On Tue, Feb 11, 2014 at 1:56 AM, Michael Palimaka <kensing...@gentoo.org> wrote:
>
> Looks interesting. It reminds me somewhat of autodep[1].
>

Interesting - does this work?  I don't see it in portage.

One of those ideas I've always wanted to implement is to create a
portage hook/patch that looks at the dependencies for the package
being built and configures sandbox to block read-access to anything
that wasn't explicitly declared.  Sandbox works for read-access as
well as write-access, though in /etc/sandbox.d/00default read-access
is enabled everywhere by default.

And, yes, it could be configured to allow access to @system...

Rich
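
Added example, not part of the original message and not portage or sandbox code: a sketch of how the read allowlist described above could be derived from the installed-package CONTENTS files of the declared dependencies and joined into a `SANDBOX_READ` value. The function names, the `SAMPLE_VDB` data and the package `dev-libs/undeclared-1.0` are constructed for illustration; wiring this into an actual portage hook is left out.

```python
import posixpath

# Constructed sample standing in for /var/db/pkg/<cpv>/CONTENTS (hashes are dummies).
SAMPLE_VDB = {
    "sys-libs/zlib-1.2.8": "\n".join([
        "dir /usr",
        "dir /usr/include",
        "obj /usr/include/zlib.h " + "0" * 32 + " 1390000000",
        "sym /usr/lib/libz.so -> libz.so.1.2.8 1390000000",
        "obj /usr/lib/libz.so.1.2.8 " + "0" * 32 + " 1390000000",
    ]),
    "dev-libs/undeclared-1.0":
        "obj /usr/include/undeclared.h " + "0" * 32 + " 1390000000",
}


def readable_paths(contents_text):
    """Yield file paths from one CONTENTS file, skipping 'dir' entries.

    A sandbox path entry covers everything beneath it, so listing a
    directory such as /usr would re-open the whole tree.
    """
    for line in contents_text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "obj":
            # obj <path> <md5> <mtime>; the path itself may contain spaces
            path = rest.rsplit(" ", 2)[0]
        elif kind == "sym":
            # sym <path> -> <target> <mtime>
            path, _, tail = rest.partition(" -> ")
            target = tail.rsplit(" ", 1)[0]
            # reading through the link also touches its target
            yield posixpath.normpath(
                posixpath.join(posixpath.dirname(path), target))
        else:
            continue
        yield path


def sandbox_read(declared, vdb):
    """Build a colon-separated SANDBOX_READ value for the declared deps only."""
    allowed = set()
    for cpv in declared:
        for path in readable_paths(vdb[cpv]):
            if ":" not in path:  # ':' is the list separator
                allowed.add(path)
    return ":".join(sorted(allowed))


if __name__ == "__main__":
    print(sandbox_read(["sys-libs/zlib-1.2.8"], SAMPLE_VDB))
```

Allowing @system, as the message suggests, would amount to adding its packages to `declared`.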
