<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[124146] trunk/base/src</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="https://trac.macports.org/changeset/124146">124146</a></dd>
<dt>Author</dt> <dd>cal@macports.org</dd>
<dt>Date</dt> <dd>2014-08-19 16:17:13 -0700 (Tue, 19 Aug 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>base: darwintrace: fix ignoring of /usr/local and /Library/Frameworks

In detail:
 - Add FILEMAP_DENY action that allows denying access to a specific prefix
   completely (which is required to allow blacklisting /Library/Frameworks
   without listing all 67 other directories in /Library in the sandbox)
 - Move complete sandbox specification into Tcl code for an easier and less
   confusing setup. This includes:
 - No longer implicitly allow / (i.e., everything), if developer_dir is less
   than two levels deep; code was originally added to deal with
   $xcode/Contents/Developer and now does exactly that.
 - No longer allow access to /usr in general since /usr also includes
   /usr/local. Instead, list all directories in /usr explicitly. That should
   also fix includes getting loaded from /usr/X11 -&gt; /opt/X11, but will likely
   break stuff on systems that *do* have X headers installed by Apple in this
   location. We still have copies in MacPorts anyway, so this shouldn't be
   a big deal.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkbasesrcdarwintracelib10darwintracec">trunk/base/src/darwintracelib1.0/darwintrace.c</a></li>
<li><a href="#trunkbasesrcpextlib10Makefilein">trunk/base/src/pextlib1.0/Makefile.in</a></li>
<li><a href="#trunkbasesrcpextlib10tracelibc">trunk/base/src/pextlib1.0/tracelib.c</a></li>
<li><a href="#trunkbasesrcport10porttracetcl">trunk/base/src/port1.0/porttrace.tcl</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkbasesrcdarwintracelib10sandbox_actionsh">trunk/base/src/darwintracelib1.0/sandbox_actions.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkbasesrcdarwintracelib10darwintracec"></a>
<div class="modfile"><h4>Modified: trunk/base/src/darwintracelib1.0/darwintrace.c (124145 => 124146)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/base/src/darwintracelib1.0/darwintrace.c        2014-08-19 23:09:50 UTC (rev 124145)
+++ trunk/base/src/darwintracelib1.0/darwintrace.c        2014-08-19 23:17:13 UTC (rev 124146)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> 
</span><span class="cx"> #define DARWINTRACE_USE_PRIVATE_API 1
</span><span class="cx"> #include &quot;darwintrace.h&quot;
</span><ins>+#include &quot;sandbox_actions.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #ifdef HAVE_LIBKERN_OSATOMIC_H
</span><span class="cx"> #include &lt;libkern/OSAtomic.h&gt;
</span><span class="lines">@@ -127,15 +128,10 @@
</span><span class="cx">  *  0: allow
</span><span class="cx">  *  1: map the path to the one given in additional_data (currently unsupported)
</span><span class="cx">  *  2: check for a dependency using the socket
</span><ins>+ *  3: deny access to the path and stop processing
</ins><span class="cx">  */
</span><span class="cx"> static char *filemap;
</span><span class="cx"> 
</span><del>-enum {
-    FILEMAP_ALLOW = 0,
-    // FILEMAP_REDIR = 1,
-    FILEMAP_ASK   = 2
-};
-
</del><span class="cx"> /**
</span><span class="cx">  * Setup method called as constructor to set up thread-local storage for the
</span><span class="cx">  * thread id and the darwintrace socket.
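Review bot: the action list above should also say that the map is scanned in order and the first entry whose prefix matches decides, because FILEMAP_DENY only behaves as described ("stop processing") under that rule. porttrace.tcl relies on it by placing the deny for /Library/Frameworks ahead of the allow for /Library, and nothing on the C side rejects or warns about a deny that is shadowed by an earlier, broader allow, so the ordering contract belongs in this comment next to the byte values.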
</span><span class="lines">@@ -671,6 +667,11 @@
</span><span class="cx">                                                         }
</span><span class="cx">                                                         return false;
</span><span class="cx">                                         }
</span><ins>+                                case FILEMAP_DENY:
+                                        if ((flags &amp; DT_REPORT) &gt; 0) {
+                                                __darwintrace_log_op(&quot;sandbox_violation&quot;, path);
+                                        }
+                                        return false;
</ins><span class="cx">                                 default:
</span><span class="cx">                                         fprintf(stderr, &quot;darwintrace: error: unexpected byte in file map: `%x'\n&quot;, *t);
</span><span class="cx">                                         abort();
</span></span></pre></div>
<a id="trunkbasesrcdarwintracelib10sandbox_actionsh"></a>
<div class="addfile"><h4>Added: trunk/base/src/darwintracelib1.0/sandbox_actions.h (0 => 124146)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/base/src/darwintracelib1.0/sandbox_actions.h                                (rev 0)
+++ trunk/base/src/darwintracelib1.0/sandbox_actions.h        2014-08-19 23:17:13 UTC (rev 124146)
</span><span class="lines">@@ -0,0 +1,41 @@
</span><ins>+/*
+ * Copyright (c) 2014 The MacPorts Project
+ * All rights reserved.
+ *
+ * $Id$
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Inc. (&quot;Apple&quot;) nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS &quot;AS IS&quot; AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
+enum {
+    FILEMAP_ALLOW = 0,
+    // FILEMAP_REDIR = 1,
+    FILEMAP_ASK   = 2,
+    FILEMAP_DENY  = 3
+};
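Review bot: the header has no include guard. It is now pulled into both darwintrace.c and tracelib.c, and a second inclusion within either translation unit would redefine the enumerators, so wrap it in `#ifndef SANDBOX_ACTIONS_H` / `#define SANDBOX_ACTIONS_H` / `#endif`. Separately, the license block is the Apple BSD template: clause 3 and the warranty disclaimer name Apple Inc. while the copyright line names The MacPorts Project; the two should agree on the party being named.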
</ins><span class="cx">Property changes on: trunk/base/src/darwintracelib1.0/sandbox_actions.h
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnkeywords"></a>
<div class="addfile"><h4>Added: svn:keywords</h4></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<a id="trunkbasesrcpextlib10Makefilein"></a>
<div class="modfile"><h4>Modified: trunk/base/src/pextlib1.0/Makefile.in (124145 => 124146)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/base/src/pextlib1.0/Makefile.in        2014-08-19 23:09:50 UTC (rev 124145)
+++ trunk/base/src/pextlib1.0/Makefile.in        2014-08-19 23:17:13 UTC (rev 124146)
</span><span class="lines">@@ -13,6 +13,9 @@
</span><span class="cx"> OBJS+=strlcat.o
</span><span class="cx"> endif
</span><span class="cx"> 
</span><ins>+# tracelib.o has an additional dependency
+tracelib.o: ../darwintracelib1.0/sandbox_actions.h
+
</ins><span class="cx"> SHLIB_NAME= Pextlib${SHLIB_SUFFIX}
</span><span class="cx"> INSTALLDIR= ${DESTDIR}${TCL_PACKAGE_PATH}/pextlib1.0
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkbasesrcpextlib10tracelibc"></a>
<div class="modfile"><h4>Modified: trunk/base/src/pextlib1.0/tracelib.c (124145 => 124146)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/base/src/pextlib1.0/tracelib.c        2014-08-19 23:09:50 UTC (rev 124145)
+++ trunk/base/src/pextlib1.0/tracelib.c        2014-08-19 23:17:13 UTC (rev 124146)
</span><span class="lines">@@ -59,6 +59,7 @@
</span><span class="cx"> #include &lt;cregistry/portgroup.h&gt;
</span><span class="cx"> #include &lt;cregistry/entry.h&gt;
</span><span class="cx"> #include &lt;registry2.0/registry.h&gt;
</span><ins>+#include &lt;darwintracelib1.0/sandbox_actions.h&gt;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;tracelib.h&quot;
</span><span class="cx"> 
</span><span class="lines">@@ -84,7 +85,7 @@
</span><span class="cx"> 
</span><span class="cx"> static char *name;
</span><span class="cx"> static char *sandbox;
</span><del>-static char *filemap, *filemap_end;
</del><ins>+static size_t sandboxLength;
</ins><span class="cx"> static char *depends;
</span><span class="cx"> static int sock = -1;
</span><span class="cx"> static int kq = -1;
</span><span class="lines">@@ -95,7 +96,6 @@
</span><span class="cx"> static Tcl_Interp *interp;
</span><span class="cx"> static pthread_mutex_t sock_mutex = PTHREAD_MUTEX_INITIALIZER;
</span><span class="cx"> static int cleanuping = 0;
</span><del>-static char *sdk = NULL;
</del><span class="cx"> 
</span><span class="cx"> static void send_file_map(int sock);
</span><span class="cx"> static void dep_check(int sock, char *path);
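Review bot: `sdk` loses its declaration here, but no hunk in this change removes whatever assigned it, and the old send_file_map body deleted further down was its only visible reader. Confirm that nothing else in tracelib.c (a setter command, cleanup) still references the variable, or the file will not compile.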
</span><span class="lines">@@ -108,6 +108,7 @@
</span><span class="cx"> 
</span><span class="cx"> #define MAX_SOCKETS (1024)
</span><span class="cx"> #define BUFSIZE     (4096)
</span><ins>+#define CANARY      (0xdeadbeef)
</ins><span class="cx"> 
</span><span class="cx"> /**
</span><span class="cx">  * send a buffer \c buf with the given length \c size to the socket \c sock, by
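Review bot: CANARY is defined but nothing in this change uses it. Either drop the define or add the check it was meant for; an unused 0xdeadbeef constant reads like a leftover debugging aid.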
</span><span class="lines">@@ -179,9 +180,8 @@
</span><span class="cx">  * \return a Tcl return code
</span><span class="cx">  */
</span><span class="cx"> static int TracelibSetSandboxCmd(Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]) {
</span><del>-    int len;
</del><span class="cx">     char *src, *dst;
</span><del>-    enum { NORMAL, ESCAPE } state = NORMAL;
</del><ins>+    enum { NORMAL, ACTION, ESCAPE } state = NORMAL;
</ins><span class="cx"> 
</span><span class="cx">     if (objc != 3) {
</span><span class="cx">         Tcl_WrongNumArgs(interp, 2, objv, &quot;number of arguments should be exactly 3&quot;);
</span><span class="lines">@@ -189,8 +189,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     src = Tcl_GetString(objv[2]);
</span><del>-    len = strlen(src) + 2;
-    sandbox = malloc(len);
</del><ins>+    sandboxLength = strlen(src) + 2;
+    sandbox = malloc(sandboxLength);
</ins><span class="cx">     if (!sandbox) {
</span><span class="cx">         Tcl_SetResult(interp, &quot;memory allocation failed&quot;, TCL_STATIC);
</span><span class="cx">         return TCL_ERROR;
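Review bot: sandboxLength records the allocation size (strlen(src) + 2), not how many bytes the parser below actually writes. Every escape sequence (`\\:`, `\\=`, `\\\\`) collapses two input bytes into one output byte, so the bytes between the final terminator and sandbox + sandboxLength are uninitialized malloc memory, and send_file_map now hands exactly sandboxLength bytes to answer_s where the old code sent the computed filemap_end - filemap. Set sandboxLength to dst - sandbox once parsing is finished (or calloc the buffer) so only the parsed map goes over the socket.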
</span><span class="lines">@@ -213,18 +213,62 @@
</span><span class="cx">                     /* : was escaped, keep literally */
</span><span class="cx">                     *dst++ = ':';
</span><span class="cx">                     state = NORMAL;
</span><ins>+                } else if (state == ACTION) {
+                    /* : -&gt; \0, we're done with this entry */
+                    *dst++ = '\0';
+                    state = NORMAL;
</ins><span class="cx">                 } else {
</span><del>-                    /* : -&gt; \0, unless it has been escaped */
</del><ins>+                    /* unescaped : should never occur in normal state */
+                    free(sandbox);
+                    Tcl_SetResult(interp, &quot;Unexpected colon before action specification.&quot;, TCL_STATIC);
+                    return TCL_ERROR;
+                }
+                break;
+            case '=':
+                if (state == ESCAPE) {
+                    /* = was escaped, keep literally */
+                    *dst++ = '=';
+                    state = NORMAL;
+                } else {
+                    /* hit =, this is the end of the path, the action follows */
</ins><span class="cx">                     *dst++ = '\0';
</span><ins>+                    state = ACTION;
</ins><span class="cx">                 }
</span><span class="cx">                 break;
</span><ins>+            case '+':
+            case '-':
+            case '?':
+                if (state == ACTION) {
+                    /* control character after equals, convert to binary */
+                    switch (*src) {
+                        case '+':
+                            *dst++ = FILEMAP_ALLOW;
+                            break;
+                        case '-':
+                            *dst++ = FILEMAP_DENY;
+                            break;
+                        case '?':
+                            *dst++ = FILEMAP_ASK;
+                            break;
+                    }
+                } else {
+                    /* before equals sign, copy literally */
+                    *dst++ = *src;
+                }
+                break;
</ins><span class="cx">             default:
</span><span class="cx">                 if (state == ESCAPE) {
</span><span class="cx">                     /* unknown escape sequence, free buffer and raise an error */
</span><span class="cx">                     free(sandbox);
</span><del>-                    Tcl_SetResult(interp, &quot;unknown escape sequence&quot;, TCL_STATIC);
</del><ins>+                    Tcl_SetResult(interp, &quot;Unknown escape sequence.&quot;, TCL_STATIC);
</ins><span class="cx">                     return TCL_ERROR;
</span><span class="cx">                 }
</span><ins>+                if (state == ACTION) {
+                    /* unknown control character, free buffer and raise an error */
+                    free(sandbox);
+                    Tcl_SetResult(interp, &quot;Unknown control character. Possible values are +, -, and ?.&quot;, TCL_STATIC);
+                    return TCL_ERROR;
+                }
</ins><span class="cx">                 /* otherwise: copy the char */
</span><span class="cx">                 *dst++ = *src;
</span><span class="cx">                 break;
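Review bot: the new `case '+': case '-': case '?':` branch ignores the ESCAPE state. With `\-=+:` the `-` is copied literally but state stays ESCAPE, so the real `=` delimiter is swallowed as an escaped literal, `+` is copied as path text and the closing `:` then fails with "Unexpected colon before action specification"; `\+x` fails with "Unknown escape sequence" one character late. The Tcl side only ever escapes `\`, `:` and `=`, so this is latent today, but handle ESCAPE first in that case (reject it as the default branch does, or copy and reset state). Two related gaps in the same state machine: after an action byte is written the state remains ACTION, so `path=+-:` emits two action bytes and `path=:` emits none, and an `=` seen while in ACTION falls into the else branch and writes another NUL; all three corrupt the path\0action\0 framing that darwintrace parses. A fourth state that accepts only `:` after the action character, plus an error on `=` and `:` in ACTION before an action has been seen, closes them.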
</span><span class="lines">@@ -310,68 +354,12 @@
</span><span class="cx">  * \param[in] sock the socket to send the sandbox bounds to
</span><span class="cx">  */
</span><span class="cx"> static void send_file_map(int sock) {
</span><del>-    if (!filemap) {
-        char *t, * _;
-
-        size_t remaining = BUFSIZE;
-        filemap = (char *)malloc(remaining);
-        if (!filemap) {
-            ui_warn(&quot;send_file_map: memory allocation failed&quot;);
-            return;
-        }
-        t = filemap;
-
-#       define append_allow(path, resolution) do { strlcpy(t, path, remaining); \
-            if (remaining &lt; (strlen(t)+3)) { \
-                remaining=0; \
-                fprintf(stderr, &quot;tracelib: insufficient filemap memory\n&quot;); \
-            } else { \
-                remaining-=strlen(t)+3; \
-            } \
-            t+=strlen(t)+1; \
-            *t++=resolution; \
-            *t++=0; \
-        } while(0);
-
-        if (enable_fence) {
-            for (_ = sandbox; *_; _ += strlen(_) + 1) {
-                append_allow(_, 0);
-            }
-
-            append_allow(&quot;/bin&quot;, 0);
-            append_allow(&quot;/sbin&quot;, 0);
-            append_allow(&quot;/dev&quot;, 0);
-            append_allow(Tcl_GetVar(interp, &quot;prefix&quot;, TCL_GLOBAL_ONLY), 2);
-            /* If there is no SDK we will allow everything in /usr /System/Library etc, else add binaries to allow, and redirect root to SDK. */
-            if (sdk &amp;&amp; *sdk) {
-                char buf[260];
-                buf[0] = '\0';
-                strlcat(buf, Tcl_GetVar(interp, &quot;developer_dir&quot;, TCL_GLOBAL_ONLY), 260);
-                strlcat(buf, &quot;/SDKs/&quot;, 260);
-                strlcat(buf, sdk, 260);
-
-                append_allow(&quot;/usr/bin&quot;, 0);
-                append_allow(&quot;/usr/sbin&quot;, 0);
-                append_allow(&quot;/usr/libexec/gcc&quot;, 0);
-                append_allow(&quot;/System/Library/Perl&quot;, 0);
-                append_allow(&quot;/&quot;, 1);
-                strlcpy(t - 1, buf, remaining);
-                t += strlen(t) + 1;
-            } else {
-                append_allow(&quot;/usr&quot;, 0);
-                append_allow(&quot;/System/Library&quot;, 0);
-                append_allow(&quot;/Library&quot;, 0);
-                append_allow(Tcl_GetVar(interp, &quot;developer_dir&quot;, TCL_GLOBAL_ONLY), 0);
-            }
-        } else {
-            append_allow(&quot;/&quot;, 0);
-        }
-        append_allow(&quot;&quot;, 0);
-        filemap_end = t;
-#       undef append_allow
</del><ins>+    if (enable_fence) {
+        answer_s(sock, sandbox, sandboxLength);
+    } else {
+        char allowAllSandbox[5] = {'/', '\0', FILEMAP_ALLOW, '\0', '\0'};
+        answer_s(sock, allowAllSandbox, sizeof(allowAllSandbox));
</ins><span class="cx">     }
</span><del>-
-    answer_s(sock, filemap, filemap_end - filemap);
</del><span class="cx"> }
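Review bot: when enable_fence is set but `tracelib setsandbox` was never run, sandbox is still NULL and sandboxLength is 0, so answer_s is handed a NULL buffer with zero length; the old code at least built a map of its own here. Guard with `if (sandbox)` and report the misuse through ui_warn as the old allocation-failure path did, or make enablefence refuse to run before setsandbox. The allowAllSandbox literal is right: `/`, NUL, FILEMAP_ALLOW, NUL and the terminating NUL are the 5 bytes sizeof reports.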
</span><span class="cx"> 
</span><span class="cx"> /**
</span><span class="lines">@@ -781,9 +769,6 @@
</span><span class="cx">         unlink(name);
</span><span class="cx">         safe_free(name);
</span><span class="cx">     }
</span><del>-    if (filemap) {
-        safe_free(filemap);
-    }
</del><span class="cx">     if (depends) {
</span><span class="cx">         safe_free(depends);
</span><span class="cx">     }
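Review bot: the filemap free goes away, but nothing in this change shows `sandbox` (now the buffer that is actually sent) being released here; if the old code did not free it either, add a safe_free(sandbox) next to the depends one so the cleanup path matches the new ownership.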
</span><span class="lines">@@ -838,10 +823,6 @@
</span><span class="cx"> 
</span><span class="cx"> static int TracelibEnableFence(Tcl_Interp *interp UNUSED) {
</span><span class="cx">     enable_fence = 1;
</span><del>-    if (filemap) {
-        free(filemap);
-    }
-    filemap = 0;
</del><span class="cx">     return TCL_OK;
</span><span class="cx"> }
</span><span class="cx"> #endif /* defined(HAVE_TRACEMODE_SUPPORT) */
</span></span></pre></div>
<a id="trunkbasesrcport10porttracetcl"></a>
<div class="modfile"><h4>Modified: trunk/base/src/port1.0/porttrace.tcl (124145 => 124146)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/base/src/port1.0/porttrace.tcl        2014-08-19 23:09:50 UTC (rev 124145)
+++ trunk/base/src/port1.0/porttrace.tcl        2014-08-19 23:17:13 UTC (rev 124146)
</span><span class="lines">@@ -37,10 +37,58 @@
</span><span class="cx"> package require portutil 1.0
</span><span class="cx"> 
</span><span class="cx"> namespace eval porttrace {
</span><ins>+    proc appendEntry {sandbox path action} {
+        upvar 2 $sandbox sndbxlst
+
+        set mapping {}
+        # Escape backslashes with backslashes
+        lappend mapping &quot;\\&quot; &quot;\\\\&quot;
+        # Escape colons with \:
+        lappend mapping &quot;:&quot; &quot;\\:&quot;
+        # Escape equal signs with \=
+        lappend mapping &quot;=&quot; &quot;\\=&quot;
+
+        set normalizedPath [file normalize $path]
+        lappend sndbxlst &quot;[string map $mapping $path]=$action&quot;
+        if {$normalizedPath ne $path} {
+            lappend sndbxlst &quot;[string map $mapping $normalizedPath]=$action&quot;
+        }
+    }
+
+    ##
+    # Append a trace sandbox entry suitable for allowing access to
+    # a directory to a given sandbox list.
+    #
+    # @param sandbox The name of the sandbox list variable
+    # @param path The path that should be permitted
+    proc allow {sandbox path} {
+        appendEntry $sandbox $path &quot;+&quot;
+    }
+
+    ##
+    # Append a trace sandbox entry suitable for denying access to a directory
+    # (and stopping processing of the sandbox) to a given sandbox list.
+    #
+    # @param sandbox The name of the sandbox list variable
+    # @param path The path that should be denied
+    proc deny {sandbox path} {
+        appendEntry $sandbox $path &quot;-&quot;
+    }
+
+    ##
+    # Append a trace sandbox entry suitable for deferring the access decision
+    # back to MacPorts to query for dependencies to a given sandbox list.
+    #
+    # @param sandbox The name of the sandbox list variable
+    # @param path The path that should be handed back to MacPorts for further
+    #             processing.
+    proc ask {sandbox path} {
+        appendEntry $sandbox $path &quot;?&quot;
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> proc porttrace::trace_start {workpath} {
</span><del>-    global os.platform developer_dir macportsuser
</del><ins>+    global prefix os.platform developer_dir macportsuser
</ins><span class="cx">     if {${os.platform} == &quot;darwin&quot;} {
</span><span class="cx">         if {[catch {package require Thread} error]} {
</span><span class="cx">             ui_warn &quot;trace requires Tcl Thread package ($error)&quot;
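Review bot: appendEntry relies on `file normalize` to produce the `/private/...` twins that the old hard-coded list carried explicitly. Tcl's `file normalize` resolves symlinks in the leading components only and leaves the last component unresolved, so paths under /var and /etc do get their /private form, but `/tmp` normalizes to itself and the old `/private/tmp` entry is lost. Unless darwintrace matches against the symlink-resolved path, keep an explicit allow for /private/tmp. Also, `upvar 2` hard-codes that appendEntry is reached through allow/deny/ask; a direct call binds the wrong frame, and appendEntry is the one proc here without a doc comment, so document that constraint (or pass the list by name down from the three wrappers with a single `upvar 1`).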
</span><span class="lines">@@ -65,56 +113,79 @@
</span><span class="cx">                 set env(DYLD_INSERT_LIBRARIES) ${tracelib_path}
</span><span class="cx">             }
</span><span class="cx">             set env(DARWINTRACE_LOG) &quot;$trace_fifo&quot;
</span><ins>+
</ins><span class="cx">             # The sandbox is limited to:
</span><del>-            # workpath
-            # /tmp
-            # /private/tmp
-            # /var/tmp
-            # /private/var/tmp
-            # $TMPDIR
-            # /dev/null
-            # /dev/tty
-            # /Library/Caches/com.apple.Xcode
-            # $CCACHE_DIR
-            # $HOMEDIR/.ccache
-            set trace_sandbox [list \
-            $workpath \
-            $portpath \
-            $distpath \
-            /tmp \
-            /private/tmp \
-            /var/tmp \
-            /private/var/tmp \
-            /var/folders \
-            /private/var/folders \
-            /var/empty \
-            /private/var/empty \
-            /var/run \
-            /private/var/run \
-            /var/db/xcode_select_link \
-            /private/var/db/xcode_select_link \
-            /var/db/mds \
-            /private/var/db/mds \
-            /var/db/launchd.db \
-            /private/var/db/launchd.db \
-            [file normalize ~${macportsuser}/Library/Preferences/com.apple.dt.Xcode.plist] \
-            &quot;$env(HOME)/Library/Preferences/com.apple.dt.Xcode.plist&quot; \
-            /Library/Caches/com.apple.Xcode \
-            /Library/LaunchDaemons \
-            /Library/LaunchAgents \
-            /dev \
-            /etc/passwd \
-            /etc/groups \
-            /etc/localtime \
-            [file normalize ${developer_dir}/../..] \
-            &quot;$env(HOME)/.ccache&quot;]
</del><ins>+            set trace_sandbox [list]
+
+            # Allow work-, port-, and distpath
+            allow trace_sandbox $workpath
+            allow trace_sandbox $portpath
+            allow trace_sandbox $distpath
+
+            # Allow standard system directories
+            allow trace_sandbox &quot;/bin&quot;
+            allow trace_sandbox &quot;/sbin&quot;
+            allow trace_sandbox &quot;/dev&quot;
+            allow trace_sandbox &quot;/usr/bin&quot;
+            allow trace_sandbox &quot;/usr/sbin&quot;
+            allow trace_sandbox &quot;/usr/include&quot;
+            allow trace_sandbox &quot;/usr/lib&quot;
+            allow trace_sandbox &quot;/usr/libexec&quot;
+            allow trace_sandbox &quot;/usr/share&quot;
+            allow trace_sandbox &quot;/System/Library&quot;
+            # Deny /Library/Frameworks, third parties install there
+            deny  trace_sandbox &quot;/Library/Frameworks&quot;
+            # But allow the rest of /Library
+            allow trace_sandbox &quot;/Library&quot;
+
+            # Allow a few configuration files
+            allow trace_sandbox &quot;/etc/passwd&quot;
+            allow trace_sandbox &quot;/etc/groups&quot;
+            allow trace_sandbox &quot;/etc/localtime&quot;
+
+            # Allow temporary locations
+            allow trace_sandbox &quot;/tmp&quot;
+            allow trace_sandbox &quot;/var/tmp&quot;
+            allow trace_sandbox &quot;/var/folders&quot;
+            allow trace_sandbox &quot;/var/empty&quot;
+            allow trace_sandbox &quot;/var/run&quot;
</ins><span class="cx">             if {[info exists env(TMPDIR)]} {
</span><del>-                lappend trace_sandbox $env(TMPDIR)
</del><ins>+                set tmpdir [string trim $env(TMPDIR)]
+                if {$tmpdir ne &quot;&quot;} {
+                    allow trace_sandbox $tmpdir
+                }
</ins><span class="cx">             }
</span><ins>+
+            # Allow access to some Xcode specifics
+            allow trace_sandbox &quot;/var/db/xcode_select_link&quot;
+            allow trace_sandbox &quot;/var/db/mds&quot;
+            allow trace_sandbox [file normalize ~${macportsuser}/Library/Preferences/com.apple.dt.Xcode.plist]
+            allow trace_sandbox &quot;$env(HOME)/Library/Preferences/com.apple.dt.Xcode.plist&quot;
+
+            # Allow access to developer_dir; however, if it ends with /Contents/Developer, strip
+            # that. If it doesn't leave that in place to avoid allowing access to &quot;/&quot;!
+            set ddsplit [file split [file normalize [file join ${developer_dir} &quot;..&quot; &quot;..&quot;]]]
+            if {[llength $ddsplit] &gt; 2 &amp;&amp; [lindex $ddsplit end-1] eq &quot;Contents&quot; &amp;&amp; [lindex $ddsplit end] eq &quot;Developer&quot;} {
+                set ddsplit [lrange $ddsplit 0 end-2]
+            }
+            allow trace_sandbox [file join {*}$ddsplit]
+
+            # Allow launchd.db access to avoid failing on port-load(1)/port-unload(1)/port-reload(1)
+            allow trace_sandbox &quot;/var/db/launchd.db&quot;
+
+            # Deal with ccache
+            allow trace_sandbox &quot;$env(HOME)/.ccache&quot;
</ins><span class="cx">             if {[info exists env(CCACHE_DIR)]} {
</span><del>-                lappend trace_sandbox $env(CCACHE_DIR)
</del><ins>+                set ccachedir [string trim $env(CCACHE_DIR)]
+                if {$ccachedir ne &quot;&quot;} {
+                    allow trace_sandbox $ccachedir
+                }
</ins><span class="cx">             }
</span><span class="cx"> 
</span><ins>+            # Defer back to MacPorts for dependency checks inside $prefix. This must be at the end,
+            # or it'll be used instead of more specific rules.
+            ask trace_sandbox $prefix
+
</ins><span class="cx">             ui_debug &quot;Tracelib Sandbox is:&quot;
</span><span class="cx">             foreach sandbox $trace_sandbox {
</span><span class="cx">                 ui_debug &quot;\t$sandbox&quot;
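Review bot: the developer_dir handling does not do what its comment says. `file join ${developer_dir} ".." ".."` ascends two levels unconditionally and only then checks for a trailing Contents/Developer, which cannot match on the already-shortened path: for /Applications/Xcode.app/Contents/Developer the result is /Applications/Xcode.app by accident, and for a developer_dir only one or two levels deep (e.g. /Developer) it is `/`, which is exactly the blanket allow the log message says is gone. Normalize developer_dir itself, drop the last two components only when they are Contents and Developer, and allow that. Separately, `/etc/groups` is carried over from the old list but the file is /etc/group; as written the entry allows nothing. The deny for /Library/Frameworks ahead of allow /Library and `ask $prefix` last are correct under first-match ordering, and the deny line deserves the same "order matters" comment the ask line has.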
</span></span></pre>
</div>
</div>

</body>
</html>