commit: 0a43a1114f05d985cef96402cab1451580a6339b |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Sat Dec 31 12:51:36 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sat Dec 31 12:52:10 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a43a111 |
|
sys-apps/file: allow faccessat2 syscall in seccomp for sandbox-2.30 |
|
Closes: https://bugs.gentoo.org/889046 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../{file-5.43-r1.ebuild => file-5.43-r2.ebuild} | 4 ++-- |
.../file/{file-5.44.ebuild => file-5.44-r1.ebuild} | 5 ++-- |
sys-apps/file/file-9999.ebuild | 6 ++--- |
.../file/files/file-5.43-portage-sandbox.patch | 28 ++++++++++++++++++++++ |
.../files/file-5.43-seccomp-fstatat64-musl.patch | 22 +++++++++++++++++ |
sys-apps/file/files/file-5.44-seccomp-utimes.patch | 18 ++++++++++++++ |
6 files changed, 76 insertions(+), 7 deletions(-) |
|
diff --git a/sys-apps/file/file-5.43-r1.ebuild b/sys-apps/file/file-5.43-r2.ebuild |
22 |
similarity index 96% |
23 |
rename from sys-apps/file/file-5.43-r1.ebuild |
24 |
rename to sys-apps/file/file-5.43-r2.ebuild |
25 |
index 10bf50a18e4f..610753073aa6 100644 |
26 |
--- a/sys-apps/file/file-5.43-r1.ebuild |
27 |
+++ b/sys-apps/file/file-5.43-r2.ebuild |
28 |
@@ -49,8 +49,8 @@ BDEPEND+=" |
29 |
)" |
30 |
|
31 |
PATCHES=( |
32 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
33 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
34 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #713710 #728978 |
35 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
36 |
"${FILESDIR}/${P}-configure-clang16.patch" |
37 |
) |
38 |
|
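Review bot: The comment on the renamed sandbox patch line still reads `#713710 #728978`, but file-5.43-portage-sandbox.patch now also adds faccessat2 for bug 889046, which is the reason for this revision bump; a maintainer deciding whether the patch can be dropped should see all three, i.e. `"${FILESDIR}/file-5.43-portage-sandbox.patch" #713710 #728978 #889046`. The 5.44 and 9999 ebuilds in the same commit cite only `#889046` on the equivalent line, so the three ebuilds now disagree about which bugs the patch covers; one form should be used everywhere. `"${FILESDIR}/${P}-configure-clang16.patch"` is the only entry with no bug or upstream reference at all, which is worth fixing while the list is being touched.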
39 |
|
40 |
diff --git a/sys-apps/file/file-5.44.ebuild b/sys-apps/file/file-5.44-r1.ebuild |
41 |
similarity index 95% |
42 |
rename from sys-apps/file/file-5.44.ebuild |
43 |
rename to sys-apps/file/file-5.44-r1.ebuild |
44 |
index 99d5b362b9c5..c29778951f51 100644 |
45 |
--- a/sys-apps/file/file-5.44.ebuild |
46 |
+++ b/sys-apps/file/file-5.44-r1.ebuild |
47 |
@@ -52,9 +52,10 @@ BDEPEND+=" |
48 |
)" |
49 |
|
50 |
PATCHES=( |
51 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
52 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
53 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
54 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046 |
55 |
"${FILESDIR}/file-5.44-limits-solaris.patch" # applied upstream |
56 |
+ "${FILESDIR}/file-5.44-seccomp-utimes.patch" # upstream |
57 |
) |
58 |
|
59 |
src_prepare() { |
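Review bot: The new `# upstream` comment on file-5.44-seccomp-utimes.patch is ambiguous next to `# applied upstream` on the line above — it reads as "came from upstream, not yet merged" — and the sandbox patch line now cites only `#889046`, dropping the `#713710 #728978` references the 5.43 ebuild keeps for the very same patch file. Suggest `# applied upstream (1590a653)` for the utimes line (the commit id is in the patch header) and `#713710 #728978 #889046` for the sandbox line. The order of the two Gentoo patches is also swapped relative to 5.43 (fstatat64 now before sandbox); both orders presumably apply with an offset since the hunks touch different parts of seccomp.c, but if the swap was deliberate a short comment would spare the next person from re-deriving that.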
60 |
|
61 |
diff --git a/sys-apps/file/file-9999.ebuild b/sys-apps/file/file-9999.ebuild |
62 |
index 81f60050024c..c83ce4f71f81 100644 |
63 |
--- a/sys-apps/file/file-9999.ebuild |
64 |
+++ b/sys-apps/file/file-9999.ebuild |
65 |
@@ -18,7 +18,7 @@ else |
66 |
SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz" |
67 |
SRC_URI+=" verify-sig? ( ftp://ftp.astron.com/pub/file/${P}.tar.gz.asc )" |
68 |
|
69 |
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
70 |
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
71 |
|
72 |
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-file )" |
73 |
fi |
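Review bot: The first hunk drops `~sparc` from the live ebuild's KEYWORDS, a change unrelated to the faccessat2/seccomp fix in the title that neither the commit message nor the diffstat summary calls out. If the drop is intentional it needs its own justification — a bug reference in the message, or a separate commit — so the keyword loss is not mistaken for an accident when someone bisects a sparc regression later; if it is accidental, restore `~sparc`. The second hunk of this file (PATCHES) mirrors the 5.44 ebuild and raises nothing new.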
74 |
@@ -52,8 +52,8 @@ BDEPEND+=" |
75 |
)" |
76 |
|
77 |
PATCHES=( |
78 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
79 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
80 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
81 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046 |
82 |
) |
83 |
|
84 |
src_prepare() { |
85 |
|
86 |
diff --git a/sys-apps/file/files/file-5.43-portage-sandbox.patch b/sys-apps/file/files/file-5.43-portage-sandbox.patch |
87 |
new file mode 100644 |
88 |
index 000000000000..f9e715cc366f |
89 |
--- /dev/null |
90 |
+++ b/sys-apps/file/files/file-5.43-portage-sandbox.patch |
91 |
@@ -0,0 +1,28 @@ |
92 |
+Allow syscalls for Gentoo's portage sandbox |
93 |
+ |
94 |
+- Add getcwd (bug #728978) |
95 |
+- Add faccessat2 (bug #889046) |
96 |
+ |
97 |
+Bug: https://bugs.gentoo.org/728978 |
98 |
+Bug: https://bugs.gentoo.org/889046 |
99 |
+--- a/src/seccomp.c |
100 |
++++ b/src/seccomp.c |
101 |
+@@ -174,6 +174,9 @@ enable_sandbox_full(void) |
102 |
+ ALLOW_RULE(exit_group); |
103 |
+ #ifdef __NR_faccessat |
104 |
+ ALLOW_RULE(faccessat); |
105 |
++#endif |
106 |
++#ifdef __NR_faccessat2 |
107 |
++ ALLOW_RULE(faccessat2); |
108 |
+ #endif |
109 |
+ ALLOW_RULE(fcntl); |
110 |
+ ALLOW_RULE(fcntl64); |
111 |
+@@ -237,6 +240,8 @@ enable_sandbox_full(void) |
112 |
+ ALLOW_RULE(write); |
113 |
+ ALLOW_RULE(writev); |
114 |
+ |
115 |
++ // needed by Gentoo's portage sandbox |
116 |
++ ALLOW_RULE(getcwd); |
117 |
+ |
118 |
+ #if 0 |
119 |
+ // needed by valgrind |
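Review bot: The new `#ifdef __NR_faccessat2` guard makes the allow rule depend on the kernel headers present at build time, so a build against headers that predate faccessat2 silently omits it, and `file` under the seccomp sandbox would still die with SIGSYS on a libc that routes faccessat() through faccessat2 — presumably the exact failure bug 889046 reports. The guard follows the convention of the surrounding `#ifdef __NR_faccessat` block, so keeping it is reasonable, but it deserves a comment stating the dependency, e.g. `// faccessat2: emitted by newer libcs for faccessat(); only compiled in when the build headers know the syscall` — whether ALLOW_RULE resolves the number through the kernel headers or libseccomp's own table is not visible here and should be checked before wording it more strongly. `ALLOW_RULE(getcwd)` in the second hunk is added unguarded, which matches neighbours like `ALLOW_RULE(write)`, but its comment should say who issues the call, since file itself evidently did not need it before: `// needed by Gentoo's portage sandbox (it calls getcwd from inside the process), bug #728978`. The enclosing enable_sandbox_full() starts and ends outside the hunk.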
120 |
|
121 |
diff --git a/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch |
122 |
new file mode 100644 |
123 |
index 000000000000..a039882ac8d7 |
124 |
--- /dev/null |
125 |
+++ b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch |
126 |
@@ -0,0 +1,22 @@ |
127 |
+From 8c13923a8e17a02be0989649b2edc20124816729 Mon Sep 17 00:00:00 2001 |
128 |
+From: Mike Gilbert <floppym@g.o> |
129 |
+Date: Tue, 15 Jun 2021 16:08:22 -0400 |
130 |
+Subject: [PATCH] seccomp: undef fstatat64 to avoid build failure on musl |
131 |
+ |
132 |
+sys/stat.h in musl does this: |
133 |
+ |
134 |
+ #define fstatat64 fstatat |
135 |
+ |
136 |
+Counteract this with an #undef. |
137 |
+ |
138 |
+Bug: https://bugs.gentoo.org/789336 |
139 |
+--- a/src/seccomp.c |
140 |
++++ b/src/seccomp.c |
141 |
+@@ -182,6 +182,7 @@ enable_sandbox_full(void) |
142 |
+ #endif |
143 |
+ ALLOW_RULE(fstat64); |
144 |
+ #ifdef __NR_fstatat64 |
145 |
++#undef fstatat64 |
146 |
+ ALLOW_RULE(fstatat64); |
147 |
+ #endif |
148 |
+ ALLOW_RULE(futex); |
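Review bot: The `#undef fstatat64` carries no comment, and once the patch is applied the only explanation of why it exists (musl's `#define fstatat64 fstatat` in sys/stat.h rewriting the token in `ALLOW_RULE(fstatat64)`) lives in the patch header, which is gone from the built tree. Suggest `#undef fstatat64 /* musl: sys/stat.h #defines fstatat64 to fstatat, which would rewrite the token inside ALLOW_RULE() */`. Note the undef is not scoped: it stays in effect for the rest of seccomp.c, which is harmless only as long as nothing after this point calls fstatat64() on musl — the rest of the file is not visible here to confirm. enable_sandbox_full() continues outside the hunk.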
149 |
|
150 |
diff --git a/sys-apps/file/files/file-5.44-seccomp-utimes.patch b/sys-apps/file/files/file-5.44-seccomp-utimes.patch |
151 |
new file mode 100644 |
152 |
index 000000000000..49f1c2e4b739 |
153 |
--- /dev/null |
154 |
+++ b/sys-apps/file/files/file-5.44-seccomp-utimes.patch |
155 |
@@ -0,0 +1,18 @@ |
156 |
+https://github.com/file/file/commit/1590a653b520123d47070a47436abfba42d4c943 |
157 |
+ |
158 |
+From 1590a653b520123d47070a47436abfba42d4c943 Mon Sep 17 00:00:00 2001 |
159 |
+From: Christos Zoulas <christos@××××××.com> |
160 |
+Date: Mon, 26 Dec 2022 18:57:29 +0000 |
161 |
+Subject: [PATCH] PR/408: SpraxDev: Add utimes to the allow list for -p |
162 |
+ |
163 |
+--- a/src/seccomp.c |
164 |
++++ b/src/seccomp.c |
165 |
+@@ -233,6 +233,7 @@ enable_sandbox_full(void) |
166 |
+ ALLOW_RULE(umask); // Used in file_pipe2file() |
167 |
+ ALLOW_RULE(getpid); // Used by glibc in file_pipe2file() |
168 |
+ ALLOW_RULE(unlink); |
169 |
++ ALLOW_RULE(utimes); |
170 |
+ ALLOW_RULE(write); |
171 |
+ ALLOW_RULE(writev); |
172 |
+ |
173 |
+ |
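Review bot: `ALLOW_RULE(utimes)` is added with no comment, while the adjacent umask and getpid entries say where they are used; the patch subject only says it is for `-p`, so `ALLOW_RULE(utimes); // Used by -p (preserve file date)` would match the neighbours — the actual caller is not visible here and should be confirmed before naming it. The rule is unguarded, like fcntl64 and fstat64 elsewhere in the list, so on architectures without a utimes syscall it presumably relies on libseccomp tolerating rules for absent syscalls rather than failing; that is pre-existing behaviour, not something this hunk introduces. Since this is a backport of upstream 1590a653, the comment belongs upstream first. enable_sandbox_full() continues outside the hunk.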