authorZac Medico <zmedico@gentoo.org>2020-11-10 03:29:48 -0800
committerZac Medico <zmedico@gentoo.org>2020-11-10 03:35:43 -0800
commit9199f894abc83596ae63ebc48a73e0af354d5f40 (patch)
treea7244c45e55ed635af8dd9568ccd86c2fee3cdfa
parentsys-apps/sysvinit: Fixed ${ROOT} check for EAPI-7 (diff)
app-emulation/snapd: 2.47.1-r1 revbump for bug 753695
Add USE=forced-devmode which can be disabled if you would like snapd to panic if its confinement feature detection fails. Bug: https://bugs.gentoo.org/753695 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Zac Medico <zmedico@gentoo.org>
-rw-r--r--app-emulation/snapd/files/README.gentoo9
-rw-r--r--app-emulation/snapd/metadata.xml6
-rw-r--r--app-emulation/snapd/snapd-2.47.1-r1.ebuild (renamed from app-emulation/snapd/snapd-2.47.1.ebuild)12
3 files changed, 24 insertions, 3 deletions
diff --git a/app-emulation/snapd/files/README.gentoo b/app-emulation/snapd/files/README.gentoo
index 331729cb1650..f2e34601802e 100644
--- a/app-emulation/snapd/files/README.gentoo
+++ b/app-emulation/snapd/files/README.gentoo
@@ -1,3 +1,12 @@
+*Security Alert*
+
+Application confinement may be automatically disabled if snapd
+fails to detect the required features. If you would like to disable
+this automatic behavior, causing snapd to panic if its confinement
+feature detection fails, then use this setting in package.use:
+
+ app-emulation/snapd -forced-devmode
+
Use this command to enable the snapd service:
systemctl enable snapd.socket
diff --git a/app-emulation/snapd/metadata.xml b/app-emulation/snapd/metadata.xml
index 8a398ce38f9b..2d641fece55b 100644
--- a/app-emulation/snapd/metadata.xml
+++ b/app-emulation/snapd/metadata.xml
@@ -12,5 +12,11 @@
<flag name="apparmor">
Enable AppArmor support.
</flag>
+ <flag name="cgroup-hybrid">
+ Default to hybrid (legacy) cgroup hierarchy instead of unified (modern).
+ </flag>
+ <flag name="forced-devmode">
+ Automatically disable application confinement if feature detection fails.
+ </flag>
</use>
</pkgmetadata>
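Review bot: The `forced-devmode` description covers only the enabled state; it does not say that the flag is on by default or that disabling it makes snapd panic when detection fails, which is what a user reading the flag list needs in order to choose. Suggested text: `Automatically disable application confinement if feature detection fails (enabled by default). When disabled, snapd panics instead of running snaps unconfined.` The `cgroup-hybrid` flag is added in the same hunk but is not mentioned in the commit message.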
diff --git a/app-emulation/snapd/snapd-2.47.1.ebuild b/app-emulation/snapd/snapd-2.47.1-r1.ebuild
index 1f8706beb542..9abf9d0b4bf6 100644
--- a/app-emulation/snapd/snapd-2.47.1.ebuild
+++ b/app-emulation/snapd/snapd-2.47.1-r1.ebuild
@@ -17,8 +17,8 @@ KEYWORDS="~amd64"
LICENSE="GPL-3 Apache-2.0 BSD BSD-2 LGPL-3-with-linking-exception MIT"
SLOT="0"
-IUSE="apparmor gtk kde systemd"
-REQUIRED_USE="systemd"
+IUSE="apparmor +cgroup-hybrid +forced-devmode gtk kde systemd"
+REQUIRED_USE="!forced-devmode? ( cgroup-hybrid ) systemd"
CONFIG_CHECK="~CGROUPS
~CGROUP_DEVICE
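Review bot: `+forced-devmode` in IUSE makes the fail-open behaviour the default, so a host where feature detection fails still runs snaps unconfined unless the admin opts out, and the only signal is the README text; a comment above IUSE should record why the permissive setting is the default. The REQUIRED_USE line also needs a comment, for example `# -forced-devmode makes snapd panic on cgroupv2 (see src_prepare), so require the hybrid hierarchy`, because the coupling is only visible from the sed expression in a later hunk. The patched condition there is `!apparmorFull || cgroupv2`, yet only the cgroup half is constrained here. If USE=-apparmor means the AppArmor probe can never report full support (not visible in this diff), `-forced-devmode` would panic on every start, and `!forced-devmode? ( apparmor cgroup-hybrid )` would catch that at emerge time instead.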
@@ -40,7 +40,7 @@ RDEPEND="
)
dev-libs/glib
virtual/libudev
- systemd? ( sys-apps/systemd )
+ systemd? ( sys-apps/systemd[cgroup-hybrid(+)?] )
sys-libs/libcap:=
sys-fs/squashfs-tools"
@@ -74,6 +74,12 @@ src_prepare() {
+ "gentoo",
\x20 "manjaro",' | patch "${MY_S}/dirs/dirs.go" || die
+ if ! use forced-devmode; then
+ sed -e 's#return \(!apparmorFull || cgroupv2\)#//\1\n\tif !apparmorFull || cgroupv2 {\n\t\tpanic("USE=forced-devmode is disabled")\n\t}\n\treturn false#' \
+ -i "${MY_S}/sandbox/forcedevmode.go" || die
+ grep -q 'panic("USE=forced-devmode is disabled")' "${MY_S}/sandbox/forcedevmode.go" || die "failed to disable forced-devmode"
+ fi
+
sed -i 's:command -v git >/dev/null:false:' -i "${MY_S}/mkversion.sh" || die
pushd "${MY_S}" >/dev/null || die