Re: [gentoo-portage-dev] [PATCH v2] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Zac Medico
On 01/16/2018 02:19 PM, Mike Frysinger wrote:
> From: Mike Frysinger 
> 
> Some ebuilds are a bit hard to fix their use of the network in src
> phases, so allow them to disable things.  This allows us to turn off
> access by default and for the vast majority while we work out how to
> fix the few broken packages.
> 
> URL: https://crbug.com/731905
> ---
>  man/ebuild.5   | 4 
>  pym/portage/package/ebuild/doebuild.py | 3 ++-
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/man/ebuild.5 b/man/ebuild.5
> index 42a0599fe3a9..1f2d4219e93e 100644
> --- a/man/ebuild.5
> +++ b/man/ebuild.5
> @@ -689,6 +689,10 @@ binaries that are not compatible with debugedit.
>  .I mirror
>  files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR.
>  .TP
> +.I network\-sandbox
> +Disables the network namespace for specific packages.
> +Should not be used in the main Gentoo tree.
> +.TP
>  .I preserve\-libs
>  Disables preserve\-libs for specific packages. Note than when a package is
>  merged, RESTRICT=preserve\-libs applies if either the new instance or the
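
Review bot: the new network\-sandbox entry does not say when it has any effect. Going by the doebuild.py change in this same patch, the restriction only matters when FEATURES contains network-sandbox, and it then sets networked for every phase, not only those in _networked_phases. Suggest spelling that out, for example "Disables the FEATURES=network\-sandbox network namespace in all phases for specific packages."
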
> diff --git a/pym/portage/package/ebuild/doebuild.py 
> b/pym/portage/package/ebuild/doebuild.py
> index 0be148fd408e..f75f11a1a424 100644
> --- a/pym/portage/package/ebuild/doebuild.py
> +++ b/pym/portage/package/ebuild/doebuild.py
> @@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
> **kwargs):
>   kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \
>   phase in _ipc_phases
>   kwargs['networked'] = 'network-sandbox' not in settings.features or \
> - phase in _networked_phases
> + phase in _networked_phases or \
> + 'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
>  
>   if phase == 'depend':
>   kwargs['droppriv'] = 'userpriv' in settings.features
> 
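
Review bot: the added line indexes settings['PORTAGE_RESTRICT'] directly, and it is evaluated for any phase outside _networked_phases once network-sandbox is in FEATURES, which may include the 'depend' phase handled just below. If PORTAGE_RESTRICT can be unset at that point, the lookup fails instead of simply leaving the sandbox on. Suggest settings.get('PORTAGE_RESTRICT', '').split() so that a missing value keeps network isolation enabled.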

Thanks, looks perfect now.
-- 
Thanks,
Zac





[gentoo-portage-dev] [PATCH v2] ebuild: allow RESTRICT=network-sandbox in ebuilds

2018-01-16 Thread Mike Frysinger
From: Mike Frysinger 

Some ebuilds are a bit hard to fix their use of the network in src
phases, so allow them to disable things.  This allows us to turn off
access by default and for the vast majority while we work out how to
fix the few broken packages.

URL: https://crbug.com/731905
---
 man/ebuild.5   | 4 
 pym/portage/package/ebuild/doebuild.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/man/ebuild.5 b/man/ebuild.5
index 42a0599fe3a9..1f2d4219e93e 100644
--- a/man/ebuild.5
+++ b/man/ebuild.5
@@ -689,6 +689,10 @@ binaries that are not compatible with debugedit.
 .I mirror
 files in \fBSRC_URI\fR will not be downloaded from the \fBGENTOO_MIRRORS\fR.
 .TP
+.I network\-sandbox
+Disables the network namespace for specific packages.
+Should not be used in the main Gentoo tree.
+.TP
 .I preserve\-libs
 Disables preserve\-libs for specific packages. Note than when a package is
 merged, RESTRICT=preserve\-libs applies if either the new instance or the
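
Review bot: "Should not be used in the main Gentoo tree." on the new entry is stated only as prose, and neither of the two files in this patch checks for it. Since the value lets an ebuild switch off network isolation for itself, consider a follow-up QA check that flags RESTRICT=network-sandbox in the main tree, and say in this entry that it weakens the build sandbox so overlay users know what they are accepting.
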
diff --git a/pym/portage/package/ebuild/doebuild.py 
b/pym/portage/package/ebuild/doebuild.py
index 0be148fd408e..f75f11a1a424 100644
--- a/pym/portage/package/ebuild/doebuild.py
+++ b/pym/portage/package/ebuild/doebuild.py
@@ -148,7 +148,8 @@ def _doebuild_spawn(phase, settings, actionmap=None, 
**kwargs):
kwargs['ipc'] = 'ipc-sandbox' not in settings.features or \
phase in _ipc_phases
kwargs['networked'] = 'network-sandbox' not in settings.features or \
-   phase in _networked_phases
+   phase in _networked_phases or \
+   'network-sandbox' in settings['PORTAGE_RESTRICT'].split()
 
if phase == 'depend':
kwargs['droppriv'] = 'userpriv' in settings.features
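
Review bot: with the added 'network-sandbox' in settings['PORTAGE_RESTRICT'].split() term, kwargs['networked'] becomes true silently whenever the ebuild asks for it, so a user who set FEATURES=network-sandbox gets no indication that a package opted out. Suggest emitting a log message when the restriction is the reason networking was enabled, and adding a short comment above the expression noting that the ebuild's RESTRICT overrides the feature.
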
-- 
2.15.1