Add --disable-sandbox and DisableSandbox

Signed-off-by: Remi Gacogne <rgacogne@archlinux.org>
Remi Gacogne 2024-05-15 15:36:28 +02:00 committed by Allan McRae
parent eacadbcc41
commit 9f8f94c056
10 changed files with 47 additions and 2 deletions


@ -200,6 +200,10 @@ Options
beginning with `file://`. Any paths or URLs passed as targets will not be beginning with `file://`. Any paths or URLs passed as targets will not be
modified. This allows mounted guest systems to be properly operated on. modified. This allows mounted guest systems to be properly operated on.
*\--disable-sandbox*::
Disable the default sandbox applied to the process downloading files on Linux
systems. Useful if experiencing landlock related failues while downloading
files when running a Linux kernel that does not support this feature.
Transaction Options (apply to '-S', '-R' and '-U') Transaction Options (apply to '-S', '-R' and '-U')
-------------------------------------------------- --------------------------------------------------


@ -211,6 +211,10 @@ Options
Specifies the user to switch to for downloading files. If this config Specifies the user to switch to for downloading files. If this config
option is not set then the downloads are done as the user running pacman. option is not set then the downloads are done as the user running pacman.
*DisableSandbox*::
Disable the default sandbox applied to the process downloading files on Linux
systems. Useful if experiencing landlock related failues while downloading
files when running a Linux kernel that does not support this feature.
Repository Sections Repository Sections
------------------- -------------------


@ -2300,6 +2300,20 @@ int alpm_option_set_parallel_downloads(alpm_handle_t *handle, unsigned int num_s
/* End of parallel_downloads accessors */ /* End of parallel_downloads accessors */
/** @} */ /** @} */
/** @name Accessors for sandbox
*
* By default, libalpm will sandbox the downloader process.
* @{
*/
/** Enables/disables the sandbox.
* @param handle the context handle
* @param disable_sandbox 0 for enabled, 1 for disabled
* @return 0 on success, -1 on error (pm_errno is set accordingly)
*/
int alpm_option_set_disable_sandbox(alpm_handle_t *handle, unsigned short disable_sandbox);
/* End of disable_sandbox accessors */
/** @} */
/* End of libalpm_options */ /* End of libalpm_options */
/** @} */ /** @} */
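Review bot: The doc comment on `alpm_option_set_disable_sandbox` does not say which protection the flag switches off. In the sandbox hunk of this same commit the flag only skips `_alpm_sandbox_fs_restrict_writes_to`, while the `setgid` to the sandbox user's group still runs, so "Enables/disables the sandbox" reads broader than what the code does. I would change the brief to `Enables/disables the filesystem write restriction applied to the downloader process; the switch to the sandbox user is not affected.` The parameter line should also read `@param disable_sandbox 0 for enabled, any non-zero value for disabled`, because the check is `!handle->disable_sandbox` and the setter stores the value as given.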


@ -951,3 +951,11 @@ int SYMEXPORT alpm_option_set_parallel_downloads(alpm_handle_t *handle,
handle->parallel_downloads = num_streams; handle->parallel_downloads = num_streams;
return 0; return 0;
} }
int SYMEXPORT alpm_option_set_disable_sandbox(alpm_handle_t *handle,
unsigned short disable_sandbox)
{
CHECK_HANDLE(handle, return -1);
handle->disable_sandbox = disable_sandbox;
return 0;
}


@ -65,6 +65,7 @@ struct _alpm_handle_t {
#endif #endif
unsigned short disable_dl_timeout; unsigned short disable_dl_timeout;
unsigned short disable_sandbox;
unsigned int parallel_downloads; /* number of download streams */ unsigned int parallel_downloads; /* number of download streams */
#ifdef HAVE_LIBGPGME #ifdef HAVE_LIBGPGME


@ -36,7 +36,7 @@ int SYMEXPORT alpm_sandbox_setup_child(alpm_handle_t *handle, const char* sandbo
ASSERT(sandboxuser != NULL, return -1); ASSERT(sandboxuser != NULL, return -1);
ASSERT(getuid() == 0, return -1); ASSERT(getuid() == 0, return -1);
ASSERT((pw = getpwnam(sandboxuser)), return -1); ASSERT((pw = getpwnam(sandboxuser)), return -1);
if(sandbox_path != NULL) { if(sandbox_path != NULL && !handle->disable_sandbox) {
_alpm_sandbox_fs_restrict_writes_to(handle, sandbox_path); _alpm_sandbox_fs_restrict_writes_to(handle, sandbox_path);
} }
ASSERT(setgid(pw->pw_gid) == 0, return -1); ASSERT(setgid(pw->pw_gid) == 0, return -1);
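Review bot: The new condition dereferences `handle` (`!handle->disable_sandbox`), but none of the ASSERTs visible above it checks the handle. Before this change `handle` was only passed on to `_alpm_sandbox_fs_restrict_writes_to`. If the part of `alpm_sandbox_setup_child` above the hunk has no handle check, add `CHECK_HANDLE(handle, return -1);` ahead of the ASSERTs, as the new setter in this commit does. A one-line comment above the `if` would also help, for example `/* disable_sandbox only skips the filesystem restriction; the uid/gid switch below still applies */`. The function begins and ends outside the hunk.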


@ -629,6 +629,8 @@ static int _parse_options(const char *key, char *value,
config->noprogressbar = 1; config->noprogressbar = 1;
} else if(strcmp(key, "DisableDownloadTimeout") == 0) { } else if(strcmp(key, "DisableDownloadTimeout") == 0) {
config->disable_dl_timeout = 1; config->disable_dl_timeout = 1;
} else if(strcmp(key, "DisableSandbox") == 0) {
config->disable_sandbox = 1;
} else { } else {
pm_printf(ALPM_LOG_WARNING, pm_printf(ALPM_LOG_WARNING,
_("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"), _("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"),
@ -937,6 +939,7 @@ static int setup_libalpm(void)
alpm_option_set_checkspace(handle, config->checkspace); alpm_option_set_checkspace(handle, config->checkspace);
alpm_option_set_usesyslog(handle, config->usesyslog); alpm_option_set_usesyslog(handle, config->usesyslog);
alpm_option_set_sandboxuser(handle, config->sandboxuser); alpm_option_set_sandboxuser(handle, config->sandboxuser);
alpm_option_set_disable_sandbox(handle, config->disable_sandbox);
alpm_option_set_ignorepkgs(handle, config->ignorepkg); alpm_option_set_ignorepkgs(handle, config->ignorepkg);
alpm_option_set_ignoregroups(handle, config->ignoregrp); alpm_option_set_ignoregroups(handle, config->ignoregrp);
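Review bot: Nothing in either hunk records that the download sandbox has been turned off: `_parse_options` sets `config->disable_sandbox = 1` and `setup_libalpm` forwards it without any message. A `DisableSandbox` line in the configuration file removes a protection for every later run, so a log line after the setter call would make that state visible when debugging or auditing, for example `if(config->disable_sandbox) { pm_printf(ALPM_LOG_DEBUG, "download sandbox disabled by configuration\n"); }`. The return value of `alpm_option_set_disable_sandbox` is also dropped here, which matches the neighbouring setter calls but means a failed call leaves the sandbox state unreported. Both functions extend outside the hunks.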


@ -58,6 +58,7 @@ typedef struct __config_t {
unsigned short usesyslog; unsigned short usesyslog;
unsigned short color; unsigned short color;
unsigned short disable_dl_timeout; unsigned short disable_dl_timeout;
unsigned short disable_sandbox;
char *print_format; char *print_format;
/* unfortunately, we have to keep track of paths both here and in the library /* unfortunately, we have to keep track of paths both here and in the library
* because they can come from both the command line or config file, and we * because they can come from both the command line or config file, and we
@ -212,7 +213,8 @@ enum {
OP_DOWNLOADONLY, OP_DOWNLOADONLY,
OP_REFRESH, OP_REFRESH,
OP_ASSUMEINSTALLED, OP_ASSUMEINSTALLED,
OP_DISABLEDLTIMEOUT OP_DISABLEDLTIMEOUT,
OP_DISABLESANDBOX
}; };
/* clean method */ /* clean method */


@ -280,6 +280,7 @@ static void dump_config(void)
show_bool("DisableDownloadTimeout", config->disable_dl_timeout); show_bool("DisableDownloadTimeout", config->disable_dl_timeout);
show_bool("ILoveCandy", config->chomp); show_bool("ILoveCandy", config->chomp);
show_bool("NoProgressBar", config->noprogressbar); show_bool("NoProgressBar", config->noprogressbar);
show_bool("DisableSandbox", config->disable_sandbox);
show_int("ParallelDownloads", config->parallel_downloads); show_int("ParallelDownloads", config->parallel_downloads);
@ -397,6 +398,8 @@ static int list_directives(void)
show_bool("ILoveCandy", config->chomp); show_bool("ILoveCandy", config->chomp);
} else if(strcasecmp(i->data, "NoProgressBar") == 0) { } else if(strcasecmp(i->data, "NoProgressBar") == 0) {
show_bool("NoProgressBar", config->noprogressbar); show_bool("NoProgressBar", config->noprogressbar);
} else if(strcasecmp(i->data, "DisableSandbox") == 0) {
show_bool("DisableSandbox", config->disable_sandbox);
} else if(strcasecmp(i->data, "ParallelDownloads") == 0) { } else if(strcasecmp(i->data, "ParallelDownloads") == 0) {
show_int("ParallelDownloads", config->parallel_downloads); show_int("ParallelDownloads", config->parallel_downloads);


@ -226,6 +226,8 @@ static void usage(int op, const char * const myname)
addlist(_(" --confirm always ask for confirmation\n")); addlist(_(" --confirm always ask for confirmation\n"));
addlist(_(" --disable-download-timeout\n" addlist(_(" --disable-download-timeout\n"
" use relaxed timeouts for download\n")); " use relaxed timeouts for download\n"));
addlist(_(" --disable-sandbox\n"
" disable the sandbox used for the downloader process\n"));
} }
list = alpm_list_msort(list, alpm_list_count(list), options_cmp); list = alpm_list_msort(list, alpm_list_count(list), options_cmp);
for(i = list; i; i = alpm_list_next(i)) { for(i = list; i; i = alpm_list_next(i)) {
@ -490,6 +492,9 @@ static int parsearg_global(int opt)
case OP_DISABLEDLTIMEOUT: case OP_DISABLEDLTIMEOUT:
config->disable_dl_timeout = 1; config->disable_dl_timeout = 1;
break; break;
case OP_DISABLESANDBOX:
config->disable_sandbox = 1;
break;
case OP_VERBOSE: case OP_VERBOSE:
case 'v': case 'v':
(config->verbose)++; (config->verbose)++;
@ -976,6 +981,7 @@ static int parseargs(int argc, char *argv[])
{"dbonly", no_argument, 0, OP_DBONLY}, {"dbonly", no_argument, 0, OP_DBONLY},
{"color", required_argument, 0, OP_COLOR}, {"color", required_argument, 0, OP_COLOR},
{"disable-download-timeout", no_argument, 0, OP_DISABLEDLTIMEOUT}, {"disable-download-timeout", no_argument, 0, OP_DISABLEDLTIMEOUT},
{"disable-sandbox", no_argument, 0, OP_DISABLESANDBOX},
{0, 0, 0, 0} {0, 0, 0, 0}
}; };