a bit hard to fix their use of the network in src
> > > phases, so allow them to disable things.  This allows us to turn off
> > > access by default and for the vast majority while we work out how to
> > > fix the few broken packages.
> >
> > If we are going to allow network sandboxing to be disabled in
> > individual ebuilds, we should also allow the other sandboxes to be
> > disabled for the same reasons. sys-apps/sandbox has been notoriously
> > buggy, for example.
>
> that sandbox can already be disabled dynamically in ebuilds as needed.
> i don't really see a reason for it to be a RESTRICT value.
>

It used to be in RESTRICT even; it was dropped in 2015.

https://archives.gentoo.org/gentoo-pms/message/05f8faf4f1477b4406619b92bb7722b7

I don't mind if portage acts on other tokens (allowed in the spec). I do
think we should file a patch to PMS.
If they accept it, other PMs can implement this feature in a future EAPI
(and in portage, it will just work in all EAPIs).

But if we never tell them about the tokens, they can never implement them.

-A



Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-17 Thread Mike Frysinger
On 16 Jan 2018 23:32, Mike Gilbert wrote:
> On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger wrote:
> > Some ebuilds are a bit hard to fix their use of the network in src
> > phases, so allow them to disable things.  This allows us to turn off
> > access by default and for the vast majority while we work out how to
> > fix the few broken packages.
> 
> If we are going to allow network sandboxing to be disabled in
> individual ebuilds, we should also allow the other sandboxes to be
> disabled for the same reasons. sys-apps/sandbox has been notoriously
> buggy, for example.

that sandbox can already be disabled dynamically in ebuilds as needed.
i don't really see a reason for it to be a RESTRICT value.
-mike




Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Zac Medico
On 01/16/2018 08:32 PM, Mike Gilbert wrote:
> On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger  wrote:
>> From: Mike Frysinger 
>>
>> Some ebuilds are a bit hard to fix their use of the network in src
>> phases, so allow them to disable things.  This allows us to turn off
>> access by default and for the vast majority while we work out how to
>> fix the few broken packages.
> 
> If we are going to allow network sandboxing to be disabled in
> individual ebuilds, we should also allow the other sandboxes to be
> disabled for the same reasons. sys-apps/sandbox has been notoriously
> buggy, for example.

Yeah, that sounds reasonable. We have ACCEPT_RESTRICT and
package.accept_restrict in case people want to mask packages with
certain restrict values.

> Also, valid RESTRICT values are specified in PMS, so this really
> belongs in a new EAPI.

PMS says: Package managers may recognise other tokens, but ebuilds may
not rely upon them being supported.
-- 
Thanks,
Zac





Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Mike Gilbert
On Tue, Jan 16, 2018 at 4:46 PM, Mike Frysinger  wrote:
> From: Mike Frysinger 
>
> Some ebuilds are a bit hard to fix their use of the network in src
> phases, so allow them to disable things.  This allows us to turn off
> access by default and for the vast majority while we work out how to
> fix the few broken packages.

If we are going to allow network sandboxing to be disabled in
individual ebuilds, we should also allow the other sandboxes to be
disabled for the same reasons. sys-apps/sandbox has been notoriously
buggy, for example.

Also, valid RESTRICT values are specified in PMS, so this really
belongs in a new EAPI.



Re: [gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Zac Medico
On 01/16/2018 01:46 PM, Mike Frysinger wrote:
> From: Mike Frysinger 
> 
> Some ebuilds are a bit hard to fix their use of the network in src
> phases, so allow them to disable things.  This allows us to turn off
> access by default and for the vast majority while we work out how to
> fix the few broken packages.
> 
> URL: https://crbug.com/731905
> ---
>  man/ebuild.5   | 4 
>  pym/portage/package/ebuild/doebuild.py | 3 ++-
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/man/ebuild.5 b/man/ebuild.5
> index 42a0599fe3a9..a8fc3f86b68a 100644
> --- a/man/ebuild.5
> +++ b/man/ebuild.5
> @@ -689,6 +689,10 @@ binaries that are not compatible with debugedit.
>  .I mirror
>  files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR.
>  .TP
> +.I network-sandbox

Please use network\-sandbox so that it renders as a minus glyph as
described in the groff_char man page:

http://man7.org/linux/man-pages/man7/groff_char.7.html

> +Disables the network namespace for specific packages.
> +Should not be used in the main Gentoo tree.
> +.TP
>  .I preserve\-libs
>  Disables preserve\-libs for specific packages. Note than when a package is
>  merged, RESTRICT=preserve\-libs applies if either the new instance or the
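
Review bot: The added description under ".I network-sandbox" does not say when the token has any effect or how far it reaches. Going by the doebuild.py change in this same patch, it only matters when FEATURES contains network-sandbox, and it then lifts network isolation for every phase of the ebuild, not only the ones that needed it. Suggest adding one sentence to the man page entry stating both, so that a reader of "Disables the network namespace for specific packages." knows the package's build steps run with full network access.
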
> diff --git a/pym/portage/package/ebuild/doebuild.py 
> b/pym/portage/package/ebuild/doebuild.py
> index 0be148fd408e..f75f11a1a424 100644
> --- a/pym/portage/package/ebuild/doebuild.py
> +++ b/pym/portage/package/ebuild/doebuild.py
> @@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
> **kwargs):
>   kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \
>   phase in _ipc_phases
>   kwargs['networked'] = 'network-sandbox' not in settings.features or \
> - phase in _networked_phases
> + phase in _networked_phases or \
> + 'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
>  
>   if phase == 'depend':
>   kwargs['droppriv'] = 'userpriv' in settings.features
> 
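
Review bot: The new "'network-sandbox' in settings['PORTAGE_RESTRICT'].split()" term is or'ed into kwargs['networked'] with no phase condition and no message, so a single token set by the ebuild itself silently turns the network back on for all of its phases. Since the opt-out is controlled by the content being sandboxed, suggest logging a warning whenever this term is the reason networked becomes true, so the relaxation shows up in the build log and can be audited.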

Looks good.
-- 
Thanks,
Zac





[gentoo-portage-dev] [PATCH] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Mike Frysinger
From: Mike Frysinger 

Some ebuilds are a bit hard to fix their use of the network in src
phases, so allow them to disable things.  This allows us to turn off
access by default and for the vast majority while we work out how to
fix the few broken packages.

URL: https://crbug.com/731905
---
 man/ebuild.5   | 4 
 pym/portage/package/ebuild/doebuild.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/man/ebuild.5 b/man/ebuild.5
index 42a0599fe3a9..a8fc3f86b68a 100644
--- a/man/ebuild.5
+++ b/man/ebuild.5
@@ -689,6 +689,10 @@ binaries that are not compatible with debugedit.
 .I mirror
 files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR.
 .TP
+.I network-sandbox
+Disables the network namespace for specific packages.
+Should not be used in the main Gentoo tree.
+.TP
 .I preserve\-libs
 Disables preserve\-libs for specific packages. Note than when a package is
 merged, RESTRICT=preserve\-libs applies if either the new instance or the
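
Review bot: The added ".I network-sandbox" line uses a bare hyphen, while the neighbouring entry in this hunk escapes it as "preserve\-libs". Write it as "network\-sandbox" so the token renders the same way as the other RESTRICT values and can be copied from the rendered page as typed.
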
diff --git a/pym/portage/package/ebuild/doebuild.py 
b/pym/portage/package/ebuild/doebuild.py
index 0be148fd408e..f75f11a1a424 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
**kwargs):
kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \
phase in _ipc_phases
kwargs['networked'] = 'network-sandbox' not in settings.features or \
-   phase in _networked_phases
+   phase in _networked_phases or \
+   'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
 
if phase == 'depend':
kwargs['droppriv'] = 'userpriv' in settings.features
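
Review bot: The last added line reads settings['PORTAGE_RESTRICT'] with a plain subscript, and this assignment runs for every phase that reaches _doebuild_spawn, including 'depend', which is handled just below. If PORTAGE_RESTRICT can be absent from settings at that point, the lookup fails instead of falling back to the sandboxed default. Suggest settings.get('PORTAGE_RESTRICT', '').split(), or a short comment stating where the key is guaranteed to be set.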
-- 
2.15.1