author Michał Górny <mgorny@gentoo.org> 2015-01-25 12:25:24 +0100
committer Michał Górny <mgorny@gentoo.org> 2015-02-01 10:06:41 +0100
commit 8fd09dc9a25fb673426340a23794df7f11a44010
tree 58a8d178d75c8da8d5ac3a9b64a0b26b1498ec81 /man/make.conf.5
parent lockfile: handle EINTR for bug #538314
Support escaping network-sandbox through SOCKSv5 proxy

Add a minimal SOCKSv5-over-UNIX-socket proxy to Portage, and start it whenever ebuilds are started with network-sandbox enabled. Pass the socket address in PORTAGE_SOCKS5_PROXY and DISTCC_SOCKS_PROXY variables. The proxy can be used to escape the network sandbox whenever network access is really desired, e.g. in distcc.

The proxy is based on asynchronous I/O using the asyncio module. Therefore, it requires the asyncio module that is built-in in Python 3.4 and available stand-alone for Python 3.3. Escaping the sandbox is not supported with older versions of Python.

The proxy supports connecting to IPv6 & IPv4 TCP hosts. UDP and socket binding are not supported. SOCKSv5 authentication schemes are not supported (UNIX sockets provide a security layer).

Diffstat (limited to 'man/make.conf.5')
-rw-r--r-- man/make.conf.5 7
1 files changed, 7 insertions, 0 deletions
diff --git a/man/make.conf.5 b/man/make.conf.5
index ed5fc7869..84b7191cd 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -436,6 +436,13 @@ from putting 64bit libraries into anything other than (/usr)/lib64.
.B network\-sandbox
Isolate the ebuild phase functions from host network interfaces.
Supported only on Linux. Requires network namespace support in kernel.
+
+If asyncio Python module is available (requires Python 3.3, built-in
+since Python 3.4) Portage will additionally spawn an isolated SOCKSv5
+proxy on UNIX socket. The socket address will be exported
+as PORTAGE_SOCKS5_PROXY and the processes running inside the sandbox
+can use it to access host's network when desired. Portage automatically
+configures new enough distcc to use the proxy.
.TP
.B news
Enable GLEP 42 news support. See
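
Review bot: The added paragraph changes what network-sandbox guarantees without saying so plainly: once the proxy is spawned, any process in the ebuild phase can reach the host's network through the socket named in PORTAGE_SOCKS5_PROXY, so the preceding sentence "Isolate the ebuild phase functions from host network interfaces" only holds for software that does not use the proxy. Suggest stating that explicitly and saying whether the proxy can be turned off while keeping network-sandbox enabled. The commit message also carries details that are missing from this text and belong in the man page: the DISTCC_SOCKS_PROXY variable, the TCP-only scope (no UDP, no socket binding), and the absence of SOCKSv5 authentication. Wording: "If the asyncio Python module is available" and "requires at least Python 3.3" would read better, and "new enough distcc" should name the minimum version.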