Contributed by jose on from the more-security dept.
this makes our build infrastructure systrace aware original idea from jsyn@, discussed and first tests at c2k3 Warning! - this commit is different from all patches sent around, please remove them before updating - due to a few bugs in systrace this is currently not ready for the casual porter and several ports will fail to build, you've been warned The idea of this patch is to help a porter when developing a new port. With systrace the configure, build and fake stages are not allowed to open network connections or write outside some well defined directories. This way misbehaving programs will be noticed due to logfile entries in /var/log/messages and the port can be fixed. There is generally no need for endusers to use this, as the checksum ensures that ports in the future will behave the same as they did when porting. :) To activate systrace'd port building, set USE_SYSTRACE=Yes (e.g. in /etc/mk.conf)There are some known issues, and a noticable performance hit for some people. However, this should help manage the risk associated with the ports tree and third-party software.
(Comments are closed)