diff options
author | Amadeusz Żołnowski <aidecoe@gentoo.org> | 2016-06-04 19:14:12 +0100 |
---|---|---|
committer | Amadeusz Żołnowski <aidecoe@gentoo.org> | 2016-06-04 19:14:26 +0100 |
commit | 7f01cbdf444491306d2b8557973f16b48d93ff69 (patch) | |
tree | 80104307057af5a121097e644a3422b5190927aa /sys-apps | |
parent | net-wireless/blueman: include polkit rules for network setup, #584300 (diff) | |
download | gentoo-7f01cbdf444491306d2b8557973f16b48d93ff69.tar.gz gentoo-7f01cbdf444491306d2b8557973f16b48d93ff69.tar.bz2 gentoo-7f01cbdf444491306d2b8557973f16b48d93ff69.zip |
sys-apps/firejail: Allow compile time configuration
Networking features and most Linux kernel security features require root
privileges during configuration. Firejail (as a SUID binary) opens the
access to these features therefore it may be desired to turn off some
of the features on compile time.
Bump EAPI to 6. Depend on x11-wm/xpra for X11 sandboxing feature.
Package-Manager: portage-2.3.0_rc1
Diffstat (limited to 'sys-apps')
-rw-r--r-- | sys-apps/firejail/firejail-0.9.40-r1.ebuild | 42 | ||||
-rw-r--r-- | sys-apps/firejail/metadata.xml | 14 |
2 files changed, 56 insertions, 0 deletions
diff --git a/sys-apps/firejail/firejail-0.9.40-r1.ebuild b/sys-apps/firejail/firejail-0.9.40-r1.ebuild new file mode 100644 index 000000000000..778ced4a2038 --- /dev/null +++ b/sys-apps/firejail/firejail-0.9.40-r1.ebuild @@ -0,0 +1,42 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +inherit eutils + +DESCRIPTION="Security sandbox for any type of processes" +HOMEPAGE="https://firejail.wordpress.com/" +SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64" +IUSE="+bind +chroot +file-transfer +network network-restricted +seccomp + +userns x11" + +RDEPEND="x11? ( x11-wm/xpra )" + +PATCHES=( "${FILESDIR}"/${P}-sysmacros.patch ) + +src_prepare() { + default + find -name Makefile.in -exec sed -i -r \ + -e '/CFLAGS/s: (-O2|-ggdb) : :g' \ + -e '1iCC=@CC@' {} + || die +} + +src_configure() { + local myeconfargs=( + $(use_enable bind) + $(use_enable chroot) + $(use_enable file-transfer) + $(use_enable network) + $(use_enable seccomp) + $(use_enable userns) + $(use_enable x11) + ) + use network-restricted && myeconfargs+=( --enable-network=restricted ) + econf "${myeconfargs[@]}" +} diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml index 0b1ef011ca9e..004a53cb064b 100644 --- a/sys-apps/firejail/metadata.xml +++ b/sys-apps/firejail/metadata.xml @@ -16,4 +16,18 @@ <upstream> <remote-id type="sourceforge">firejail</remote-id> </upstream> + <use> + <flag name="bind">Enable custom bind mounts</flag> + <flag name="chroot">Enable chrooting to custom directory</flag> + <flag name="file-transfer">Enable file transfers between sandboxes and + the host system</flag> + <flag name="network">Enable networking features</flag> + <flag name="network-restricted">Grant access to --interface, + --net=ethXXX and --netfilter only to root user; regular users are + only allowed --net=none</flag> + <flag name="seccomp">Enable system call filtering</flag> + <flag name="userns">Enable attaching a new user namespace to a + sandbox (--noroot option)</flag> + <flag name="x11">Enable X11 sandboxing</flag> + </use> </pkgmetadata> |