Running external commands in the metadata phase of exheres/ebuild is obviously a
bad idea because this phase is used to generate caches.

Ciaranm has come up with an idea to generate Sydbox access violations when
execve() family functions are called in the metadata phase. This was rather easy
to implement.

I’ve added two Sydbox magic commands, namely /dev/sydbox/ban_exec and
/dev/sydbox/unban_exec. Writing to the former file sets the flag to ban all
execve() calls and writing to the latter unsets the flag.

A small example looks like:

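/bin/true # This call succeeds.
echo > /dev/sydbox/ban_exec # Set the flag; echo is a builtin, so no execve().
/bin/true # This call fails with EACCES.
echo > /dev/sydbox/unban_exec # Unset the flag.
/bin/true # This call succeeds.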

The last thing to do was to add support to Paludis.
I’ve amended my sydbox support commit and added support to ban execve() calls in the metadata phase.
If you’re using my paludis-sydbox branch, make sure to use sydbox-scm and not
0.1_beta4. I think I’ll release 0.1_beta5 with only this change but I have
school tomorrow and I won’t have internet access for two days.
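
A sketch of how a metadata phase could be wrapped with the two magic commands, added here as an example; it is not Sydbox's or Paludis's own code. The names run_metadata_phase, sydbox_magic and the SYDBOX_MAGIC override are hypothetical, and the check relies on the shell reporting an execve() that failed with EACCES as exit status 126.

```shell
#!/bin/sh
# Added example, not code from Sydbox or Paludis.
# SYDBOX_MAGIC is a hypothetical override so the wrapper can be exercised
# outside Sydbox; under Sydbox the magic files live in /dev/sydbox.
SYDBOX_MAGIC="${SYDBOX_MAGIC:-/dev/sydbox}"

# Write to a magic file using only a shell builtin and a redirection,
# so toggling the flag never needs an execve() of its own. This matters
# for unban_exec, which has to work while the ban is still active.
sydbox_magic() {
    echo > "${SYDBOX_MAGIC}/$1"
}

# run_metadata_phase FUNC [ARGS...]
# Runs the shell function FUNC with execve() banned and always lifts the
# ban afterwards. Returns FUNC's status, or 2 if the flag could not be
# set or unset.
run_metadata_phase() {
    sydbox_magic ban_exec || return 2
    "$@"
    rmp_status=$?
    sydbox_magic unban_exec || return 2
    # 126 means the last command in FUNC was found but could not be
    # executed, which is what a banned execve() (EACCES) looks like.
    if [ "$rmp_status" -eq 126 ]; then
        echo "metadata phase: external command denied (EACCES)" >&2
    fi
    return "$rmp_status"
}
```

Status 126 only surfaces when the denied command is the last one FUNC runs or FUNC propagates its status; the Sydbox access violation itself is reported regardless.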