Index: bin/ebuild.sh
===================================================================
--- bin/ebuild.sh (revision 13625)
+++ bin/ebuild.sh (working copy)
@@ -6,7 +6,7 @@
 PORTAGE_BIN_PATH="${PORTAGE_BIN_PATH:-/usr/lib/portage/bin}"
 PORTAGE_PYM_PATH="${PORTAGE_PYM_PATH:-/usr/lib/portage/pym}"
-export SANDBOX_PREDICT="${SANDBOX_PREDICT:+${SANDBOX_PREDICT}:}/proc/self/maps:/dev/console:/dev/random"
+export SANDBOX_PREDICT="${SANDBOX_PREDICT:+$SANDBOX_PREDICT:}/proc/self/maps:/dev/console:/dev/random${PORTAGE_GPG_DIR:+:$PORTAGE_GPG_DIR}"
 export SANDBOX_WRITE="${SANDBOX_WRITE:+${SANDBOX_WRITE}:}/dev/shm:/dev/stdout:/dev/stderr:${PORTAGE_TMPDIR}"
 export SANDBOX_READ="${SANDBOX_READ:+${SANDBOX_READ}:}/:/dev/shm:/dev/stdin:${PORTAGE_TMPDIR}"
 # Don't use sandbox's BASH_ENV for new shells because it does
@@ -21,10 +21,6 @@
 unset PORTAGE_ROOTPATH
 fi
-if [ ! -z "${PORTAGE_GPG_DIR}" ]; then
- SANDBOX_PREDICT="${SANDBOX_PREDICT}:${PORTAGE_GPG_DIR}"
-fi
-
 # These two functions wrap sourcing and calling respectively. At present they
 # perform a qa check to make sure eclasses and ebuilds and profiles don't mess
 # with shell opts (shopts). Ebuilds/eclasses changing shopts should reset them
@@ -86,13 +82,10 @@
 [[ $PORTAGE_QUIET != "" ]] && export PORTAGE_QUIET
-# the sandbox is disabled by default except when overridden in the relevant stages
-export SANDBOX_ON="0"
-
 # sandbox support functions; defined prior to profile.bashrc srcing, since the profile might need to add a default exception (/usr/lib64/conftest fex)
 _sb_append_var() {
- local _v=$1 ; shift
- local var="SANDBOX_${_v}"
+ local _v=$1 var="SANDBOX_$1"
+ shift
 [[ -z $1 || -n $2 ]] && die "Usage: add$(echo ${_v} | \
 LC_ALL=C tr [:upper:] [:lower:]) "
 export ${var}="${!var:+${!var}:}$1"
@@ -105,6 +98,56 @@
 adddeny() { _sb_append_var DENY "$@" ; }
 addpredict() { _sb_append_var PREDICT "$@" ; }
+declare -i SANDBOX_ON PORTAGE_SANDBOX_N=0
+PORTAGE_SANDBOX_ON=()
+_sbPush() {
+ PORTAGE_SANDBOX_ON[PORTAGE_SANDBOX_N++]=$SANDBOX_ON
+ if (($1)); then _sbOn; else _sbOff; fi
+}
+_sbPop() {
+ ((PORTAGE_SANDBOX_N)) || die '[sandbox] pop mismatch'
+ if ((${PORTAGE_SANDBOX_ON[PORTAGE_SANDBOX_N]})); then _sbOn; else _sbOff; fi
+ unset 'PORTAGE_SANDBOX_ON[--PORTAGE_SANDBOX_N]'
+}
+_sbOn() { export SANDBOX_ON=1; }
+_sbOff() { export SANDBOX_ON=0; }
+
+if hasq sydbox $FEATURES; then
+echo -n '' >/dev/sydbox/exec_lock \
+ || die '[FEATURES=sydbox] Unable to write to /dev/sydbox/exec_lock'
+_sbOn() {
+ ((SANDBOX_ON)) && return
+ SANDBOX_ON=1
+ :>/dev/sydbox/on
+}
+_sbOff() {
+ ((SANDBOX_ON)) || [[ $1 ]] || return 0
+ SANDBOX_ON=0
+ :>/dev/sydbox/off
+}
+addwrite() {
+ _sb_append_var WRITE "$@"
+ local f
+ for f; do
+ :> "/dev/sydbox/write/$f"
+ done
+}
+addpredict() {
+ _sb_append_var PREDICT "$@"
+ local f
+ for f; do
+ :> "/dev/sydbox/predict/$f"
+ done
+}
+# better: declare -r oIFS=$IFS
+oIFS=$IFS; IFS=:
+addpredict $SANDBOX_PREDICT
+addwrite $SANDBOX_WRITE
+IFS=$oIFS; unset oIFS
+fi
+# the sandbox is disabled by default except when overridden in the relevant stages
+_sbOff -f
+
 lchown() {
 chown -h "$@"
 }
@@ -954,6 +997,7 @@
 ewarn "Skipping make test/check due to ebuild restriction."
 vecho ">>> Test phase [explicitly disabled]: ${CATEGORY}/${PF}"
 else
+ # TODO save/restore for sydbox, zmedico?
 local save_sp=${SANDBOX_PREDICT}
 addpredict /
 [ -n "$EBUILD_PHASE" ] && rm -f "$T/logging/$EBUILD_PHASE"
@@ -1673,7 +1717,7 @@
 # called. Any variables that need to be relied upon should already be
 # filtered out above.
 (
- export SANDBOX_ON=1
+ _sbOn
 source "${T}/environment" || exit $?
 # We have to temporarily disable sandbox since the
 # SANDBOX_{DENY,READ,PREDICT,WRITE} values we've just loaded
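Review bot: `_sbPop` reads the wrong stack slot: `_sbPush` stores at `PORTAGE_SANDBOX_N++`, so the most recent entry lives at index `PORTAGE_SANDBOX_N-1`, but the `if ((${PORTAGE_SANDBOX_ON[PORTAGE_SANDBOX_N]}))` test looks one past it, expands to empty (0), and therefore always calls `_sbOff`, while the following `unset 'PORTAGE_SANDBOX_ON[--PORTAGE_SANDBOX_N]'` discards the correct element. A one-line fix is `if ((${PORTAGE_SANDBOX_ON[PORTAGE_SANDBOX_N-1]})); then _sbOn; else _sbOff; fi`, leaving the mismatch check and the unset as they are. Separately, the sydbox redefinitions of `_sbOn`/`_sbOff` assign `SANDBOX_ON=1`/`SANDBOX_ON=0` without `export`, unlike the default pair above them; if anything ebuild.sh forks still reads `SANDBOX_ON` from its environment, that value will be stale under FEATURES=sydbox unless it was already exported by the caller — worth either adding `export` or a comment saying why it is not needed.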
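Review bot: The TODO should say what is actually at stake: under FEATURES=sydbox the `addpredict /` on the next line also does `:> /dev/sydbox/predict//`, and restoring `SANDBOX_PREDICT` from `save_sp` later (outside this hunk) only resets the shell variable, so nothing in this patch revokes the blanket predict rule once the test phase has finished. Suggested wording: `# TODO: under sydbox, addpredict / is also written to /dev/sydbox/predict/ and is not revoked when SANDBOX_PREDICT is restored from save_sp`. The enclosing function starts and ends outside the hunk.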
@@ -1710,7 +1754,7 @@
 # === === === === === functions end, main part begins === === === === ===
 # === === === === === === === === === === === === === === === === === ===
-export SANDBOX_ON="1"
+_sbOn
 export S=${WORKDIR}/${P}
 unset E_IUSE E_DEPEND E_RDEPEND E_PDEPEND
@@ -1778,31 +1822,45 @@
 for x in SANDBOX_DENY SANDBOX_READ SANDBOX_PREDICT SANDBOX_WRITE ; do
 export PORTAGE_${x}=${!x}
 done
- PORTAGE_SANDBOX_ON=${SANDBOX_ON}
- export SANDBOX_ON=1
 source "${T}"/environment || \
 die "error sourcing environment"
 # We have to temporarily disable sandbox since the
 # SANDBOX_{DENY,READ,PREDICT,WRITE} values we've just loaded
 # may be unusable (triggering in spurious sandbox violations)
 # until we've merged them with our current values.
- export SANDBOX_ON=0
+ if hasq sydbox $FEATURES; then
+ _sbPush $SANDBOX_ON
+ z=1
+ else _sbPush 0
+ z=0
+ fi
+ oIFS=$IFS
 for x in SANDBOX_DENY SANDBOX_PREDICT SANDBOX_READ SANDBOX_WRITE ; do
- y="PORTAGE_${x}"
- if [ -z "${!x}" ] ; then
- export ${x}=${!y}
- elif [ -n "${!y}" ] && [ "${!y}" != "${!x}" ] ; then
- # filter out dupes
- export ${x}=$(printf "${!y}:${!x}" | tr ":" "\0" | \
- sort -z -u | tr "\0" ":")
+ y=PORTAGE_$x
+ if [[ -z ${!x} ]]; then
+ export $x=${!y%:}
+ elif [[ ${!y} && ${!y} != "${!x}" ]] ; then
+ # merge in new ones
+ t=${!y}
+ IFS=:; u=(${!x}); IFS=$oIFS
+ for v in "${u[@]}"; do
+ [[ :$t: = *:"$v":* ]] && continue
+ t+=:$v
+ ((z)) || continue
+ case $x in
+ SANDBOX_WRITE) :> "/dev/sydbox/write/$v"
+ ;; SANDBOX_PREDICT) :> "/dev/sydbox/predict/$v"
+ ;; esac
+ done
+ export $x=${t%:}
+ else export $x
 fi
- export ${x}=${!x%:}
- unset PORTAGE_${x}
+ unset $y
 done
- unset x y
- export SANDBOX_ON=${PORTAGE_SANDBOX_ON}
- unset PORTAGE_SANDBOX_ON
- [[ -n $EAPI ]] || EAPI=0
+ _sbPop
+ unset t u v x y z oIFS
+# unset PORTAGE_SANDBOX_ON
+ : "Using EAPI ${EAPI:=0}"
 fi
 _source_ebuild() {
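Review bot: `IFS=:; u=(${!x}); IFS=$oIFS` splits the unquoted expansion with pathname expansion still enabled (unless noglob is already in effect here), so a SANDBOX_* entry containing `*`, `?` or `[` would be glob-expanded against the build host's filesystem before it is compared and, under sydbox, written to `/dev/sydbox/write/` or `/dev/sydbox/predict/`; the same applies to `addpredict $SANDBOX_PREDICT` / `addwrite $SANDBOX_WRITE` in the `@@ -105` hunk. Bracketing the split with `set -f` … `set +f` keeps the entries literal. Two smaller points in the same hunk: the new `else export $x` branch no longer strips a trailing `:` the way the removed `export ${x}=${!x%:}` did for every case, and the commented-out `# unset PORTAGE_SANDBOX_ON` should either go or say why the array must survive, e.g. `# PORTAGE_SANDBOX_ON is the _sbPush/_sbPop stack; do not unset it`. The `if` block this merge sits in starts outside the hunk.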
@@ -1962,7 +2020,7 @@
 ! declare -F "pkg_$EBUILD_SH_ARGS" >/dev/null ; then
 ewarn "pkg_${EBUILD_SH_ARGS}() is not defined: '${EBUILD##*/}'"
 fi
- export SANDBOX_ON="0"
+ _sbOff
 if [ "${PORTAGE_DEBUG}" != "1" ] || [ "${-/x/}" != "$-" ]; then
 ebuild_phase_with_hooks pkg_${EBUILD_SH_ARGS}
 else
@@ -1980,9 +2038,9 @@
 ;;
 unpack|prepare|configure|compile|test|clean|install)
 if [[ ${SANDBOX_DISABLED:-0} = 0 ]] ; then
- export SANDBOX_ON="1"
+ _sbOn
 else
- export SANDBOX_ON="0"
+ _sbOff
 fi
 case "$EBUILD_SH_ARGS" in
@@ -1993,9 +2051,10 @@
 [[ ${!x-unset} != unset ]] && export $x
 done
- hasq distcc $FEATURES && [[ -n $DISTCC_DIR ]] && \
- [[ ${SANDBOX_WRITE/$DISTCC_DIR} = $SANDBOX_WRITE ]] && \
- addwrite "$DISTCC_DIR"
+ if hasq distcc $FEATURES
+ && [[ $DISTCC_DIR && :$SANDBOX_WRITE: != *":$DISTCC_DIR:"* ]]
+ then addwrite "$DISTCC_DIR"
+ fi
 x=LIBDIR_$ABI
 [ -z "$PKG_CONFIG_PATH" -a -n "$ABI" -a -n "${!x}" ] && \
@@ -2051,13 +2110,13 @@
 dyn_${EBUILD_SH_ARGS}
 set +x
 fi
- export SANDBOX_ON="0"
+ _sbOff
 ;;
 help|setup|preinst)
 #pkg_setup needs to be out of the sandbox for tmp file creation;
 #for example, awking and piping a file in /tmp requires a temp file to be created
 #in /etc. If pkg_setup is in the sandbox, both our lilo and apache ebuilds break.
- export SANDBOX_ON="0"
+ _sbOff
 if [ "${PORTAGE_DEBUG}" != "1" ] || [ "${-/x/}" != "$-" ]; then
 dyn_${EBUILD_SH_ARGS}
 else
@@ -2067,7 +2126,7 @@
 fi
 ;;
 depend)
- export SANDBOX_ON="0"
+ _sbOff
 set -f
 if [ -n "${dbkey}" ] ; then
@@ -2102,7 +2161,7 @@
 set +f
 ;;
 *)
- export SANDBOX_ON="1"
+ _sbOn
 echo "Unrecognized EBUILD_SH_ARGS: '${EBUILD_SH_ARGS}'"
 echo
 dyn_help
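Review bot: The new distcc test in the `@@ -1993` hunk is a bash syntax error as written: the newline ends the `if hasq distcc $FEATURES` list, so the next line starting with `&& [[` is an unexpected token and bash aborts while parsing the enclosing `case` (unless a trailing `\` was lost in transit). Move the operator to the end of the first line, where it continues the list without a backslash: `if hasq distcc $FEATURES &&` followed by `[[ $DISTCC_DIR && :$SANDBOX_WRITE: != *":$DISTCC_DIR:"* ]]; then`. The exact-element match this introduces is an improvement over the removed substring check; the `case` arm it sits in starts and ends outside the hunk.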