summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZac Medico <zmedico@gentoo.org>2006-03-09 09:54:41 +0000
committerZac Medico <zmedico@gentoo.org>2006-03-09 09:54:41 +0000
commitcb2b98ca60a1d56f293914bfb90d0b3385225095 (patch)
tree65a0e56cd696b675cd3c721a6ab75630cc25f2f4
parentabe1c0d6abd20c3d88db99e825496b0878bbcf03 (diff)
downloadportage-cb2b98ca60a1d56f293914bfb90d0b3385225095.tar.gz
portage-cb2b98ca60a1d56f293914bfb90d0b3385225095.tar.bz2
portage-cb2b98ca60a1d56f293914bfb90d0b3385225095.zip
Add a "sesandbox" flag to the spawn function so that it can handle selinux context for the exec call (prevents code duplication).
svn path=/main/trunk/; revision=2834
-rw-r--r--pym/portage.py44
1 files changed, 20 insertions, 24 deletions
diff --git a/pym/portage.py b/pym/portage.py
index 08187a8c8..937529464 100644
--- a/pym/portage.py
+++ b/pym/portage.py
@@ -1630,7 +1630,7 @@ class config:
# XXX This would be to replace getstatusoutput completely.
# XXX Issue: cannot block execution. Deadlock condition.
-def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,**keywords):
+def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,sesandbox=0,fd_pipes=None,**keywords):
"""spawn a subprocess with optional sandbox protection,
depending on whether sandbox is enabled. The "free" argument,
when set to 1, will disable sandboxing. This allows us to
@@ -1659,14 +1659,20 @@ def spawn(mystring,mysettings,debug=0,free=0,droppriv=0,fd_pipes=None,**keywords
free=((droppriv and "usersandbox" not in features) or \
(not droppriv and "sandbox" not in features and "usersandbox" not in features))
+ if sesandbox:
+ con = selinux.getcontext()
+ con = string.replace(con, mysettings["PORTAGE_T"], mysettings["PORTAGE_SANDBOX_T"])
+ selinux.setexec(con)
+
if not free:
keywords["opt_name"] += " sandbox"
return portage_exec.spawn_sandbox(mystring,env=env,**keywords)
else:
keywords["opt_name"] += " bash"
return portage_exec.spawn_bash(mystring,env=env,**keywords)
-
-
+
+ if sesandbox:
+ selinux.setexec(None)
def fetch(myuris, mysettings, listonly=0, fetchonly=0, locks_in_subdir=".locks",use_locks=1, try_mirrors=1):
"fetch files. Will use digest file if available."
@@ -1949,14 +1955,9 @@ def fetch(myuris, mysettings, listonly=0, fetchonly=0, locks_in_subdir=".locks",
myfetch=string.replace(locfetch,"${URI}",loc)
myfetch=string.replace(myfetch,"${FILE}",myfile)
try:
- if selinux_enabled:
- con=selinux.getcontext()
- con=string.replace(con,mysettings["PORTAGE_T"],mysettings["PORTAGE_FETCH_T"])
- selinux.setexec(con)
- myret=spawn(myfetch,mysettings,free=1, droppriv=("userfetch" in mysettings.features))
- selinux.setexec(None)
- else:
- myret=spawn(myfetch,mysettings,free=1, droppriv=("userfetch" in mysettings.features))
+ myret = spawn(myfetch, mysettings, free=1,
+ droppriv=("userfetch" in mysettings.features),
+ sesandbox=selinux_enabled)
finally:
#if root, -always- set the perms.
if os.path.exists(mysettings["DISTDIR"]+"/"+myfile) and (fetched != 1 or os.getuid() == 0) \
@@ -2372,19 +2373,14 @@ def spawnebuild(mydo,actionmap,mysettings,debug,alwaysdep=0,logfile=None):
mycommand = MISC_SH_BINARY + " dyn_" + mydo
else:
mycommand = EBUILD_SH_BINARY + " " + mydo
- if selinux_enabled and ("sesandbox" in features) and (mydo in ["unpack","compile","test","install"]):
- con=selinux.getcontext()
- con=string.replace(con,mysettings["PORTAGE_T"],mysettings["PORTAGE_SANDBOX_T"])
- selinux.setexec(con)
- retval=spawn(mycommand, mysettings, debug=debug,
- free=actionmap[mydo]["args"][0],
- droppriv=actionmap[mydo]["args"][1],logfile=logfile)
- selinux.setexec(None)
- else:
- retval=spawn(mycommand, mysettings, debug=debug,
- free=actionmap[mydo]["args"][0],
- droppriv=actionmap[mydo]["args"][1],logfile=logfile)
- return retval
+ enable_sesandbox = 0
+ if selinux_enabled and "sesandbox" in features and \
+ mydo in ["unpack","compile","test","install"]:
+ enable_sesandbox=1
+ return spawn(mycommand, mysettings, debug=debug,
+ free=actionmap[mydo]["args"][0],
+ droppriv=actionmap[mydo]["args"][1],
+ sesandbox=enable_sesandbox, logfile=logfile)
# chunked out deps for each phase, so that ebuild binary can use it
# to collapse targets down.