Add directories to sandbox?
Clemens Lang
cal at macports.org
Wed Jul 24 13:37:19 PDT 2013
On Wed, Jul 24, 2013 at 03:56:19PM -0400, Daniel J. Luke wrote:
> Is there a way (planned?) for a port to be able to supply a (list of)
> path(s) to add to the sandbox?
There is an option portsandbox_profile [1], which is set in proc
target_run in portutil.tcl, line 1323 [2] by calling
portsandbox::set_profile $target [3].
Since portsandbox_profile is reset with every call to
portsandbox::set_profile you cannot modify the sandbox on a global
Portfile level. You can, however, modify it in a phase, e.g. in
pre-destroot (note this will be valid throughout the destroot and
post-destroot blocks):

    pre-destroot {
        set paths [list "/Library/Java/Extensions"]
        foreach path $paths {
            set profile_str "(allow file-write* ("
            if {${os.major} > 9} {
                append profile_str "subpath \"${path}\""
            } else {
                append profile_str "regex #\"^[quotemeta ${path}]/\""
            }
            append profile_str "))"
            portsandbox_profile-append $profile_str
        }
    }

We should probably make a PortGroup to simplify this and hide the pesky
details of writing the sandbox profile string. When I tried this
yesterday I had problems appending a string to portsandbox_profile using
portsandbox_profile-append without quote chars showing up in the final
profile string, so definitely check for that when you try (might just
have been a problem present in trunk, though). For more information, see
yesterday morning's IRC log[4].
> Alternatively, if I could just set it off in the post-destroot block
> (or just add that path for post-destroot), that would be swell.
portsandbox_active off should also work in phases.
Since we're already discussing limitations of the sandbox mechanism: If
your port needs to execute a binary that is SUID or SGID, it will fail
with the sandbox enabled. Use this workaround[5]:

    (allow process-exec (regex \"^[quotemeta $path]\$\") (with no-profile))

[1] http://trac.macports.org/browser/tags/release_2_2_0/base/src/port1.0/portsandbox.tcl#L36
[2] http://trac.macports.org/browser/tags/release_2_2_0/base/src/port1.0/portutil.tcl#L1323
[3] http://trac.macports.org/browser/tags/release_2_2_0/base/src/port1.0/portutil.tcl#L1342
[4] http://echelog.com/logs/browse/macports/1374530400
[5] This might not work on platforms that do not support regex matching
in profile strings.
--
Clemens Lang