From c2a3e929650d327c5f57ec2f646b1cb749d60843 Mon Sep 17 00:00:00 2001 From: Mart Raudsepp Date: Wed, 29 Sep 2021 15:11:13 +0300 Subject: gnome-base/gnome-keyring: drop IUSE=caps for compat with glib-2.70 Always disable libcap-ng dependency. Drop cap_ipc_lock capability setting that was needed for libcap-ng case, but does not work right with glib-2.70 stricter security checks. This unbreaks the dbus service when ran with glib-2.70 or later. This matches what was done in Fedora and Debian for the time being (they had always built with our equivalent of USE=caps) to fix the compatibility. There must be enough memlock limit (RLIMIT_MEMLOCK) for this to work afterwards, however when it doesn't, it fallbacks to arguably less secure malloc (the memory could be swapped out) and doesn't lose actual functionality. This was the case already with larger keyrings, and thus not a security regression in practice. If you want extra security, encrypt your swap. Further technical details were discussed in: https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/77 https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/41 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1862 https://gitlab.gnome.org/GNOME/glib/-/issues/2316 Bug: https://bugs.gentoo.org/815154 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Mart Raudsepp
---
.../gnome-keyring/gnome-keyring-40.0-r1.ebuild | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild (limited to 'gnome-base/gnome-keyring')
diff --git a/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
new file mode 100644
index 000000000000..a6174f16178a
--- /dev/null
+++ b/gnome-base/gnome-keyring/gnome-keyring-40.0-r1.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit gnome2 pam python-any-r1 virtualx
+
+DESCRIPTION="Password and keyring managing daemon"
+HOMEPAGE="https://wiki.gnome.org/Projects/GnomeKeyring"
+
+LICENSE="GPL-2+ LGPL-2+"
+SLOT="0"
+IUSE="pam selinux +ssh-agent test"
+RESTRICT="!test? ( test )"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x86-solaris"
+
+# Replace gkd gpg-agent with pinentry[gnome-keyring] one, bug #547456
+RDEPEND="
+ >=app-crypt/gcr-3.27.90:=[gtk]
+ >=app-crypt/gnupg-2.0.28:=
+ >=app-eselect/eselect-pinentry-0.5
+ app-misc/ca-certificates
+ >=dev-libs/glib-2.44:2
+ >=dev-libs/libgcrypt-1.2.2:0=
+ pam? ( sys-libs/pam )
+ selinux? ( sec-policy/selinux-gnome )
+ ssh-agent? ( net-misc/openssh )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=app-eselect/eselect-pinentry-0.5
+ app-text/docbook-xml-dtd:4.3
+ dev-libs/libxslt
+ >=sys-devel/gettext-0.19.8
+ virtual/pkgconfig
+ test? ( ${PYTHON_DEPS} )
+"
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ # Disable stupid CFLAGS with debug enabled
+ sed -e 's/CFLAGS="$CFLAGS -g"//' \
+ -e 's/CFLAGS="$CFLAGS -O0"//' \
+ -i configure.ac configure || die
+
+ gnome2_src_prepare
+}
+
+src_configure() {
+ gnome2_src_configure \
+ --without-libcap-ng \
+ $(use_enable pam) \
+ $(use_with pam pam-dir $(getpam_mod_dir)) \
+ $(use_enable selinux) \
+ $(use_enable ssh-agent) \
+ --enable-doc
+}
+
+src_test() {
+ # Needs dbus-run-session to not get:
+ # ERROR: test-dbus-search process failed: -6
+ "${BROOT}${GLIB_COMPILE_SCHEMAS}" --allow-any-name "${S}/schema" || die
+ GSETTINGS_SCHEMA_DIR="${S}/schema" virtx dbus-run-session emake check
+}
+
+pkg_postinst() {
+ # cap_ipc_lock only needed if building --with-libcap-ng, but that breaks with glib-2.70
+ # Never install as suid root, this breaks dbus activation, see bug #513870
+ gnome2_pkg_postinst
+
+ if ! [[ $(eselect pinentry show | grep "pinentry-gnome3") ]] ; then
+ ewarn "Please select pinentry-gnome3 as default pinentry provider:"
+ ewarn " # eselect pinentry set pinentry-gnome3"
+ fi
+}
-- cgit v1.2.3-65-gdbad
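Review bot: pkg_postinst warns about the pinentry provider but gives the user no notice of the memory-protection change this revision makes. According to the commit description (the fallback itself is not visible in this hunk), with `--without-libcap-ng` and no cap_ipc_lock the daemon keeps secrets in locked memory only while RLIMIT_MEMLOCK is large enough, and otherwise uses ordinary allocations that can be written to swap. Someone upgrading from a USE=caps build will only find that out by reading the git log, so I would add after `gnome2_pkg_postinst` something like `elog "Without cap_ipc_lock, keyring secrets stay in locked memory only within RLIMIT_MEMLOCK;"` followed by `elog "raise the memlock limit or use encrypted swap if they must not reach disk."`. The existing comment above `gnome2_pkg_postinst` explains why the capability was dropped but not this consequence, so one more clause there would help the next maintainer too.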