| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
See https://no-color.org/. We already switched Portage and gentoolkit.
Bug: https://bugs.gentoo.org/898224
Bug: https://bugs.gentoo.org/902551
Signed-off-by: Sam James <sam@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
This allows people to disable use of ptrace if their configuration
does not support it. This forces older sandbox behavior where we
cannot protect against static or set*id programs.
Bug: https://bugs.gentoo.org/648516
Bug: https://bugs.gentoo.org/771360
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In bug #737220 sandbox was denying write access to /usr/tmp
(a symlink to /var/tmp) for statically linked binaries.
It happens because erealpath() helper conservatively does not
resolve any symlink for external traced processes (to avoid
symlink confusion via /proc/ that could refer to tracer and not
tracee).
Instead of fixing erealpath() to handle more cases of symlinks
let's just allow /usr/tmp as if it was /var/tmp.
Reported-by: Kirill Chibisov
Bug: https://bugs.gentoo.org/737220
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This initial version doesn't enable their use by default.
URL: https://bugs.gentoo.org/512794
Reported-by: Matthew Thode <prometheanfire@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We implicitly permit write access to this node by not catching functions
like openpty and posix_openpt, but when projects try to access the node
directly (due to legacy/fallback logic), the sandbox would reject them.
Make access to the node explicit since it's generally harmless.
URL: https://bugs.gentoo.org/413327
URL: https://bugs.gentoo.org/550650
URL: https://bugs.gentoo.org/550670
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Almost no one has beep support turned on anymore, and ebeep in the main
tree has been deprecated (meaning it wasn't found useful while building
packages). So punt support for it from sandbox too.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
The previous commit to fix duplicate dist inclusion broke the install of
the generated file. So try again but hopefully this time get it right:
- include only 00default.in in the dist
- install only 00default
URL: http://bugs.gentoo.org/333131
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
| |
Make sure we only bundle 00default.in in the dist tarball rather than also
including the generated 00default.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Rather than hardcode /usr, assume that the prefix sandbox is configured
with is the same prefix that other packages in the system will be
configured with. This isn't entirely correct, but covers all of the
common and realistic use cases.
URL: http://bugs.gentoo.org/275064
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Reported-by: Michael Haubenwallner <haubi@gentoo.org>
|
| |
|
|
|
|
|
| |
Always use local sandbox.d copy to avoid random /etc/sandbox.d issues like
it doesn't exist, or has permission problems, or anything else.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
|
|
config directory for package specific configuration files.
Signed-off-by: Martin Schlemmer <azarah@gentoo.org>
|
Sam James
Mike Frysinger
Sergei Trofimovich
Michał Górny
Martin Schlemmer
GitWeb