Rainer Müller (raimue) pushed a commit to branch master
in repository macports-base.
<p><a href="https://github.com/macports/macports-base/commit/4670c4a1f089943322c0ea8635714b68cbfd0f1a">https://github.com/macports/macports-base/commit/4670c4a1f089943322c0ea8635714b68cbfd0f1a</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 4670c4a portsandbox: add option to deny network access
</span>4670c4a is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 4670c4a1f089943322c0ea8635714b68cbfd0f1a
</span>Author: Rainer Müller <raimue@macports.org>
AuthorDate: Tue Mar 27 00:21:54 2018 +0200
<span style='display:block; white-space:pre;color:#404040;'> portsandbox: add option to deny network access
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> This adds an experimental option to macports.conf that can be used to
</span><span style='display:block; white-space:pre;color:#404040;'> deny network access during all phases except fetch or mirror.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Note this setting can also be controlled from the port command line as
</span><span style='display:block; white-space:pre;color:#404040;'> usual if you want to enable or disable it only for a single build:
</span><span style='display:block; white-space:pre;color:#404040;'> sudo port -v build foo sandbox_network=no
</span>---
src/macports1.0/macports.tcl | 8 ++++++--
src/port1.0/portsandbox.tcl | 13 ++++++++++++-
2 files changed, 18 insertions(+), 3 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/src/macports1.0/macports.tcl b/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;color:#808080;'>index 340da57..da79b90 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/src/macports1.0/macports.tcl
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -56,7 +56,7 @@ namespace eval macports {
</span> macportsuser proxy_override_env proxy_http proxy_https proxy_ftp proxy_rsync proxy_skip \
master_site_local patch_site_local archive_site_local buildfromsource \
revupgrade_autorun revupgrade_mode revupgrade_check_id_loadcmds \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- host_blacklist preferred_hosts sandbox_enable delete_la_files cxx_stdlib \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ host_blacklist preferred_hosts sandbox_enable sandbox_network delete_la_files cxx_stdlib \
</span> packagemaker_path default_compilers pkg_post_unarchive_deletions ui_interactive"
variable user_options {}
variable portinterp_options "\
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -68,7 +68,7 @@ namespace eval macports {
</span> configureccache ccache_dir ccache_size configuredistcc configurepipe buildnicevalue buildmakejobs \
applications_dir current_phase frameworks_dir developer_dir universal_archs build_arch \
os_arch os_endian os_version os_major os_minor os_platform macosx_version macosx_sdk_version macosx_deployment_target \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- packagemaker_path default_compilers sandbox_enable delete_la_files cxx_stdlib \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packagemaker_path default_compilers sandbox_enable sandbox_network delete_la_files cxx_stdlib \
</span> pkg_post_unarchive_deletions $user_options"
# deferred options are only computed when needed.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1073,6 +1073,10 @@ match macports.conf.default."
</span> set macports::sandbox_enable yes
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![info exists macports::sandbox_network]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set macports::sandbox_network no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # make tools we run operate in UTF-8 mode
set env(LANG) en_US.UTF-8
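Review bot: The new default block only handles the unset case; a non-boolean value for `sandbox_network` coming from macports.conf or a `sandbox_network=...` command-line override is passed through unchecked and will only surface later as Tcl's "expected boolean value" error when portsandbox tests it with `if`. Validating here, e.g. `if {![string is boolean -strict $macports::sandbox_network]} { ui_warn "Invalid value for sandbox_network, using default 'no'"; set macports::sandbox_network no }`, would report the problem at configuration time with a clear message, matching how the option is meant to be experimental. The enclosing proc starts outside this hunk.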
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/src/port1.0/portsandbox.tcl b/src/port1.0/portsandbox.tcl
</span><span style='display:block; white-space:pre;color:#808080;'>index bccfc1b..7008f8a 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/src/port1.0/portsandbox.tcl
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/src/port1.0/portsandbox.tcl
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -42,7 +42,8 @@ default portsandbox_profile {}
</span> # sandbox-exec -p '(version 1) (allow default) (deny file-write*) (allow file-write* <filter>)' some-command
proc portsandbox::set_profile {target} {
global os.major portsandbox_profile workpath distpath \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- package.destpath configure.ccache ccache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ package.destpath configure.ccache ccache_dir \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sandbox_network configure.distcc
</span>
switch $target {
activate -
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -103,4 +104,14 @@ proc portsandbox::set_profile {target} {
</span> }
}
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${sandbox_network}} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {$target ne "fetch" && $target ne "mirror"} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${configure.distcc}} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ui_warn "Sandbox will not deny network access due to distcc"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ append portsandbox_profile " (deny network*)"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span> }
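Review bot: The reason for the fetch/mirror exemption and the distcc escape hatch is only recorded in the commit message, not in set_profile, so a comment above `if {${sandbox_network}} {` such as `# fetch and mirror must reach the network to download distfiles; distcc needs it to reach remote compile hosts, so the rule is skipped (with a warning) when configure.distcc is set` would keep that intent visible next to the code. Note also that the appended `(deny network*)` is broad: it appears to cover local IPC over Unix-domain sockets as well as TCP/IP, so build tools that talk to a local daemon may fail in ways that the distcc warning does not anticipate; since the option is experimental, a `ui_debug` stating that network access is denied for `$target` would help users diagnose such failures. The profile is appended to unconditionally, so it is worth confirming that the consumer of portsandbox_profile composes a valid profile when the earlier switch left it empty for this target. The proc portsandbox::set_profile begins outside this hunk.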