authorMart Raudsepp <leio@gentoo.org>2021-09-29 15:11:13 +0300
committerMart Raudsepp <leio@gentoo.org>2021-09-29 15:11:13 +0300
commitc2a3e929650d327c5f57ec2f646b1cb749d60843 (patch)
tree2f410c5a43cace86a894d3f692afef3ad31efb32 /gnome-base/gnome-keyring
parentnet-misc/dropbox: drop old (diff)
gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70
Always disable the libcap-ng dependency. Drop the cap_ipc_lock capability setting that was needed for the libcap-ng case, but does not work right with glib-2.70's stricter security checks. This unbreaks the dbus service when run with glib-2.70 or later. This matches what was done in Fedora and Debian for the time being (they had always built with our equivalent of USE=caps) to fix the compatibility. There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work afterwards; however, when there isn't, it falls back to arguably less secure malloc (the memory could be swapped out) and doesn't lose actual functionality. This was the case already with larger keyrings, and thus not a security regression in practice. If you want extra security, encrypt your swap. Further technical details were discussed in: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77 https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862 https://gitlab.gnome.org/GNOME/glib/-/issues/2316 Bug: https://bugs.gentoo.org/815154 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Mart Raudsepp <leio@gentoo.org>
Diffstat (limited to 'gnome-base/gnome-keyring')
-rw-r--r--gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild79
1 files changed, 79 insertions, 0 deletions
diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
new file mode 100644
index 000000000000..a6174f16178a
--- /dev/null
+++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit gnome2 pam python-any-r1 virtualx
+
+DESCRIPTION="Password and keyring managing daemon"
+HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring"
+
+LICENSE="GPL-2+ LGPL-2+"
+SLOT="0"
+IUSE="pam selinux +ssh-agent test"
+RESTRICT="!test? ( test )"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris"
+
+# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456
+RDEPEND="
+ >=app-crypt/gcr-3.27.90:=[gtk]
+ >=app-crypt/gnupg-2.0.28:=
+ >=app-eselect/eselect-pinentry-0.5
+ app-misc/ca-certificates
+ >=dev-libs/glib-2.44:2
+ >=dev-libs/libgcrypt-1.2.2:0=
+ pam? ( sys-libs/pam )
+ selinux? ( sec-policy/selinux-gnome )
+ ssh-agent? ( net-misc/openssh )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=app-eselect/eselect-pinentry-0.5
+ app-text/docbook-xml-dtd:4.3
+ dev-libs/libxslt
+ >=sys-devel/gettext-0.19.8
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )
+"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ # Disable stupid CFLAGS with debug enabled
+ sed -e 's/CFLAGS="$CFLAGS -g"//' \
+ -e 's/CFLAGS="$CFLAGS -O0"//' \
+ -i configure.ac configure || die
+
+ gnome2_src_prepare
+}
+
+src_configure() {
+ gnome2_src_configure \
+ --without-libcap-ng \
+ $(use_enable pam) \
+ $(use_with pam pam-dir $(getpam_mod_dir)) \
+ $(use_enable selinux) \
+ $(use_enable ssh-agent) \
+ --enable-doc
+}
+
+src_test() {
+ # Needs dbus-run-session to not get:
+ # ERROR: test-dbus-search process failed: -6
+ "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die
+ GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check
+}
+
+pkg_postinst() {
+ # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70
+ # Never install as suid root, this breaks dbus activation, see bug #513870
+ gnome2_pkg_postinst
+
+ if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then
+ ewarn "Please select pinentry-gnome3 as default pinentry provider:"
+ ewarn " # eselect pinentry set pinentry-gnome3"
+ fi
+}
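Review bot: pkg_postinst tells the user nothing about the changed memory-locking behaviour; the only trace is the ebuild comment above `gnome2_pkg_postinst`, which users never see. According to the commit description, the daemon now depends on RLIMIT_MEMLOCK and falls back to swappable malloc memory when the limit is too low, so anyone who relied on the old USE=caps behaviour should be told. I would add, after the pinentry check, something like `elog "gnome-keyring-daemon is no longer given cap_ipc_lock; secrets are only kept out of swap while RLIMIT_MEMLOCK is large enough."` followed by `elog "Raise the memlock limit or use encrypted swap if that matters to you."`. If the message should appear only on upgrades from a caps-enabled revision, it could presumably be gated on REPLACING_VERSIONS, but the previous ebuild is not visible here to confirm the right condition.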