On 02/12/2014 01:03 AM, Rich Freeman wrote:
> On Tue, Feb 11, 2014 at 7:39 AM, Michael Palimaka <kensing...@gentoo.org>
> wrote:
>> On 02/11/2014 11:34 PM, Rich Freeman wrote:
>>
>>> One of those ideas I've always wanted to implement is to create a
>>> portage hook/patch that looks at the dependencies for the package
>>> being built and configures sandbox to block read-access to anything
>>> that wasn't explicitly declared. Sandbox works for read-access as
>>> well as write-access, though in /etc/sandbox.d/00default read-access
>>> is enabled everywhere by default.
>>>
>>> And, yes, it could be configured to allow access to @system...
>> That's pretty much what emerge_strict does.
>
> What is emerge_strict? The Google is failing me here...
>
> Rich
>
>
Sorry, I should have clarified. It's provided by autodep, extending the
dependency analysis by denying access to any files not part of the
specified dependencies and @system.
