Changeset 98193
- Timestamp:
- Sep 28, 2012, 5:10:50 AM (12 years ago)
- Location:
- trunk/base/src
- Files:
-
- 3 edited
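--- a/trunk/base/src/pextlib1.0/system.c
+++ b/trunk/base/src/pextlib1.0/system.c
@@ -157,8 +157,6 @@
 }
 
-#if 0
 /* check if and how we should use sandbox-exec */
 sandbox = check_sandboxing(interp, &sandbox_exec_path, &profilestr);
-#endif
 
 /*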
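Review bot: The comment above the now-active `check_sandboxing()` call does not say what happens when no usable sandbox is found, and with the `#if 0` gone every command run through this function depends on that result. The rest of the function lies outside the hunk, so whether the command then runs unconfined or is refused cannot be read from here. Extend the comment to state it, e.g. `/* check if and how we should use sandbox-exec; an empty profile means the command runs without a sandbox */`, adjusted to what the code after this call actually does.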
trunk/base/src/port1.0/portsandbox.tcl
r98156 r98193 36 36 options portsandbox_supported portsandbox_profile 37 37 default portsandbox_supported {[file executable $portutil::autoconf::sandbox_exec_path]} 38 default portsandbox_profile { [portsandbox::get_default_profile]}38 default portsandbox_profile {} 39 39 40 # produce a suitable profile to pass to sandbox-exec40 # set up a suitable profile to pass to sandbox-exec, based on the target 41 41 # command line usage would be: 42 # sandbox-exec -p '(version 1) (allow default) (deny file* (subpath "/usr/local") (subpath "/Library/Frameworks"))' some-command 43 proc portsandbox::get_default_profile {} { 44 global os.major prefix frameworks_dir 45 set prefix_conflict [expr {$prefix == "/usr/local" || [string match $prefix "/usr/local/*"]}] 46 set frameworks_conflict [expr {$frameworks_dir == "/Library/Frameworks" || [string match $frameworks_dir "/Library/Frameworks/*"]}] 47 if {$prefix_conflict && $frameworks_conflict} { 48 return "" 42 # sandbox-exec -p '(version 1) (allow default) (deny file-write*) (allow file-write* <filter>)' some-command 43 proc portsandbox::set_profile {target} { 44 global os.major portsandbox_profile workpath distpath altprefix 45 46 switch $target { 47 activate - 48 deactivate - 49 load - 50 unload { 51 set portsandbox_profile "" 52 return 53 } 54 fetch - 55 mirror - 56 clean { 57 set allow_dirs [list $distpath] 58 } 49 59 } 50 set profile "(version 1) (allow default) (deny " 51 if {${os.major} > 9} { 52 append profile "file* " 53 if {!$prefix_conflict} { 54 append profile {(subpath "/usr/local")} 60 61 # TODO: remove altprefix support 62 lappend allow_dirs $workpath $altprefix 63 64 set portsandbox_profile "(version 1) (allow default) (deny file-write*)" 65 foreach dir $allow_dirs { 66 append portsandbox_profile " (allow file-write* " 67 if {${os.major} > 9} { 68 append portsandbox_profile "(subpath \"${dir}\")" 69 } else { 70 append portsandbox_profile "(regex #\"^${dir}/\")" 55 71 } 56 if {!$frameworks_conflict} { 57 append 
profile { (subpath "/Library/Frameworks")} 58 } 59 } else { 60 append profile "file-read* file-write* (regex " 61 if {!$prefix_conflict} { 62 append profile {#"^/usr/local/"} 63 } 64 if {!$frameworks_conflict} { 65 append profile { #"^/Library/Frameworks/"} 66 } 67 append profile ")" 72 append portsandbox_profile ")" 68 73 } 69 append profile ")" 70 return $profile 74 append portsandbox_profile " (allow file-write-data (literal \"/dev/null\"))" 71 75 } -
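Review bot: Each directory is interpolated into the profile without escaping, in both `(subpath \"${dir}\")` and `(regex #\"^${dir}/\")` inside the foreach of portsandbox::set_profile. A path containing a double quote or backslash ends the string literal early, and in the regex branch (os.major <= 9) characters such as `.` or `+` in $workpath are read as metacharacters, so the write allowance can cover other paths than the one intended or fail to match at all. Escape before appending, for example `set qdir [string map {\\ \\\\ \" \\\"} $dir]` for the literal, and put a backslash in front of regex metacharacters in the else branch. An empty $altprefix would also produce an allow rule with an empty path; skipping empty entries in the loop avoids relying on how sandbox-exec treats that, which is not visible here.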
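--- a/trunk/base/src/port1.0/portutil.tcl
+++ b/trunk/base/src/port1.0/portutil.tcl
@@ -1327,4 +1327,5 @@
 set targetname [ditem_key $ditem name]
 set target [ditem_key $ditem provides]
+portsandbox::set_profile $target
 global ${target}.asroot
 if { [tbool ${target}.asroot] } {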