| 1 |
commit: 0a43a1114f05d985cef96402cab1451580a6339b |
| 2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sat Dec 31 12:51:36 2022 +0000 |
| 4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Dec 31 12:52:10 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a43a111 |
| 7 |
|
| 8 |
sys-apps/file: allow faccessat2 syscall in seccomp for sandbox-2.30 |
| 9 |
|
| 10 |
Closes: https://bugs.gentoo.org/889046 |
| 11 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
| 12 |
|
| 13 |
.../{file-5.43-r1.ebuild => file-5.43-r2.ebuild} | 4 ++-- |
| 14 |
.../file/{file-5.44.ebuild => file-5.44-r1.ebuild} | 5 ++-- |
| 15 |
sys-apps/file/file-9999.ebuild | 6 ++--- |
| 16 |
.../file/files/file-5.43-portage-sandbox.patch | 28 ++++++++++++++++++++++ |
| 17 |
.../files/file-5.43-seccomp-fstatat64-musl.patch | 22 +++++++++++++++++ |
| 18 |
sys-apps/file/files/file-5.44-seccomp-utimes.patch | 18 ++++++++++++++ |
| 19 |
6 files changed, 76 insertions(+), 7 deletions(-) |
| 20 |
|
| 21 |
diff --git a/sys-apps/file/file-5.43-r1.ebuild b/sys-apps/file/file-5.43-r2.ebuild |
| 22 |
similarity index 96% |
| 23 |
rename from sys-apps/file/file-5.43-r1.ebuild |
| 24 |
rename to sys-apps/file/file-5.43-r2.ebuild |
| 25 |
index 10bf50a18e4f..610753073aa6 100644 |
| 26 |
--- a/sys-apps/file/file-5.43-r1.ebuild |
| 27 |
+++ b/sys-apps/file/file-5.43-r2.ebuild |
| 28 |
@@ -49,8 +49,8 @@ BDEPEND+=" |
| 29 |
)" |
| 30 |
|
| 31 |
PATCHES=( |
| 32 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
| 33 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 34 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #713710 #728978 |
| 35 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 36 |
"${FILESDIR}/${P}-configure-clang16.patch" |
| 37 |
) |
| 38 |
|
| 39 |
|
| 40 |
diff --git a/sys-apps/file/file-5.44.ebuild b/sys-apps/file/file-5.44-r1.ebuild |
| 41 |
similarity index 95% |
| 42 |
rename from sys-apps/file/file-5.44.ebuild |
| 43 |
rename to sys-apps/file/file-5.44-r1.ebuild |
| 44 |
index 99d5b362b9c5..c29778951f51 100644 |
| 45 |
--- a/sys-apps/file/file-5.44.ebuild |
| 46 |
+++ b/sys-apps/file/file-5.44-r1.ebuild |
| 47 |
@@ -52,9 +52,10 @@ BDEPEND+=" |
| 48 |
)" |
| 49 |
|
| 50 |
PATCHES=( |
| 51 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
| 52 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 53 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 54 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046 |
| 55 |
"${FILESDIR}/file-5.44-limits-solaris.patch" # applied upstream |
| 56 |
+ "${FILESDIR}/file-5.44-seccomp-utimes.patch" # upstream |
| 57 |
) |
| 58 |
|
| 59 |
src_prepare() { |
| 60 |
|
| 61 |
diff --git a/sys-apps/file/file-9999.ebuild b/sys-apps/file/file-9999.ebuild |
| 62 |
index 81f60050024c..c83ce4f71f81 100644 |
| 63 |
--- a/sys-apps/file/file-9999.ebuild |
| 64 |
+++ b/sys-apps/file/file-9999.ebuild |
| 65 |
@@ -18,7 +18,7 @@ else |
| 66 |
SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz" |
| 67 |
SRC_URI+=" verify-sig? ( ftp://ftp.astron.com/pub/file/${P}.tar.gz.asc )" |
| 68 |
|
| 69 |
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
| 70 |
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
| 71 |
|
| 72 |
BDEPEND="verify-sig? ( sec-keys/openpgp-keys-file )" |
| 73 |
fi |
| 74 |
@@ -52,8 +52,8 @@ BDEPEND+=" |
| 75 |
)" |
| 76 |
|
| 77 |
PATCHES=( |
| 78 |
- "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978 |
| 79 |
- "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 80 |
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet |
| 81 |
+ "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046 |
| 82 |
) |
| 83 |
|
| 84 |
src_prepare() { |
| 85 |
|
| 86 |
diff --git a/sys-apps/file/files/file-5.43-portage-sandbox.patch b/sys-apps/file/files/file-5.43-portage-sandbox.patch |
| 87 |
new file mode 100644 |
| 88 |
index 000000000000..f9e715cc366f |
| 89 |
--- /dev/null |
| 90 |
+++ b/sys-apps/file/files/file-5.43-portage-sandbox.patch |
| 91 |
@@ -0,0 +1,28 @@ |
| 92 |
+Allow syscalls for Gentoo's portage sandbox |
| 93 |
+ |
| 94 |
+- Add getcwd (bug #728978) |
| 95 |
+- Add faccessat2 (bug #889046) |
| 96 |
+ |
| 97 |
+Bug: https://bugs.gentoo.org/728978 |
| 98 |
+Bug: https://bugs.gentoo.org/889046 |
| 99 |
+--- a/src/seccomp.c |
| 100 |
++++ b/src/seccomp.c |
| 101 |
+@@ -174,6 +174,9 @@ enable_sandbox_full(void) |
| 102 |
+ ALLOW_RULE(exit_group); |
| 103 |
+ #ifdef __NR_faccessat |
| 104 |
+ ALLOW_RULE(faccessat); |
| 105 |
++#endif |
| 106 |
++#ifdef __NR_faccessat2 |
| 107 |
++ ALLOW_RULE(faccessat2); |
| 108 |
+ #endif |
| 109 |
+ ALLOW_RULE(fcntl); |
| 110 |
+ ALLOW_RULE(fcntl64); |
| 111 |
+@@ -237,6 +240,8 @@ enable_sandbox_full(void) |
| 112 |
+ ALLOW_RULE(write); |
| 113 |
+ ALLOW_RULE(writev); |
| 114 |
+ |
| 115 |
++ // needed by Gentoo's portage sandbox |
| 116 |
++ ALLOW_RULE(getcwd); |
| 117 |
+ |
| 118 |
+ #if 0 |
| 119 |
+ // needed by valgrind |
| 120 |
|
| 121 |
diff --git a/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch |
| 122 |
new file mode 100644 |
| 123 |
index 000000000000..a039882ac8d7 |
| 124 |
--- /dev/null |
| 125 |
+++ b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch |
| 126 |
@@ -0,0 +1,22 @@ |
| 127 |
+From 8c13923a8e17a02be0989649b2edc20124816729 Mon Sep 17 00:00:00 2001 |
| 128 |
+From: Mike Gilbert <floppym@g.o> |
| 129 |
+Date: Tue, 15 Jun 2021 16:08:22 -0400 |
| 130 |
+Subject: [PATCH] seccomp: undef fstatat64 to avoid build failure on musl |
| 131 |
+ |
| 132 |
+sys/stat.h in musl does this: |
| 133 |
+ |
| 134 |
+ #define fstatat64 fstatat |
| 135 |
+ |
| 136 |
+Counteract this with an #undef. |
| 137 |
+ |
| 138 |
+Bug: https://bugs.gentoo.org/789336 |
| 139 |
+--- a/src/seccomp.c |
| 140 |
++++ b/src/seccomp.c |
| 141 |
+@@ -182,6 +182,7 @@ enable_sandbox_full(void) |
| 142 |
+ #endif |
| 143 |
+ ALLOW_RULE(fstat64); |
| 144 |
+ #ifdef __NR_fstatat64 |
| 145 |
++#undef fstatat64 |
| 146 |
+ ALLOW_RULE(fstatat64); |
| 147 |
+ #endif |
| 148 |
+ ALLOW_RULE(futex); |
| 149 |
|
| 150 |
diff --git a/sys-apps/file/files/file-5.44-seccomp-utimes.patch b/sys-apps/file/files/file-5.44-seccomp-utimes.patch |
| 151 |
new file mode 100644 |
| 152 |
index 000000000000..49f1c2e4b739 |
| 153 |
--- /dev/null |
| 154 |
+++ b/sys-apps/file/files/file-5.44-seccomp-utimes.patch |
| 155 |
@@ -0,0 +1,18 @@ |
| 156 |
+https://github.com/file/file/commit/1590a653b520123d47070a47436abfba42d4c943 |
| 157 |
+ |
| 158 |
+From 1590a653b520123d47070a47436abfba42d4c943 Mon Sep 17 00:00:00 2001 |
| 159 |
+From: Christos Zoulas <christos@××××××.com> |
| 160 |
+Date: Mon, 26 Dec 2022 18:57:29 +0000 |
| 161 |
+Subject: [PATCH] PR/408: SpraxDev: Add utimes to the allow list for -p |
| 162 |
+ |
| 163 |
+--- a/src/seccomp.c |
| 164 |
++++ b/src/seccomp.c |
| 165 |
+@@ -233,6 +233,7 @@ enable_sandbox_full(void) |
| 166 |
+ ALLOW_RULE(umask); // Used in file_pipe2file() |
| 167 |
+ ALLOW_RULE(getpid); // Used by glibc in file_pipe2file() |
| 168 |
+ ALLOW_RULE(unlink); |
| 169 |
++ ALLOW_RULE(utimes); |
| 170 |
+ ALLOW_RULE(write); |
| 171 |
+ ALLOW_RULE(writev); |
| 172 |
+ |
| 173 |
+ |
Archives