From 56bd759df1d0c750a065b8c845e93d5dfa6b549d Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Sat, 8 Aug 2015 13:49:04 -0700 Subject: proj/gentoo: Initial commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit represents a new era for Gentoo: Storing the gentoo-x86 tree in Git, as converted from CVS. This commit is the start of the NEW history. Any historical data is intended to be grafted onto this point. Creation process: 1. Take final CVS checkout snapshot 2. Remove ALL ChangeLog* files 3. Transform all Manifests to thin 4. Remove empty Manifests 5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$ 5.1. Do not touch files with -kb/-ko keyword flags. 
Signed-off-by: Robin H. Johnson X-Thanks: Alec Warner - did the GSoC 2006 migration tests X-Thanks: Robin H. Johnson - infra guy, herding this project X-Thanks: Nguyen Thai Ngoc Duy - Former Gentoo developer, wrote Git features for the migration X-Thanks: Brian Harring - wrote much python to improve cvs2svn X-Thanks: Rich Freeman - validation scripts X-Thanks: Patrick Lauer - Gentoo dev, running new 2014 work in migration X-Thanks: Michał Górny - scripts, QA, nagging X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed --- sys-apps/sandbox/Manifest | 5 + .../0001-libsandbox-handle-more-at-functions.patch | 42 +++++ sys-apps/sandbox/files/09sandbox | 1 + .../files/sandbox-1.6-disable-pthread.patch | 37 ++++ .../files/sandbox-1.6-disable-qa-static.patch | 13 ++ .../files/sandbox-2.6-check-empty-paths-at.patch | 201 +++++++++++++++++++++ sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 +++ sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch | 13 ++ sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ++++++ sys-apps/sandbox/files/sandbox-2.6-no-pch.patch | 29 +++ .../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ++++++ .../files/sandbox-2.6-static-close-fd.patch | 93 ++++++++++ .../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 +++ sys-apps/sandbox/metadata.xml | 11 ++ sys-apps/sandbox/sandbox-1.6-r2.ebuild | 104 +++++++++++ sys-apps/sandbox/sandbox-2.3-r1.ebuild | 103 +++++++++++ sys-apps/sandbox/sandbox-2.4.ebuild | 100 ++++++++++ sys-apps/sandbox/sandbox-2.5.ebuild | 117 ++++++++++++ sys-apps/sandbox/sandbox-2.6-r1.ebuild | 131 ++++++++++++++ 19 files changed, 1162 insertions(+) create mode 100644 sys-apps/sandbox/Manifest create mode 100644 sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch create mode 100644 sys-apps/sandbox/files/09sandbox create mode 100644 sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch create mode 100644 sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch create mode 
100644 sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-desktop.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-log-var.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-no-pch.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch create mode 100644 sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch create mode 100644 sys-apps/sandbox/metadata.xml create mode 100644 sys-apps/sandbox/sandbox-1.6-r2.ebuild create mode 100644 sys-apps/sandbox/sandbox-2.3-r1.ebuild create mode 100644 sys-apps/sandbox/sandbox-2.4.ebuild create mode 100644 sys-apps/sandbox/sandbox-2.5.ebuild create mode 100644 sys-apps/sandbox/sandbox-2.6-r1.ebuild (limited to 'sys-apps/sandbox')
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
new file mode 100644
index 000000000000..42aa4b15b3b0
--- /dev/null
+++ b/sys-apps/sandbox/Manifest
@@ -0,0 +1,5 @@
+DIST sandbox-1.6.tar.lzma 307014 SHA256 52cfd286da3d5d51f3b6e012e409e931b21e32b4f2f16ba5677e46328680f4f4 SHA512 f470599a67443fa107612fef1cc73b64b3146003ae21bb5ae5abd852c4c37aec93ac09be646fda9d55d4c3aeef0cf28a42fa675f2acbb53c1d903e400538ba4c WHIRLPOOL 7c7fbe57cc831d0eb7853476e264a85bb8113620948e761563a872d3d55fd3c0ff063332397199001ea9dcb8258f348b827f337b876b2a26f727f10abbc8f712
+DIST sandbox-2.3.tar.xz 344260 SHA256 8670f7508453c2fd300ca29ad2eb457691c3df01c4c22fa27d4a7c880fd291d5 SHA512 06ddaa6dc0822474c263650e95284af6cb69c60c9443b5caaf95af8140283f937d5594849064847fe3a4ad89b29b6ef6d6e909a9b85bb5d7fcf8b427d0e9c7e4 WHIRLPOOL 5d3f45a0bbb1aeffb8c83f8978bea65764aa438a5abcb50c66b5f66232d972bde84013694f6806fcc0026cd6d37420c69655d66ec5984a1c6f71a68dcfc95d11
+DIST sandbox-2.4.tar.xz 344664 SHA256 450599cb3052296d42f81a04dbbda82d220415fc2d16f5dc6e26b042d580fd3e SHA512 c0f8b789bcabd48e03a20a97c9daa82c48f264d7641ecfa51dff7a2d2c34be398cf1db6235eb0211bf0fa78b07bd6e633e06bc102904bf9dd8a95f9fde1ca615 WHIRLPOOL 22f0f55f6e638275781ab5afa29b1a7f5e7f3335a3d2ff37d9fcce0bf9284b271bf1d69b98bcd4b06fdb9ff1528d044f9fb111a58c2a1a5ce33cbe28c0cb869d
+DIST sandbox-2.5.tar.xz 355680 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a SHA512 7b870295bb78c1da5550b650a3983d93e503935a8e8452a29a5c6310cc2c2d569a898ea1534e2c670b4a3e5607504fac55f69da6878e0adc9c2c65a5476b4fb0 WHIRLPOOL 887d36638111b09d77674002c07ebad84c24bc4f645d9fb78e180a6c6e7407eb3fb6857877bc152e0cefb676f01df60b20857b8487ce28ff3e4438aef744fe53
+DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
diff --git a/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch b/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch
new file mode 100644
index 000000000000..09462b7e1b64
--- /dev/null
+++ b/sys-apps/sandbox/files/0001-libsandbox-handle-more-at-functions.patch
@@ -0,0 +1,42 @@
+From 25425878243c5ca1ff21e6f479e585c60b943930 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 30 Mar 2009 19:56:29 -0400
+Subject: [PATCH] libsandbox: handle more *at functions
+
+Add some more *at functions to the main checking code.
+
+URL: http://bugs.gentoo.org/264320
+Signed-off-by: Mike Frysinger
+Reported-by: Harald van Dijk
+---
+ libsandbox/libsandbox.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index 88248af..c3f0b55 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -681,15 +681,20 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
+ sb_nr == SB_NR_CREAT ||
+ sb_nr == SB_NR_CREAT64 ||
+ sb_nr == SB_NR_MKDIR ||
++ sb_nr == SB_NR_MKDIRAT ||
+ sb_nr == SB_NR_MKNOD ||
+ sb_nr == SB_NR_MKNODAT ||
+ sb_nr == SB_NR__XMKNOD ||
+ sb_nr == SB_NR___XMKNOD ||
+ sb_nr == SB_NR___XMKNODAT ||
+ sb_nr == SB_NR_MKFIFO ||
++ sb_nr == SB_NR_MKFIFOAT ||
+ sb_nr == SB_NR_LINK ||
++ sb_nr == SB_NR_LINKAT ||
+ sb_nr == SB_NR_SYMLINK ||
++ sb_nr == SB_NR_SYMLINKAT ||
+ sb_nr == SB_NR_RENAME ||
++ sb_nr == SB_NR_RENAMEAT ||
+ sb_nr == SB_NR_LUTIMES ||
+ sb_nr == SB_NR_UTIMENSAT ||
+ sb_nr == SB_NR_UTIME ||
+--
+1.6.2
+
diff --git a/sys-apps/sandbox/files/09sandbox b/sys-apps/sandbox/files/09sandbox
new file mode 100644
index 000000000000..9181eb068caf
--- /dev/null
+++ b/sys-apps/sandbox/files/09sandbox
@@ -0,0 +1 @@
+CONFIG_PROTECT_MASK="/etc/sandbox.d"
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch
new file mode 100644
index 000000000000..490bc41c0eed
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.6-disable-pthread.patch
@@ -0,0 +1,37 @@
+http://bugs.gentoo.org/263657
+
+disable pthread locks ... this is how stable has always worked, so there
+wont be any regressions ...
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index 034d0e7..595d17f 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -814,9 +814,6 @@
+ return result;
+ }
+
+-/* Need to protect the global sbcontext structure */
+-static pthread_mutex_t sb_syscall_lock = PTHREAD_MUTEX_INITIALIZER;
+-
+ bool before_syscall(int dirfd, int sb_nr, const char *func, const char *file, int flags)
+ {
+ int old_errno = errno;
+@@ -843,8 +840,6 @@
+ file = at_file_buf;
+ }
+
+- pthread_mutex_lock(&sb_syscall_lock);
+-
+ if (!sb_init) {
+ init_context(&sbcontext);
+ sb_init = true;
+@@ -885,8 +880,6 @@
+
+ result = check_syscall(&sbcontext, sb_nr, func, file, flags);
+
+- pthread_mutex_unlock(&sb_syscall_lock);
+-
+ if (0 == result) {
+ if ((NULL != getenv(ENV_SANDBOX_PID)) && (is_env_on(ENV_SANDBOX_ABORT)))
+
diff --git a/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
new file mode 100644
index 000000000000..754ef01968c9
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.6-disable-qa-static.patch
@@ -0,0 +1,13 @@
+sandbox-1.7 traces static apps so disable the qa notice as it just scares
+users ... dont want scary stuff in stable!
+
+--- libsandbox/wrapper-funcs/__wrapper_exec.c
++++ libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -221,7 +221,6 @@
+ if (!FUNCTION_SANDBOX_SAFE(path))
+ return result;
+
+- sb_check_exec(path, argv);
+ }
+ #endif
+
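Review bot: With `sb_syscall_lock` gone, before_syscall() runs `if (!sb_init) { init_context(&sbcontext); sb_init = true;` and `check_syscall(&sbcontext, ...)` on the shared `sbcontext` with no synchronisation, so two threads of one sandboxed process can race on initialisation and on the access decision itself. The deleted `/* Need to protect the global sbcontext structure */` was the only statement of that requirement; leave a comment in its place, e.g. `/* sbcontext is global and unlocked: not safe against concurrent callers, see #263657 */`. The patch header should also name the failure the lock caused instead of only saying stable never had it. before_syscall() starts and ends outside these hunks.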
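Review bot: The header of sandbox-1.6-disable-qa-static.patch calls this disabling a QA notice, but the hunk deletes the whole `sb_check_exec(path, argv);` call and justifies it by what sandbox-1.7 does, while the patch is applied to 1.6. If sb_check_exec() does anything beyond printing (its body is not visible here), that work is lost as well, and an LD_PRELOAD wrapper cannot see into a statically linked program. The header should say so plainly, for example `NOTE: 1.6 does not trace static binaries; with this patch they are no longer reported either.` The enclosing wrapper function starts and ends outside the hunk.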
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
new file mode 100644
index 000000000000..e4dc5290ed50
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
@@ -0,0 +1,201 @@
+From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart
+Signed-off-by: Mike Frysinger
+---
+ libsandbox/wrapper-funcs/__pre_check.c | 2 ++
+ libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
+ libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++-----------
+ libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
+ libsandbox/wrappers.h | 2 ++
+ tests/mkdirat-3.sh | 7 +++++++
+ tests/mkdirat.at | 1 +
+ tests/openat-2.sh | 9 +++++++++
+ tests/openat.at | 1 +
+ tests/unlinkat-4.sh | 7 +++++++
+ tests/unlinkat.at | 1 +
+ 11 files changed, 44 insertions(+), 35 deletions(-)
+ create mode 100755 tests/mkdirat-3.sh
+ create mode 100755 tests/openat-2.sh
+ create mode 100755 tests/unlinkat-4.sh
+
+diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
+index 2d5711f..28ad91f 100644
+--- a/libsandbox/wrapper-funcs/__pre_check.c
++++ b/libsandbox/wrapper-funcs/__pre_check.c
+@@ -20,3 +20,5 @@
+ #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+ # include "unlinkat_pre_check.c"
+ #endif
++
++#include "__pre_at_check.c"
+diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+index 77a65df..0b48d1f 100644
+--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+ save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Then break down any relative/symlink paths */
+ if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index 0127708..5fd5eaa 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ save_errno();
+
+- /* Expand the dirfd path first */
++ /* Check incoming args against common *at issues */
+ char dirfd_path[SB_PATH_MAX];
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Doesn't exist -> skip permission checks */
+ struct stat st;
+diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+index 9f5e7d7..c004d15 100644
+--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+ save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Then break down any relative/symlink paths */
+ if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 5b97787..0aa58bb 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
+ attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len);
+
+ #endif
+--
+1.8.1.2
+
+From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd [missing file]
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+Forgot to `git add` in the previous commit :/.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart
+Signed-off-by: Mike Frysinger
+---
+ libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+ create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
+
+diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
+new file mode 100644
+index 0000000..f72c40c
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/__pre_at_check.c
+@@ -0,0 +1,34 @@
++/*
++ * common *at() pre-checks.
++ *
++ * Copyright 1999-2012 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++/* We assume the parent has nested use with save/restore errno */
++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len)
++{
++ /* the empty path name should fail with ENOENT before any dirfd
++ * checks get a chance to run #346929
++ */
++ if (*pathname && *pathname[0] == '\0') {
++ errno = ENOENT;
++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ }
++
++ /* Expand the dirfd path first */
++ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
++ case -1:
++ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ case 0:
++ *pathname = dirfd_path;
++ break;
++ }
++
++ return true;
++}
+--
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
new file mode 100644
index 000000000000..fbecb0727f97
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
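Review bot: In sb_common_at_pre_check() the guard `if (*pathname && *pathname[0] == '\0')` is correct only because the index is 0: `*pathname[0]` parses as `*(pathname[0])`, which happens to name the same byte as `(*pathname)[0]`, so write `(*pathname)[0] == '\0'` to keep the intent readable and safe against later edits. The guard also lets a NULL `*pathname` through to resolve_dirfd_path() and, on its -1 branch, to the `%s` in `sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: ...")`; whether resolve_dirfd_path() tolerates NULL is not visible here, so either say so in the header comment or log `*pathname ? *pathname : "(null)"`. The header comment could also state that the function sets errno to ENOENT on the empty-path failure and rewrites `*pathname` to point into `dirfd_path` on success.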
@@ -0,0 +1,30 @@
+From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 17 Nov 2012 14:14:26 -0500
+Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+URL: http://bugs.gentoo.org/443672
+Reported-by: Petteri Räty
+Signed-off-by: Mike Frysinger
+---
+ data/sandbox.desktop | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/sandbox.desktop b/data/sandbox.desktop
+index 5b5b576..27a887e 100644
+--- a/data/sandbox.desktop
++++ b/data/sandbox.desktop
+@@ -5,6 +5,6 @@ Type=Application
+ Comment=launch a sandboxed shell ... useful for debugging ebuilds
+ Exec=sandbox
+ TryExec=sandbox
+-Icon=sandbox.svg
++Icon=sandbox
+ Categories=Development;
+ Terminal=true
+--
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch b/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch
new file mode 100644
index 000000000000..fd87d6a272a5
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch
@@ -0,0 +1,13 @@
+fix building w/gcc-5
+
+--- a/libsandbox/Makefile.in
++++ b/libsandbox/Makefile.in
+@@ -68,7 +68,7 @@ sb_nr.h: symbols.h $(SB_NR_FILE)
+
+ TRACE_MAKE_HEADER = \
+ $(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \
+- $(COMPILE) -E -include $(top_srcdir)/headers.h - $$f | \
++ $(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \
+ $(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
+ trace_syscalls.h: $(GEN_TRACE_SCRIPT) Makefile
+ if SB_SCHIZO
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
new file mode 100644
index 000000000000..bfea9e55e288
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
@@ -0,0 +1,51 @@
+From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sun, 3 Mar 2013 05:34:09 -0500
+Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
+
+Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
+with portage. It changed how the sandbox log env var was accessed by
+moving from getenv() to get_sandbox_log(). The latter has path checking
+and will kick out values that contain a slash. That means every time a
+new process starts, a new sandbox log path will be generated, and when a
+program triggers a violation, it'll write to the new file. Meanwhile,
+portage itself watches the original one which never gets updated.
+
+This code has been around forever w/out documentation, and I can't think
+of a reason we need it. So punt it.
+
+Signed-off-by: Mike Frysinger
+---
+ libsbutil/get_sandbox_log.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
+index a79b399..bdb4278 100644
+--- a/libsbutil/get_sandbox_log.c
++++ b/libsbutil/get_sandbox_log.c
+@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
+
+ sandbox_log_env = getenv(env);
+
+- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
+- /* When testing, just use what the env says to */
++ if (sandbox_log_env) {
++ /* If the env is viable, roll with it. We aren't really
++ * about people breaking the security of the sandbox by
++ * exporting SANDBOX_LOG=/dev/null.
++ */
+ strncpy(path, sandbox_log_env, SB_PATH_MAX);
+ } else {
+- /* THIS CHUNK BREAK THINGS BY DOING THIS:
+- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
+- */
+- if ((NULL != sandbox_log_env) &&
+- (NULL != strchr(sandbox_log_env, '/')))
+- sandbox_log_env = NULL;
+-
+ snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
+ SANDBOX_LOG_LOCATION, prefix,
+ (sandbox_log_env == NULL ? "" : sandbox_log_env),
+--
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
new file mode 100644
index 000000000000..fe2274927f43
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
@@ -0,0 +1,29 @@
+gcc crashes when trying to use pch under hardened kernels
+
+http://bugs.gentoo.org/425524
+
+--- Makefile.in
++++ Makefile.in
+@@ -300,7 +300,7 @@
+ src \
+ tests
+
+-SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch
++SANDBOX_PCH =
+ BUILT_SOURCES = $(SANDBOX_PCH)
+ noinst_LTLIBRARIES = libpch.la
+ nodist_libpch_la_SOURCES = $(SANDBOX_PCH)
+@@ -862,10 +862,9 @@
+ $(builddir)/headers.h.gch: headers.h
+ $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP)
+
+-libsbutil: libsbutil/headers.h.gch
+-libsandbox: libsbutil libsandbox/headers.h.gch
+-src: libsbutil headers.h.gch
+-tests: src headers.h.gch
++libsandbox: libsbutil
++src: libsbutil
++tests: src
+
+ ChangeLog:
+ touch ChangeLog
diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
new file mode 100644
index 000000000000..0101ece2c2bc
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
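Review bot: In the sandbox-2.6-log-var.patch hunk, `strncpy(path, sandbox_log_env, SB_PATH_MAX);` is now reached for every process that has the variable set, and strncpy() leaves `path` without a terminating NUL when the value is SB_PATH_MAX bytes or longer (assuming `path` is an SB_PATH_MAX buffer, which the snprintf() in the else branch suggests). The value comes from the environment of whatever is being sandboxed, so bound it the way the else branch does, `snprintf(path, SB_PATH_MAX, "%s", sandbox_log_env);`, or reject over-long values. The new comment reads as if a word is missing ("We aren't really about people breaking ..."); it should state plainly that SANDBOX_LOG is taken on trust and that a sandboxed process can redirect or discard its own violation log, so anything that watches the log, as the commit message says portage does, should not treat it as tamper-proof. _get_sb_log() starts and ends outside the hunk.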
@@ -0,0 +1,54 @@
+From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 24 Dec 2012 18:46:29 -0500
+Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
+
+We don't check for O_NOFOLLOW in the open wrappers, so we end up
+returning the wrong error when operating on broken symlinks.
+
+URL: https://bugs.gentoo.org/413441
+Reported-by: Marien Zwart
+Signed-off-by: Mike Frysinger
+---
+ libsandbox/wrapper-funcs/__64_post.h | 1 +
+ libsandbox/wrapper-funcs/__64_pre.h | 1 +
+ libsandbox/wrapper-funcs/openat_pre_check.c | 2 +-
+ tests/open-2.sh | 10 ++++++++++
+ tests/open.at | 1 +
+ 5 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100755 tests/open-2.sh
+
+diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
+index 2fd2182..82d2a16 100644
+--- a/libsandbox/wrapper-funcs/__64_post.h
++++ b/libsandbox/wrapper-funcs/__64_post.h
+@@ -1,3 +1,4 @@
+ #undef SB64
+ #undef stat
++#undef lstat
+ #undef off_t
+diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
+index 2132110..0b34b25 100644
+--- a/libsandbox/wrapper-funcs/__64_pre.h
++++ b/libsandbox/wrapper-funcs/__64_pre.h
+@@ -1,3 +1,4 @@
+ #define SB64
+ #define stat stat64
++#define lstat lstat64
+ #define off_t off64_t
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index c827ee6..0127708 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ /* Doesn't exist -> skip permission checks */
+ struct stat st;
+- if (-1 == stat(pathname, &st)) {
++ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
+ func, pathname, strerror(errno));
+ return false;
+--
+1.8.1.2
+
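Review bot: The comment `/* Doesn't exist -> skip permission checks */` above the changed test in sb_openat_pre_check() no longer describes it: with O_NOFOLLOW the pre-check examines the link itself through lstat(), so a dangling symlink now counts as existing and execution continues past this early return. Say that in the comment, e.g. `/* Doesn't exist -> skip permission checks; with O_NOFOLLOW look at the link itself, as open() will */`. The two calls inside a ternary are also hard to scan; `int rc = (flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st);` followed by `if (rc == -1) {` reads more clearly. The function starts and ends outside the hunk.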
diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
new file mode 100644
index 000000000000..7fc0972507b4
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
@@ -0,0 +1,93 @@
+From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 23 Jun 2012 11:52:51 -0700
+Subject: [PATCH] libsandbox: clean up open file handles in parent tracing
+ process
+
+Currently, if a non-static app sets up a pipe (with cloexec enabled) and
+executes a static app, the handle to that pipe is left open in the parent
+process. This causes trouble when the parent is waiting for that to be
+closed immediately.
+
+Since none of the fds in the forked parent process matter to us, we can
+just go ahead and clean up all fds before we start tracing the child.
+
+URL: http://bugs.gentoo.org/364877
+Reported-by: Victor Stinner
+Signed-off-by: Mike Frysinger
+---
+ libsandbox/trace.c | 3 +-
+ libsbutil/sb_close.c | 26 +++++++++++-
+ libsbutil/sbutil.h | 1 +
+ tests/Makefile.am | 2 +
+ tests/pipe-fork_static_tst.c | 18 +++++++++
+ tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/script-9.sh | 5 +++
+ tests/script.at | 1 +
+ 8 files changed, 149 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pipe-fork_static_tst.c
+ create mode 100644 tests/pipe-fork_tst.c
+ create mode 100755 tests/script-9.sh
+
+diff --git a/libsandbox/trace.c b/libsandbox/trace.c
+index 32ad2d6..dfbab18 100644
+--- a/libsandbox/trace.c
++++ b/libsandbox/trace.c
+@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[])
+ /* Not all kernel versions support this, so ignore return */
+ ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
+ #endif
++ sb_close_all_fds();
+ trace_loop();
+- return;
++ sb_ebort("ISE: child should have quit, as should we\n");
+ }
+
+ sb_debug("child setting up ...");
+diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c
+index 17a4560..5379197 100644
+--- a/libsbutil/sb_close.c
++++ b/libsbutil/sb_close.c
+@@ -29,3 +29,27 @@ int sb_close(int fd)
+
+ return res;
+ }
++
++/* Quickly close all the open fds (good for daemonization) */
++void sb_close_all_fds(void)
++{
++ DIR *dirp;
++ struct dirent *de;
++ int dfd, fd;
++ const char *fd_dir = sb_get_fd_dir();
++
++ dirp = opendir(fd_dir);
++ if (!dirp)
++ sb_ebort("could not process %s\n", fd_dir);
++ dfd = dirfd(dirp);
++
++ while ((de = readdir(dirp)) != NULL) {
++ if (de->d_name[0] == '.')
++ continue;
++ fd = atoi(de->d_name);
++ if (fd != dfd)
++ close(fd);
++ }
++
++ closedir(dirp);
++}
+diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
+index 02b88cb..479734b 100644
+--- a/libsbutil/sbutil.h
++++ b/libsbutil/sbutil.h
+@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode);
+ size_t sb_read(int fd, void *buf, size_t count);
+ size_t sb_write(int fd, const void *buf, size_t count);
+ int sb_close(int fd);
++void sb_close_all_fds(void);
+ int sb_copy_file_to_fd(const char *file, int ofd);
+
+ /* Reliable output */
+--
+1.8.1.2
+
diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
new file mode 100644
index 000000000000..7e7382286577
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
@@ -0,0 +1,27 @@
+From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Fri, 6 Jul 2012 14:58:16 -0400
+Subject: [PATCH] libsandbox: fix hppa trace code
+
+URL: https://bugs.gentoo.org/425062
+Reported-by: Jeroen Roovers
+Signed-off-by: Mike Frysinger
+---
+ libsandbox/trace/linux/hppa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
+index d23b0d1..5414354 100644
+--- a/libsandbox/trace/linux/hppa.c
++++ b/libsandbox/trace/linux/hppa.c
+@@ -1,5 +1,5 @@
+-#define trace_reg_sysnum (20 * 4) /* PT_GR20 */
+-#define trace_reg_ret (28 * 4) /* PT_GR28 */
++#define trace_reg_sysnum gr[20]
++#define trace_reg_ret gr[28]
+
+ static unsigned long trace_arg(void *vregs, int num)
+ {
+--
+1.7.9.7
+
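Review bot: sb_close_all_fds() turns each directory entry into a descriptor with `fd = atoi(de->d_name);`, and atoi() returns 0 for any name that is not a number, so an unexpected entry in whatever sb_get_fd_dir() returns would close fd 0 instead of being skipped; the loop should parse with strtol() and ignore names that are not entirely digits, as sketched below. The loop also closes descriptors 0, 1 and 2, so the `sb_ebort("ISE: child should have quit, as should we\n")` added after trace_loop() in trace_main(), and any violation report the tracer produces, may have nowhere to go unless the logging path opens its own output, which is not visible in this patch. A one-line comment on the function saying that standard streams are closed too would make that a documented choice rather than a surprise.

```c
	while ((de = readdir(dirp)) != NULL) {
		char *end;
		long n;

		/* … unchanged: skip entries starting with '.' … */
		errno = 0;
		n = strtol(de->d_name, &end, 10);
		if (errno || end == de->d_name || *end != '\0' || n < 0 || n > INT_MAX)
			continue;	/* not a descriptor number: leave it alone */
		if ((int)n != dfd)
			close((int)n);
	}
```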
diff --git a/sys-apps/sandbox/metadata.xml b/sys-apps/sandbox/metadata.xml
new file mode 100644
index 000000000000..9e13eaea5173
--- /dev/null
+++ b/sys-apps/sandbox/metadata.xml
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+ sandbox@gentoo.org
+ Sandbox Maintainers
+
+
diff --git a/sys-apps/sandbox/sandbox-1.6-r2.ebuild b/sys-apps/sandbox/sandbox-1.6-r2.ebuild
new file mode 100644
index 000000000000..c62785bae1c7
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-1.6-r2.ebuild
@@ -0,0 +1,104 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.lzma
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.lzma"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+src_unpack() {
+ unpacker_src_unpack
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-disable-qa-static.patch
+ epatch "${FILESDIR}"/${P}-disable-pthread.patch
+ epatch "${FILESDIR}"/0001-libsandbox-handle-more-at-functions.patch
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ local OABI=${ABI}
+ for ABI in $(get_install_abis) ; do
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf ${myconf} || die
+ einfo "Building sandbox for ABI=${ABI}..."
+ emake || die
+ done
+ ABI=${OABI}
+}
+
+src_test() {
+ local OABI=${ABI}
+ for ABI in $(get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Checking sandbox for ABI=${ABI}..."
+ emake check || die "make check failed for ${ABI}"
+ done
+ ABI=${OABI}
+}
+
+src_install() {
+ local OABI=${ABI}
+ for ABI in $(get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Installing sandbox for ABI=${ABI}..."
+ emake DESTDIR="${D}" install || die "make install failed for ${ABI}"
+ done
+ ABI=${OABI}
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
diff --git a/sys-apps/sandbox/sandbox-2.3-r1.ebuild b/sys-apps/sandbox/sandbox-2.3-r1.ebuild
new file mode 100644
index 000000000000..33880b226e7d
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.3-r1.ebuild
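Review bot: In sandbox-1.6-r2.ebuild the `mkdir "${WORKDIR}/build-${ABI}"` and `cd "${WORKDIR}/build-${ABI}"` calls in src_compile(), and the `cd` calls in src_unpack(), src_test() and src_install(), are unchecked, so a failed directory change lets epatch, econf or emake run in whatever directory was current; append `|| die` to each. `econf ${myconf}` expands a variable this ebuild never sets, so a `myconf` inherited from the calling environment would land on the configure command line of the sandbox itself; drop it or start the function with `local myconf=`. In pkg_preinst(), `elog ${old//${ROOT}}` is unquoted and so undergoes word splitting and globbing before it is logged; write `elog "${old//${ROOT}}"`. The same lines appear in the sandbox-2.3-r1.ebuild hunk that follows.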
@@ -0,0 +1,103 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf ${myconf} || die
+ einfo "Building sandbox for ABI=${ABI}..."
+ emake || die
+ done
+ ABI=${OABI}
+}
+
+src_test() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Checking sandbox for ABI=${ABI}..."
+ emake check || die "make check failed for ${ABI}"
+ done
+ ABI=${OABI}
+}
+
+src_install() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Installing sandbox for ABI=${ABI}..."
+ emake DESTDIR="${D}" install || die "make install failed for ${ABI}"
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+ done
+ ABI=${OABI}
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ # fix 00default install #333131
+ rm "${D}"/etc/sandbox.d/*.in || die
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
diff --git a/sys-apps/sandbox/sandbox-2.4.ebuild b/sys-apps/sandbox/sandbox-2.4.ebuild
new file mode 100644
index 000000000000..ec5de60c3a8b
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.4.ebuild
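Review bot: In sandbox-2.3-r1.ebuild, `src_install` leaves `/var/log/sandbox` as `root:portage` with mode `0770`, and `pkg_preinst` re-applies the same owner and mode with bare `chown`/`chmod` whose result is not checked. A group-writable directory without the sticky bit lets any process in the `portage` group rename or replace a log file created by another writer, which matters if anything more privileged ever writes or reads logs there (the diff does not show who does). Consider `fperms 1770 /var/log/sandbox`, or a comment stating why plain group write is needed, and add `|| die` to the two calls in `pkg_preinst`. The 1.6-r2, 2.4, 2.5 and 2.6-r1 ebuilds carry the same lines.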
@@ -0,0 +1,100 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf ${myconf} || die
+ einfo "Building sandbox for ABI=${ABI}..."
+ emake || die
+ done
+ ABI=${OABI}
+}
+
+src_test() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Checking sandbox for ABI=${ABI}..."
+ emake check || die "make check failed for ${ABI}"
+ done
+ ABI=${OABI}
+}
+
+src_install() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Installing sandbox for ABI=${ABI}..."
+ emake DESTDIR="${D}" install || die "make install failed for ${ABI}"
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+ done
+ ABI=${OABI}
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
diff --git a/sys-apps/sandbox/sandbox-2.5.ebuild b/sys-apps/sandbox/sandbox-2.5.ebuild
new file mode 100644
index 000000000000..1e8271016d4f
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.5.ebuild
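Review bot: In `pkg_preinst` of sandbox-2.4.ebuild, `elog ${old//${ROOT}}` removes every occurrence of `${ROOT}` from the list rather than a leading prefix, so with the usual `ROOT=/` it strips all slashes and the record of which libraries were deleted as root becomes unreadable. The unquoted expansion is also taken as a glob pattern, and the list comes from one `find` while the deletion is done by a second, so what is logged need not be what is removed. Printing the paths unmodified with `elog ${old}` fixes the message; logging from the same pass that deletes (the `rm -fv` output already names each file) would close the gap. The same three lines appear in the 1.6-r2, 2.3-r1, 2.5 and 2.6-r1 ebuilds.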
@@ -0,0 +1,117 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+sb_foreach_abi() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Running $1 for ABI=${ABI}..."
+ "$@"
+ done
+ ABI=${OABI}
+}
+
+sb_configure() {
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf ${myconf} || die
+}
+
+sb_compile() {
+ emake || die
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ # Run configures in parallel!
+ multijob_init
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ multijob_child_init sb_configure
+ done
+ ABI=${OABI}
+ multijob_finish
+
+ sb_foreach_abi sb_compile
+}
+
+sb_test() {
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
+}
+
+src_test() {
+ sb_foreach_abi sb_test
+}
+
+sb_install() {
+ emake DESTDIR="${D}" install || die
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+}
+
+src_install() {
+ sb_foreach_abi sb_install
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
new file mode 100644
index 000000000000..8d23317553c1
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
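Review bot: In `src_compile` of sandbox-2.5.ebuild the per-ABI `sb_configure` jobs are collected by a bare `multijob_finish`, so the parent never checks whether a configure child failed. The `|| die` inside `sb_configure` runs in a forked child, and whether that stops the build depends on how the package manager handles `die` outside the main process. `sb_foreach_abi` then does an unchecked `cd "${WORKDIR}/build-${ABI}"`, so a missing build directory is noticed only indirectly. Suggest `multijob_finish || die "configure failed"` and `cd "${WORKDIR}/build-${ABI}" || die` in `sb_foreach_abi`; the 2.6-r1 ebuild has the same code.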
@@ -0,0 +1,131 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+sb_foreach_abi() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Running $1 for ABI=${ABI}..."
+ "$@"
+ done
+ ABI=${OABI}
+}
+
+src_unpack() {
+ unpacker
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062
+ epatch "${FILESDIR}"/${P}-log-var.patch
+ epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877
+ epatch "${FILESDIR}"/${P}-desktop.patch #443672
+ epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441
+ epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929
+ epatch "${FILESDIR}"/${P}-no-pch.patch #425524
+ epatch "${FILESDIR}"/${P}-gcc-5.patch
+ epatch_user
+}
+
+sb_configure() {
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf ${myconf} || die
+}
+
+sb_compile() {
+ emake || die
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ # Run configures in parallel!
+ multijob_init
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ multijob_child_init sb_configure
+ done
+ ABI=${OABI}
+ multijob_finish
+
+ sb_foreach_abi sb_compile
+}
+
+sb_test() {
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
+}
+
+src_test() {
+ sb_foreach_abi sb_test
+}
+
+sb_install() {
+ emake DESTDIR="${D}" install || die
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+}
+
+src_install() {
+ sb_foreach_abi sb_install
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
-- cgit v1.2.3-65-gdbad
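Review bot: `sb_configure` in sandbox-2.6-r1.ebuild passes `${myconf}` to `econf`, but nothing in the ebuild assigns `myconf`, so its value can only come from the surrounding environment. For the package that confines every other build, configure options that arrive through an undeclared variable are hard to audit. Either drop it, `econf || die`, or declare it explicitly in the function with `local myconf=`. The same `econf ${myconf} || die` line is in `src_compile` of the 1.6-r2, 2.3-r1 and 2.4 ebuilds and in `sb_configure` of 2.5.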