authorMike Frysinger <vapier@chromium.org>2018-03-05 13:28:50 -0500
committerMike Frysinger <vapier@gentoo.org>2018-03-05 13:32:18 -0500
commit61acdcd13e97339d20c3058a211ee5599831748d (patch)
tree7854a75856d3c898a8ea698799875e1ed7e2936b /sys-apps/sed
parentsys-apps/gawk: add USE=forced-sandbox to always enable --sandbox (diff)
sys-apps/sed: add USE=forced-sandbox to always enable --sandbox
For building locked down systems, it's nice to be able to force all awk scripts into a sane/secure mode.
Diffstat (limited to 'sys-apps/sed')
-rw-r--r--sys-apps/sed/metadata.xml3
-rw-r--r--sys-apps/sed/sed-4.4-r1.ebuild66
2 files changed, 69 insertions, 0 deletions
diff --git a/sys-apps/sed/metadata.xml b/sys-apps/sed/metadata.xml
index b738f8c54a01..ea2a7bdbf75c 100644
--- a/sys-apps/sed/metadata.xml
+++ b/sys-apps/sed/metadata.xml
@@ -8,4 +8,7 @@
<upstream>
<remote-id type="sourceforge">sed</remote-id>
</upstream>
+<use>
+ <flag name="forced-sandbox">Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands)</flag>
+</use>
</pkgmetadata>
diff --git a/sys-apps/sed/sed-4.4-r1.ebuild b/sys-apps/sed/sed-4.4-r1.ebuild
new file mode 100644
index 000000000000..26c3858da53b
--- /dev/null
+++ b/sys-apps/sed/sed-4.4-r1.ebuild
@@ -0,0 +1,66 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Super-useful stream editor"
+HOMEPAGE="http://sed.sourceforge.net/"
+SRC_URI="mirror://gnu/sed/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="acl forced-sandbox nls selinux static"
+
+RDEPEND="acl? ( virtual/acl )
+ nls? ( virtual/libintl )
+ selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+ nls? ( sys-devel/gettext )"
+
+src_bootstrap_sed() {
+ # make sure system-sed works #40786
+ export NO_SYS_SED=""
+ if ! type -p sed > /dev/null ; then
+ NO_SYS_SED="!!!"
+ ./bootstrap.sh || die "couldnt bootstrap"
+ cp sed/sed "${T}"/ || die "couldnt copy"
+ export PATH="${PATH}:${T}"
+ emake clean
+ fi
+}
+
+src_prepare() {
+ # Don't use sed before bootstrap if we have to recover a broken host sed.
+ src_bootstrap_sed
+
+ if use forced-sandbox ; then
+ # Upstream doesn't want to add a configure flag for this.
+ # https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html
+ sed -i \
+ -e '/^bool sandbox = false;/s:false:true:' \
+ sed/sed.c || die
+ # Make sure the sed took.
+ grep -q '^bool sandbox = true;' sed/sed.c || die "forcing sandbox failed"
+ fi
+}
+
+src_configure() {
+ local myconf=()
+ if use userland_GNU; then
+ myconf+=( --exec-prefix="${EPREFIX}" )
+ else
+ myconf+=( --program-prefix=g )
+ fi
+
+ export ac_cv_search_setfilecon=$(usex selinux -lselinux)
+ export ac_cv_header_selinux_{context,selinux}_h=$(usex selinux)
+ use static && append-ldflags -static
+ myconf+=(
+ $(use_enable acl)
+ $(use_enable nls)
+ )
+ econf "${myconf[@]}"
+}
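Review bot: The `grep -q '^bool sandbox = true;'` guard in src_prepare confirms only that sed/sed.c was edited, not that the binary this ebuild installs actually rejects the `e`/`r`/`w` commands, which is the property a locked-down system relies on. A behavioural check on the built binary when the flag is set would close that gap, for example in a src_test override after the default phase: `if use forced-sandbox && echo | ./sed/sed -n '1e true' &>/dev/null ; then die "sandbox not enforced" ; fi` (a constructed check; the in-tree binary path is taken from the `cp sed/sed` line in src_bootstrap_sed). It is also worth confirming that upstream's `make check` still passes with the default flipped, since any test that uses `e`, `r` or `w` would presumably fail under a forced sandbox, and the ebuild defines no src_test to restrict tests for this flag. A short comment above the `sed -i` stating that the edit only flips the compiled-in default, and that each version bump should re-verify that sed.c offers no way to switch sandbox back off at runtime, would document the assumption the flag depends on.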