[98193] trunk/base/src
jmr at macports.org
jmr at macports.org
Thu Sep 27 22:10:50 PDT 2012
Revision: 98193
http://trac.macports.org//changeset/98193
Author: jmr at macports.org
Date: 2012-09-27 22:10:50 -0700 (Thu, 27 Sep 2012)
Log Message:
-----------
use sandboxing to prevent writes outside workpath and distpath
Modified Paths:
--------------
trunk/base/src/pextlib1.0/system.c
trunk/base/src/port1.0/portsandbox.tcl
trunk/base/src/port1.0/portutil.tcl
Modified: trunk/base/src/pextlib1.0/system.c
===================================================================
--- trunk/base/src/pextlib1.0/system.c 2012-09-28 04:07:10 UTC (rev 98192)
+++ trunk/base/src/pextlib1.0/system.c 2012-09-28 05:10:50 UTC (rev 98193)
@@ -156,10 +156,8 @@
}
}
-#if 0
/* check if and how we should use sandbox-exec */
sandbox = check_sandboxing(interp, &sandbox_exec_path, &profilestr);
-#endif
/*
* Fork a child to run the command, in a popen() like fashion -
Modified: trunk/base/src/port1.0/portsandbox.tcl
===================================================================
--- trunk/base/src/port1.0/portsandbox.tcl 2012-09-28 04:07:10 UTC (rev 98192)
+++ trunk/base/src/port1.0/portsandbox.tcl 2012-09-28 05:10:50 UTC (rev 98193)
@@ -35,37 +35,41 @@
options portsandbox_supported portsandbox_profile
default portsandbox_supported {[file executable $portutil::autoconf::sandbox_exec_path]}
-default portsandbox_profile {[portsandbox::get_default_profile]}
+default portsandbox_profile {}
-# produce a suitable profile to pass to sandbox-exec
+# set up a suitable profile to pass to sandbox-exec, based on the target
# command line usage would be:
-# sandbox-exec -p '(version 1) (allow default) (deny file* (subpath "/usr/local") (subpath "/Library/Frameworks"))' some-command
-proc portsandbox::get_default_profile {} {
- global os.major prefix frameworks_dir
- set prefix_conflict [expr {$prefix == "/usr/local" || [string match $prefix "/usr/local/*"]}]
- set frameworks_conflict [expr {$frameworks_dir == "/Library/Frameworks" || [string match $frameworks_dir "/Library/Frameworks/*"]}]
- if {$prefix_conflict && $frameworks_conflict} {
- return ""
- }
- set profile "(version 1) (allow default) (deny "
- if {${os.major} > 9} {
- append profile "file* "
- if {!$prefix_conflict} {
- append profile {(subpath "/usr/local")}
+# sandbox-exec -p '(version 1) (allow default) (deny file-write*) (allow file-write* <filter>)' some-command
+proc portsandbox::set_profile {target} {
+ global os.major portsandbox_profile workpath distpath altprefix
+
+ switch $target {
+ activate -
+ deactivate -
+ load -
+ unload {
+ set portsandbox_profile ""
+ return
}
- if {!$frameworks_conflict} {
- append profile { (subpath "/Library/Frameworks")}
+ fetch -
+ mirror -
+ clean {
+ set allow_dirs [list $distpath]
}
- } else {
- append profile "file-read* file-write* (regex "
- if {!$prefix_conflict} {
- append profile {#"^/usr/local/"}
+ }
+
+ # TODO: remove altprefix support
+ lappend allow_dirs $workpath $altprefix
+
+ set portsandbox_profile "(version 1) (allow default) (deny file-write*)"
+ foreach dir $allow_dirs {
+ append portsandbox_profile " (allow file-write* "
+ if {${os.major} > 9} {
+ append portsandbox_profile "(subpath \"${dir}\")"
+ } else {
+ append portsandbox_profile "(regex #\"^${dir}/\")"
}
- if {!$frameworks_conflict} {
- append profile { #"^/Library/Frameworks/"}
- }
- append profile ")"
+ append portsandbox_profile ")"
}
- append profile ")"
- return $profile
+ append portsandbox_profile " (allow file-write-data (literal \"/dev/null\"))"
}
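Review bot: The directory names are spliced into the profile unquoted at the `(subpath \"${dir}\")` and `(regex #\"^${dir}/\")` lines, and `$altprefix` is appended unconditionally, so an empty altprefix produces `(subpath "")` and a path containing a double quote, backslash or regex metacharacter (a `.` or `+` in the workpath, say) can either break the profile or widen what the rule matches. Skipping empty entries and escaping each path before interpolation keeps the allow-list to the intended directories; the change below does that. The regex form assumes the profile's `#"..."` literal honours backslash escapes, which I cannot confirm from this hunk, so check it against sandbox-exec before relying on it. It is also worth confirming whether sandbox-exec compares against the resolved path, in which case a workpath reached via a symlink (e.g. /var → /private/var) would need `file normalize` to match.
```tcl
    # … unchanged: switch on $target filling allow_dirs …
    lappend allow_dirs $workpath $altprefix

    set portsandbox_profile "(version 1) (allow default) (deny file-write*)"
    foreach dir $allow_dirs {
        # an empty entry (e.g. altprefix unset) must not turn into a catch-all filter
        if {$dir eq ""} {
            continue
        }
        append portsandbox_profile " (allow file-write* "
        if {${os.major} > 9} {
            # quote \ and " so the path cannot terminate the subpath literal early
            set quoted [string map {\\ \\\\ \" \\\"} $dir]
            append portsandbox_profile "(subpath \"${quoted}\")"
        } else {
            # escape regex metacharacters so '.' and friends match literally
            set quoted [regsub -all {[][\\$^.*+?(){}|]} $dir {\\&}]
            append portsandbox_profile "(regex #\"^${quoted}/\")"
        }
        append portsandbox_profile ")"
    }
    # … unchanged: /dev/null allowance …
```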
Modified: trunk/base/src/port1.0/portutil.tcl
===================================================================
--- trunk/base/src/port1.0/portutil.tcl 2012-09-28 04:07:10 UTC (rev 98192)
+++ trunk/base/src/port1.0/portutil.tcl 2012-09-28 05:10:50 UTC (rev 98193)
@@ -1326,6 +1326,7 @@
if {$procedure != ""} {
set targetname [ditem_key $ditem name]
set target [ditem_key $ditem provides]
+ portsandbox::set_profile $target
global ${target}.asroot
if { [tbool ${target}.asroot] } {
elevateToRoot $targetname
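Review bot: The new `portsandbox::set_profile $target` call computes a profile for every target before elevateToRoot, but nothing at the call site says what that profile actually constrains. From the portsandbox.tcl comment the profile is handed to sandbox-exec for spawned commands, so Tcl-level file operations performed inside the target proc itself presumably run unconstrained, which is narrower than the log message's "prevent writes outside workpath and distpath" suggests. A short comment would set expectations: `# profile for sandbox-exec around commands the target spawns; Tcl file ops in the proc itself are not restricted`. The enclosing procedure starts and ends outside the hunk.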