commit: ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa Author: Zac Medico <zmedico <AT> gentoo <DOT> org> AuthorDate: Fri May 18 03:57:59 2018 +0000 Commit: Zac Medico <zmedico <AT> gentoo <DOT> org> CommitDate: Mon May 21 16:57:42 2018 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=ef99f7e9
preinst_selinux_labels: disable LD_PRELOAD sandbox (bug 655996) Since SELinux does not allow LD_PRELOAD across domain transitions, disable the LD_PRELOAD sandbox for preinst_selinux_labels. Bug: https://bugs.gentoo.org/655996 Tested-by: Jason Zaman <perfinion <AT> gentoo.org> pym/_emerge/EbuildPhase.py | 30 +++++++++++++++++++++++++++++- pym/_emerge/MiscFunctionsProcess.py | 6 +++++- pym/portage/package/ebuild/doebuild.py | 28 +++++++++++++++++++++------- 3 files changed, 55 insertions(+), 9 deletions(-) diff --git a/pym/_emerge/EbuildPhase.py b/pym/_emerge/EbuildPhase.py index 890b17870..d057dc45e 100644 --- a/pym/_emerge/EbuildPhase.py +++ b/pym/_emerge/EbuildPhase.py @@ -13,6 +13,7 @@ from _emerge.MiscFunctionsProcess import MiscFunctionsProcess from _emerge.EbuildProcess import EbuildProcess from _emerge.CompositeTask import CompositeTask from _emerge.PackagePhase import PackagePhase +from _emerge.TaskSequence import TaskSequence from portage.package.ebuild.prepare_build_dirs import (_prepare_workdir, _prepare_fake_distdir, _prepare_fake_filesdir) from portage.util import writemsg @@ -275,7 +276,7 @@ class EbuildPhase(CompositeTask): # when FEATURES=compress-build-logs is enabled. fd, logfile = tempfile.mkstemp() os.close(fd) - post_phase = MiscFunctionsProcess(background=self.background, + post_phase = _PostPhaseCommands(background=self.background, commands=post_phase_cmds, fd_pipes=self.fd_pipes, logfile=logfile, phase=self.phase, scheduler=self.scheduler, settings=settings) @@ -405,3 +406,30 @@ class EbuildPhase(CompositeTask): log_path = self.settings.get("PORTAGE_LOG_FILE") self.scheduler.output(msg, log_path=log_path, background=background) + + +class _PostPhaseCommands(CompositeTask): + + __slots__ = ("commands", "fd_pipes", "logfile", "phase", "settings") + + def _start(self): + if isinstance(self.commands, list): + cmds = [({}, self.commands)] + else: + cmds = list(self.commands) + + if 'selinux' not in self.settings.features: + cmds = [(kwargs, commands) for kwargs, commands in + cmds if not kwargs.get('selinux_only')] + + tasks = TaskSequence() + for kwargs, commands in cmds: + # Select args intended for MiscFunctionsProcess. + kwargs = dict((k, v) for k, v in kwargs.items() + if k in ('ld_preload_sandbox',)) + tasks.add(MiscFunctionsProcess(background=self.background, + commands=commands, fd_pipes=self.fd_pipes, + logfile=self.logfile, phase=self.phase, + scheduler=self.scheduler, settings=self.settings, **kwargs)) + + self._start_task(tasks, self._default_final_exit) diff --git a/pym/_emerge/MiscFunctionsProcess.py b/pym/_emerge/MiscFunctionsProcess.py index 99cf5983f..89fd22635 100644 --- a/pym/_emerge/MiscFunctionsProcess.py +++ b/pym/_emerge/MiscFunctionsProcess.py @@ -13,7 +13,7 @@ class MiscFunctionsProcess(AbstractEbuildProcess): Spawns misc-functions.sh with an existing ebuild environment. """ - __slots__ = ('commands',) + __slots__ = ('commands', 'ld_preload_sandbox') def _start(self): settings = self.settings @@ -29,6 +29,10 @@ class MiscFunctionsProcess(AbstractEbuildProcess): AbstractEbuildProcess._start(self) def _spawn(self, args, **kwargs): + # If self.ld_preload_sandbox is None, default to free=False, + # in alignment with the spawn(free=False) default. + kwargs.setdefault('free', False if self.ld_preload_sandbox is None + else not self.ld_preload_sandbox) if self._dummy_pipe_fd is not None: self.settings["PORTAGE_PIPE_FD"] = str(self._dummy_pipe_fd) diff --git a/pym/portage/package/ebuild/doebuild.py b/pym/portage/package/ebuild/doebuild.py index 31b552ff3..c3b89ade2 100644 --- a/pym/portage/package/ebuild/doebuild.py +++ b/pym/portage/package/ebuild/doebuild.py @@ -1722,13 +1722,27 @@ _post_phase_cmds = { "install_symlink_html_docs", "install_hooks"], - "preinst" : [ - "preinst_sfperms", - "preinst_selinux_labels", - "preinst_suid_scan", - "preinst_qa_check", - ], - + "preinst" : ( + ( + # Since SELinux does not allow LD_PRELOAD across domain transitions, + # disable the LD_PRELOAD sandbox for preinst_selinux_labels. + { + "ld_preload_sandbox": False, + "selinux_only": True, + }, + [ + "preinst_selinux_labels", + ], + ), + ( + {}, + [ + "preinst_sfperms", + "preinst_suid_scan", + "preinst_qa_check", + ], + ), + ), "postinst" : [ "postinst_qa_check"], }
