From a1a73730bf3367fd7179cb871943a6c91c208db7 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Fri, 15 Nov 2024 11:42:26 +0100
Subject: [PATCH] port1.0: Allow accessing clonebin in trace mode

Access would previously be allowed, too, because these files are not installed by a MacPorts port. They did generate a warning, though, which is not necessary. Adding an explicit whitelist entry silences them.
---
 src/port1.0/port_autoconf.tcl.in | 1 +
 src/port1.0/porttrace.tcl | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/src/port1.0/port_autoconf.tcl.in b/src/port1.0/port_autoconf.tcl.in
index 328c820da6..3cbc735463 100644
--- a/src/port1.0/port_autoconf.tcl.in
+++ b/src/port1.0/port_autoconf.tcl.in
@@ -79,4 +79,5 @@ namespace eval portutil::autoconf {
 variable prefix "@prefix_expanded@"
 variable tcl_package_path "@TCL_PACKAGE_PATH@"
 variable trace_sipworkaround_path "@DARWINTRACE_SIP_WORKAROUND_PATH@"
+ variable clonebin_path "@CLONEBIN_PATH@"
 }
diff --git a/src/port1.0/porttrace.tcl b/src/port1.0/porttrace.tcl
index 1bd0fc767a..daf4866d43 100644
--- a/src/port1.0/porttrace.tcl
+++ b/src/port1.0/porttrace.tcl
@@ -266,6 +266,8 @@ namespace eval porttrace {
 # Grant access to the directory we use to mirror binaries under SIP
 allow trace_sandbox ${portutil::autoconf::trace_sipworkaround_path}
+ # Grant access to MacPorts' clonebin utilities
+ allow trace_sandbox ${portutil::autoconf::clonebin_path}
 # Defer back to MacPorts for dependency checks inside $prefix. This must be at the end,
 # or it'll be used instead of more specific rules.
 ask trace_sandbox $prefix
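Review bot: The `@CLONEBIN_PATH@` placeholder on the added `variable clonebin_path` line is only replaced if configure substitutes that name, and the diffstat lists no configure change in this commit. Presumably the substitution already exists, but it is worth confirming. If it does not, the variable keeps the literal placeholder text and the new sandbox rule in porttrace.tcl is built from that string. A short comment such as `# Directory holding MacPorts' clonebin helpers; allowed in the trace sandbox by porttrace.tcl` would also tell readers why this path is exported. The namespace body starts above the hunk.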
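Review bot: Nothing checks that `clonebin_path` is non-empty before the new `allow trace_sandbox ${portutil::autoconf::clonebin_path}` rule is added, so the scope of this unconditional grant depends entirely on what the configured value expands to. The rule sits ahead of the `ask trace_sandbox $prefix` fallback and so takes precedence over the dependency check for that path. `allow` is defined outside the hunk, so its handling of an empty string can't be seen here; wrapping the call as `if {${portutil::autoconf::clonebin_path} ne ""} { allow trace_sandbox ${portutil::autoconf::clonebin_path} }` would keep a misconfigured build from adding a rule wider than intended. The comment could also carry the rationale from the commit message, e.g. `# clonebin is not installed by a port; allow it explicitly so trace mode does not warn`. The enclosing proc starts and ends outside the hunk.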