diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2021-10-23 21:12:13 -0400 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2021-10-23 21:13:05 -0400 |
| commit | 288877d0e268087dacb4b593202e28f86b6d31d4 (patch) | |
| tree | 159988f5ef1e228e07e054a5cf4a1bce445714ca /sys-apps | |
| parent | dev-python/tzlocal: Keyword 4.0.1 arm64, #818877 (diff) | |
| download | gentoo-288877d0e268087dacb4b593202e28f86b6d31d4.tar.gz gentoo-288877d0e268087dacb4b593202e28f86b6d31d4.tar.bz2 gentoo-288877d0e268087dacb4b593202e28f86b6d31d4.zip | |
sys-apps/sandbox: version bump to 2.27
Add USE=nnp flag to control new NO_NEW_PRIVS behavior. In case things
go horribly wrong, can easily flip the flag off to keep from blowing
everyone up.
Bug: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'sys-apps')
| -rw-r--r-- | sys-apps/sandbox/Manifest | 1 | ||||
| -rw-r--r-- | sys-apps/sandbox/metadata.xml | 3 | ||||
| -rw-r--r-- | sys-apps/sandbox/sandbox-2.27.ebuild | 64 |
3 files changed, 68 insertions, 0 deletions
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest index 121fc4437e1c..744bc206cac1 100644 --- a/sys-apps/sandbox/Manifest +++ b/sys-apps/sandbox/Manifest @@ -1,3 +1,4 @@ DIST sandbox-2.24.tar.xz 438408 BLAKE2B 5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843 SHA512 8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0 DIST sandbox-2.25.tar.xz 436004 BLAKE2B c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c SHA512 4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d DIST sandbox-2.26.tar.xz 444412 BLAKE2B 3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161 SHA512 f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa +DIST sandbox-2.27.tar.xz 448948 BLAKE2B 03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104 SHA512 2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7 diff --git a/sys-apps/sandbox/metadata.xml b/sys-apps/sandbox/metadata.xml index e270f4674f61..11e084f7c9b9 100644 --- a/sys-apps/sandbox/metadata.xml +++ b/sys-apps/sandbox/metadata.xml @@ -5,4 +5,7 @@ <email>sandbox@gentoo.org</email> <name>Sandbox Maintainers</name> </maintainer> +<use> + <flag name="nnp">Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo)</flag> +</use> </pkgmetadata> diff --git a/sys-apps/sandbox/sandbox-2.27.ebuild b/sys-apps/sandbox/sandbox-2.27.ebuild new file mode 100644 index 000000000000..ed70783105b7 --- /dev/null +++ b/sys-apps/sandbox/sandbox-2.27.ebuild @@ -0,0 +1,64 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit flag-o-matic multilib-minimal multiprocessing + +DESCRIPTION="sandbox'd LD_PRELOAD hack" +HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox" +SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="+nnp" + +DEPEND="app-arch/xz-utils + >=app-misc/pax-utils-0.1.19" #265376 +RDEPEND="" + +has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice" + +sandbox_death_notice() { + ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" + ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" +} + +src_prepare() { + default + + if ! use nnp ; then + sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die + fi + + # sandbox uses `__asm__ (".symver "...` which does + # not play well with gcc's LTO: https://gcc.gnu.org/PR48200 + append-flags -fno-lto + append-ldflags -fno-lto +} + +multilib_src_configure() { + filter-lfs-flags #90228 + + ECONF_SOURCE="${S}" econf +} + +multilib_src_test() { + # Default sandbox build will run with --jobs set to # cpus. + # -j1 to prevent test faiures caused by file descriptor + # injection GNU make does. + emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" +} + +multilib_src_install_all() { + doenvd "${FILESDIR}"/09sandbox + + dodoc AUTHORS ChangeLog* README.md +} + +pkg_postinst() { + mkdir -p "${EROOT}"/var/log/sandbox + chown root:portage "${EROOT}"/var/log/sandbox + chmod 0770 "${EROOT}"/var/log/sandbox +} |