User:Cronolio/build/sandbox

Resources

Sandbox is a library (and helper utility) to run programs in a "sandboxed" environment. This is used as a QA measure to try and prevent applications from modifying files they should not.

Sandbox have systemwide /etc/sandbox.conf config file which is declaring minimal settings and /usr/share/sandbox/sandbox.bashrc file which is preloading sandbox.so library for each shell or make process and add to SANDBOX_WRITE variable portage related directories.

direct usage example

For example we want to sandbox some application which will trying to write into root directory.

root #sandbox mkdir -v /foo

 * ACCESS DENIED:  mkdir:        /foo
mkdir: cannot create directory ‘/foo’: Permission denied
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-2508.log"
 * 
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /foo
A: /foo
R: /foo
C: mkdir -v /foo 
 * --------------------------------------------------------------------------------

To allow application to write into root directory required to add root path into SANDBOX_WRITE variable.

root #SANDBOX_WRITE="${SANDBOX_WRITE}:/" sandbox mkdir -v /foo

mkdir: created directory '/foo'

Do not forget to remove foo directory.

root #rmdir -v /foo

rmdir: removing directory, '/foo'

portage and sandbox

During the src_unpack, src_compile, src_test and src_install phases, ebuild.sh operates inside a sandbox

(what user is used on which phases)

if emerge runed by root user

phase	sandboxed?	user	change user
fetch	?	portage	feature userfetch enabled by default
unpack	yes	portage	feature userpriv enabled by default
prepare	?	portage
configure	?	portage
compile	yes	portage
test	yes	portage
preinst	?	?
install	yes	root
postinst	?	root
qmerge	no	root
unmerge prerm postrm	no	root