1 |
commit: 1452587eeadccfe5e58bde990d67f6447bbddb33 |
2 |
Author: Jory A. Pratt <anarchy <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Sep 1 18:01:04 2013 +0000 |
4 |
Commit: Jory Pratt <anarchy <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Sep 1 18:01:04 2013 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=commit;h=1452587e |
7 |
|
8 |
Add pch useflag to sandbox-2.6 for hardened support |
9 |
|
10 |
--- |
11 |
sys-apps/sandbox/Manifest | 10 + |
12 |
sys-apps/sandbox/files/09sandbox | 1 + |
13 |
.../files/sandbox-2.6-check-empty-paths-at.patch | 201 +++++++++++++++++++++ |
14 |
sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 +++ |
15 |
.../sandbox/files/sandbox-2.6-hardened-pch.patch | 88 +++++++++ |
16 |
sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ++++++ |
17 |
.../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ++++++ |
18 |
.../files/sandbox-2.6-static-close-fd.patch | 93 ++++++++++ |
19 |
.../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 +++ |
20 |
sys-apps/sandbox/sandbox-2.6-r1.ebuild | 132 ++++++++++++++ |
21 |
10 files changed, 687 insertions(+) |
22 |
|
23 |
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest |
24 |
new file mode 100644 |
25 |
index 0000000..33c0d48 |
26 |
--- /dev/null |
27 |
+++ b/sys-apps/sandbox/Manifest |
28 |
@@ -0,0 +1,10 @@ |
29 |
+AUX 09sandbox 37 SHA256 73e9e9d12ba54f1c649813ec86107924050528852c890a8ba1e2853796781bbe SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a WHIRLPOOL 80d55a34d3faf3314f2b9de2200d4b46a800128514be9e30eb59e5f03fb7a0a5197a9e5b5ab33d6b68d35bf83c86a1bd7ba734a33ccd382fe0af3b2c2a11d0bd |
30 |
+AUX sandbox-2.6-check-empty-paths-at.patch 7454 SHA256 a48759a4d3e9a70713473b6fad59bdd750b5cd37e7d632c786205ff20004ae2c SHA512 5eba7915dedf57f44c37881e9c6b48db8733d1493779a33127d08bb9ea77056d788ec9ace72c13eb101f42f01c95309c7cebca6c76212a8c99a8655372c0b7d7 WHIRLPOOL 46eb3a8ef8f22030cd793f3b16adc190b5750019c0df83e161c6918f08555a8ad890c1425b03cbf7e53ebcd34a07a9dd9b594d0c0fe31834656ffce3d58fa284 |
31 |
+AUX sandbox-2.6-desktop.patch 875 SHA256 2eecf67790aeac210f9aa899a86f7664776ed65d9b55159e1b359162dfb9ff74 SHA512 b72ec7f414d19bf513dfb1aea10523fa5dc07a1375d8f08f664d204b64b23c891a79ca14987528c595936f441e1f595b366aabbc57313667c7639d73d089ed9a WHIRLPOOL 7f787b8be9b5712eb2b2a0cd2ff825df1045ebf1cc4e73a50f610e620d30752045690a5c28835465d0ab0c3c4a9eaf8b92a5c123cd741ad69dfedb31aa457fa0 |
32 |
+AUX sandbox-2.6-hardened-pch.patch 2615 SHA256 b24500876b595dcaee46e23dffedc50729ce7af1c7fbfce9cead2cd7a8566ff3 SHA512 439f78d0261996a648053f3b34a9fa34eb0d145862136769a3d448f5314be76046d02a0bcce8fd9cfb59d82fdafe79653c182d104f98c4b51be2c08ce835c8bd WHIRLPOOL 8221650ad746161af71a1b1f5f041a5696b4168d2c1fd3fb1997ba0464ef14de50592d9dd4ecc6981f812ae50e4d2c18c138a40bcdcce1b7f6d5b84f711211a6 |
33 |
+AUX sandbox-2.6-log-var.patch 2039 SHA256 f464a29cdd9de0c510277310f4febc8f96515ff2ff03fc92df1c75b9cbd75619 SHA512 cf6f900b4078eff5870b63b2bc7c81c5b00488e030d7e9ce3007693e9d1339ac6201ddacfaff552c6c9b99b6d32383229133c80190404b7e4fde06ad376b2050 WHIRLPOOL db99737a6567788194f7b37b12b92fcfb4c263df40f40aef9e0a3ef2b6a1523331313b791fffa2b26775b646795364ab1db1711eb4329cda3337df27aebfeffa |
34 |
+AUX sandbox-2.6-open-nofollow.patch 2027 SHA256 c8816ae4e1991f9941abd43ec4bfdbf4e99cf36ee90694f77ab88754c53785ce SHA512 dd5222f32a40def38c9719363a24c48d5b112e3560b44c5f32afc3daa0614fe9bc5cb68ca8ac69032cc8d6299f09b25d4d7c72e16892188b42768ffb28c19f07 WHIRLPOOL 03cb5fb9df04a8d7f92855c292a6c431d01d330fecae198f2c4b95d824454f10ce1ad66db1a9d54d1bef5f74989cf6debb2d98de28ee0c2c6a09c1a0752b5519 |
35 |
+AUX sandbox-2.6-static-close-fd.patch 2945 SHA256 807eb4dc1ba6543c94a90a9a53bb89f42079ea20ed7c196f82d65f280e5de96a SHA512 e2f57c4d80816241f3ba4828c2b27c67d1d604b14b2d575888a978e5c4e8e47e60e3a609d81e59c615bc5b7cee6194cc362e255ae8508f632862a35180c30de8 WHIRLPOOL e08f60227fe954894d3a3a01297e9988f4d7722ea75ffbd2b0f3971d38c8ce00af230fcaecb1f53243a868d54f48bb680e2d547bbeb2ee3e5a11f8942d2084fd |
36 |
+AUX sandbox-2.6-trace-hppa.patch 850 SHA256 20688b2f33162f95af4af5e3c7d3700f2e7776e454b785ac1398f0870f84efa9 SHA512 fb7bf2202f960e952edc1e52fe4b6b085042158223d96b9baa899e871abcdef711ede3122c971120f55f71cc1aad71496a6079222dbaaa6c14b0c6f7ea182454 WHIRLPOOL 80f7fb529b912d19d81b9d71ee4a648db7b217583f2e8f2054cc666839030ea7d0112d69d52a2bf35c4d3549ffbd81dbd0cd39d5993bfabbb43bcb6a4455ade4 |
37 |
+DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03 |
38 |
+EBUILD sandbox-2.6-r1.ebuild 3161 SHA256 964556ee3f429cedbd54d4ea9c8c9a468b886199f390b909864e5c35a454bfa4 SHA512 25492535b1a623482c3bec466a3cfc8277ef5f82e3548085dc35a0ac24c5ab5cbedd32ad99c9da07dccd9c116b1c5a532908c5a3023aea6cdfb4dd94ec380c04 WHIRLPOOL 6fb8b8d1426bc8f6e0496bf6afe693bf544fdabacbdefdb310261e0d5dc0ba7548c26a8d26d4c29e8885805ebccc5e9852c3a2573cd6815960aa8f9ee2d21973 |
39 |
|
40 |
diff --git a/sys-apps/sandbox/files/09sandbox b/sys-apps/sandbox/files/09sandbox |
41 |
new file mode 100644 |
42 |
index 0000000..9181eb0 |
43 |
--- /dev/null |
44 |
+++ b/sys-apps/sandbox/files/09sandbox |
45 |
@@ -0,0 +1 @@ |
46 |
+CONFIG_PROTECT_MASK="/etc/sandbox.d" |
47 |
|
48 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch |
49 |
new file mode 100644 |
50 |
index 0000000..e4dc529 |
51 |
--- /dev/null |
52 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch |
53 |
@@ -0,0 +1,201 @@ |
54 |
+From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001 |
55 |
+From: Mike Frysinger <vapier@g.o> |
56 |
+Date: Mon, 24 Dec 2012 19:41:49 -0500 |
57 |
+Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before |
58 |
+ checking the dirfd |
59 |
+ |
60 |
+When it comes to processing errors, an empty path is checked before |
61 |
+an invalid dirfd. Make sure sandbox matches that behavior for the |
62 |
+random testsuites out there that look for this. |
63 |
+ |
64 |
+URL: https://bugs.gentoo.org/346929 |
65 |
+Reported-by: Marien Zwart <marienz@g.o> |
66 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
67 |
+--- |
68 |
+ libsandbox/wrapper-funcs/__pre_check.c | 2 ++ |
69 |
+ libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------ |
70 |
+ libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++----------- |
71 |
+ libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------ |
72 |
+ libsandbox/wrappers.h | 2 ++ |
73 |
+ tests/mkdirat-3.sh | 7 +++++++ |
74 |
+ tests/mkdirat.at | 1 + |
75 |
+ tests/openat-2.sh | 9 +++++++++ |
76 |
+ tests/openat.at | 1 + |
77 |
+ tests/unlinkat-4.sh | 7 +++++++ |
78 |
+ tests/unlinkat.at | 1 + |
79 |
+ 11 files changed, 44 insertions(+), 35 deletions(-) |
80 |
+ create mode 100755 tests/mkdirat-3.sh |
81 |
+ create mode 100755 tests/openat-2.sh |
82 |
+ create mode 100755 tests/unlinkat-4.sh |
83 |
+ |
84 |
+diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c |
85 |
+index 2d5711f..28ad91f 100644 |
86 |
+--- a/libsandbox/wrapper-funcs/__pre_check.c |
87 |
++++ b/libsandbox/wrapper-funcs/__pre_check.c |
88 |
+@@ -20,3 +20,5 @@ |
89 |
+ #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF |
90 |
+ # include "unlinkat_pre_check.c" |
91 |
+ #endif |
92 |
++ |
93 |
++#include "__pre_at_check.c" |
94 |
+diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c |
95 |
+index 77a65df..0b48d1f 100644 |
96 |
+--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c |
97 |
++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c |
98 |
+@@ -1,20 +1,13 @@ |
99 |
+ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd) |
100 |
+ { |
101 |
+ char canonic[SB_PATH_MAX]; |
102 |
+- char dirfd_path[SB_PATH_MAX]; |
103 |
+ |
104 |
+ save_errno(); |
105 |
+ |
106 |
+- /* Expand the dirfd path first */ |
107 |
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { |
108 |
+- case -1: |
109 |
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", |
110 |
+- func, pathname, strerror(errno)); |
111 |
+- return false; |
112 |
+- case 0: |
113 |
+- pathname = dirfd_path; |
114 |
+- break; |
115 |
+- } |
116 |
++ /* Check incoming args against common *at issues */ |
117 |
++ char dirfd_path[SB_PATH_MAX]; |
118 |
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) |
119 |
++ return false; |
120 |
+ |
121 |
+ /* Then break down any relative/symlink paths */ |
122 |
+ if (-1 == canonicalize(pathname, canonic)) |
123 |
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c |
124 |
+index 0127708..5fd5eaa 100644 |
125 |
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c |
126 |
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c |
127 |
+@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int |
128 |
+ |
129 |
+ save_errno(); |
130 |
+ |
131 |
+- /* Expand the dirfd path first */ |
132 |
++ /* Check incoming args against common *at issues */ |
133 |
+ char dirfd_path[SB_PATH_MAX]; |
134 |
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { |
135 |
+- case -1: |
136 |
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", |
137 |
+- func, pathname, strerror(errno)); |
138 |
+- return false; |
139 |
+- case 0: |
140 |
+- pathname = dirfd_path; |
141 |
+- break; |
142 |
+- } |
143 |
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) |
144 |
++ return false; |
145 |
+ |
146 |
+ /* Doesn't exist -> skip permission checks */ |
147 |
+ struct stat st; |
148 |
+diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c |
149 |
+index 9f5e7d7..c004d15 100644 |
150 |
+--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c |
151 |
++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c |
152 |
+@@ -1,20 +1,13 @@ |
153 |
+ bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd) |
154 |
+ { |
155 |
+ char canonic[SB_PATH_MAX]; |
156 |
+- char dirfd_path[SB_PATH_MAX]; |
157 |
+ |
158 |
+ save_errno(); |
159 |
+ |
160 |
+- /* Expand the dirfd path first */ |
161 |
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { |
162 |
+- case -1: |
163 |
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", |
164 |
+- func, pathname, strerror(errno)); |
165 |
+- return false; |
166 |
+- case 0: |
167 |
+- pathname = dirfd_path; |
168 |
+- break; |
169 |
+- } |
170 |
++ /* Check incoming args against common *at issues */ |
171 |
++ char dirfd_path[SB_PATH_MAX]; |
172 |
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) |
173 |
++ return false; |
174 |
+ |
175 |
+ /* Then break down any relative/symlink paths */ |
176 |
+ if (-1 == canonicalize(pathname, canonic)) |
177 |
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h |
178 |
+index 5b97787..0aa58bb 100644 |
179 |
+--- a/libsandbox/wrappers.h |
180 |
++++ b/libsandbox/wrappers.h |
181 |
+@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn |
182 |
+ attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags); |
183 |
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags); |
184 |
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd); |
185 |
++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, |
186 |
++ char *dirfd_path, size_t dirfd_path_len); |
187 |
+ |
188 |
+ #endif |
189 |
+-- |
190 |
+1.8.1.2 |
191 |
+ |
192 |
+From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001 |
193 |
+From: Mike Frysinger <vapier@g.o> |
194 |
+Date: Mon, 24 Dec 2012 19:41:49 -0500 |
195 |
+Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before |
196 |
+ checking the dirfd [missing file] |
197 |
+ |
198 |
+When it comes to processing errors, an empty path is checked before |
199 |
+an invalid dirfd. Make sure sandbox matches that behavior for the |
200 |
+random testsuites out there that look for this. |
201 |
+ |
202 |
+Forgot to `git add` in the previous commit :/. |
203 |
+ |
204 |
+URL: https://bugs.gentoo.org/346929 |
205 |
+Reported-by: Marien Zwart <marienz@g.o> |
206 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
207 |
+--- |
208 |
+ libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++ |
209 |
+ 1 file changed, 34 insertions(+) |
210 |
+ create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c |
211 |
+ |
212 |
+diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c |
213 |
+new file mode 100644 |
214 |
+index 0000000..f72c40c |
215 |
+--- /dev/null |
216 |
++++ b/libsandbox/wrapper-funcs/__pre_at_check.c |
217 |
+@@ -0,0 +1,34 @@ |
218 |
++/* |
219 |
++ * common *at() pre-checks. |
220 |
++ * |
221 |
++ * Copyright 1999-2012 Gentoo Foundation |
222 |
++ * Licensed under the GPL-2 |
223 |
++ */ |
224 |
++ |
225 |
++/* We assume the parent has nested use with save/restore errno */ |
226 |
++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, |
227 |
++ char *dirfd_path, size_t dirfd_path_len) |
228 |
++{ |
229 |
++ /* the empty path name should fail with ENOENT before any dirfd |
230 |
++ * checks get a chance to run #346929 |
231 |
++ */ |
232 |
++ if (*pathname && *pathname[0] == '\0') { |
233 |
++ errno = ENOENT; |
234 |
++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", |
235 |
++ func, *pathname, strerror(errno)); |
236 |
++ return false; |
237 |
++ } |
238 |
++ |
239 |
++ /* Expand the dirfd path first */ |
240 |
++ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) { |
241 |
++ case -1: |
242 |
++ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", |
243 |
++ func, *pathname, strerror(errno)); |
244 |
++ return false; |
245 |
++ case 0: |
246 |
++ *pathname = dirfd_path; |
247 |
++ break; |
248 |
++ } |
249 |
++ |
250 |
++ return true; |
251 |
++} |
252 |
+-- |
253 |
+1.8.1.2 |
254 |
+ |
255 |
|
256 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch |
257 |
new file mode 100644 |
258 |
index 0000000..fbecb07 |
259 |
--- /dev/null |
260 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch |
261 |
@@ -0,0 +1,30 @@ |
262 |
+From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001 |
263 |
+From: Mike Frysinger <vapier@g.o> |
264 |
+Date: Sat, 17 Nov 2012 14:14:26 -0500 |
265 |
+Subject: [PATCH] sandbox.desktop: drop .svg from Icon field |
266 |
+MIME-Version: 1.0 |
267 |
+Content-Type: text/plain; charset=UTF-8 |
268 |
+Content-Transfer-Encoding: 8bit |
269 |
+ |
270 |
+URL: http://bugs.gentoo.org/443672 |
271 |
+Reported-by: Petteri Räty <betelgeuse@g.o> |
272 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
273 |
+--- |
274 |
+ data/sandbox.desktop | 2 +- |
275 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
276 |
+ |
277 |
+diff --git a/data/sandbox.desktop b/data/sandbox.desktop |
278 |
+index 5b5b576..27a887e 100644 |
279 |
+--- a/data/sandbox.desktop |
280 |
++++ b/data/sandbox.desktop |
281 |
+@@ -5,6 +5,6 @@ Type=Application |
282 |
+ Comment=launch a sandboxed shell ... useful for debugging ebuilds |
283 |
+ Exec=sandbox |
284 |
+ TryExec=sandbox |
285 |
+-Icon=sandbox.svg |
286 |
++Icon=sandbox |
287 |
+ Categories=Development; |
288 |
+ Terminal=true |
289 |
+-- |
290 |
+1.8.1.2 |
291 |
+ |
292 |
|
293 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch |
294 |
new file mode 100644 |
295 |
index 0000000..611122a |
296 |
--- /dev/null |
297 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch |
298 |
@@ -0,0 +1,88 @@ |
299 |
+From: Mike Frysinger <vapier@g.o> |
300 |
+Date: Tue, 28 Aug 2012 16:19:56 +0000 (-0400) |
301 |
+Subject: add a configure option to control pch usage |
302 |
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fsandbox.git;a=commitdiff_plain;h=f2500f5954611d110ac18e9990f42d5a915f8101 |
303 |
+ |
304 |
+add a configure option to control pch usage |
305 |
+ |
306 |
+Mostly for testing purposes. This also tweaks the dependency to fix a |
307 |
+warning when generating the headers.h.pch in subdirs when the toplevel |
308 |
+headers.h.pch already exists. |
309 |
+ |
310 |
+URL: http://bugs.gentoo.org/425524 |
311 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
312 |
+--- |
313 |
+ |
314 |
+diff --git a/Makefile.am b/Makefile.am |
315 |
+index 475c8c0..eb54f42 100644 |
316 |
+--- a/Makefile.am |
317 |
++++ b/Makefile.am |
318 |
+@@ -11,9 +11,9 @@ SUBDIRS = \ |
319 |
+ src \ |
320 |
+ tests |
321 |
+ |
322 |
++noinst_LTLIBRARIES = |
323 |
++ |
324 |
+ SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch |
325 |
+-BUILT_SOURCES = $(SANDBOX_PCH) |
326 |
+-noinst_LTLIBRARIES = libpch.la |
327 |
+ nodist_libpch_la_SOURCES = $(SANDBOX_PCH) |
328 |
+ GCH_CP = ( \ |
329 |
+ src=`dirname $@`/.libs/`basename $@`.o; \ |
330 |
+@@ -30,10 +30,23 @@ $(builddir)/libsandbox/headers.h.gch: headers.h |
331 |
+ $(builddir)/headers.h.gch: headers.h |
332 |
+ $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP) |
333 |
+ |
334 |
+-libsbutil: libsbutil/headers.h.gch |
335 |
+-libsandbox: libsbutil libsandbox/headers.h.gch |
336 |
+-src: libsbutil headers.h.gch |
337 |
+-tests: src headers.h.gch |
338 |
++if SB_BUILD_PCH |
339 |
++BUILT_SOURCES = $(SANDBOX_PCH) |
340 |
++noinst_LTLIBRARIES += libpch.la |
341 |
++ |
342 |
++LIBSBUTIL_PCH = libsbutil/headers.h.gch |
343 |
++LIBSANDBOX_PCH = libsandbox/headers.h.gch |
344 |
++TOP_PCH = headers.h.gch |
345 |
++ |
346 |
++# Make sure we build the subdirs before the top so they don't |
347 |
++# try to use the top level headers.h.pch. |
348 |
++$(TOP_PCH): $(LIBSBUTIL_PCH) $(LIBSANDBOX_PCH) |
349 |
++endif |
350 |
++ |
351 |
++libsbutil: $(LIBSBUTIL_PCH) |
352 |
++libsandbox: libsbutil $(LIBSANDBOX_PCH) |
353 |
++src: libsbutil $(TOP_PCH) |
354 |
++tests: src $(TOP_PCH) |
355 |
+ |
356 |
+ EXTRA_DIST = headers.h localdecls.h ChangeLog.0 |
357 |
+ |
358 |
+diff --git a/configure.ac b/configure.ac |
359 |
+index 661b494..ca0d3ac 100644 |
360 |
+--- a/configure.ac |
361 |
++++ b/configure.ac |
362 |
+@@ -26,7 +26,7 @@ AC_ISC_POSIX |
363 |
+ AC_USE_SYSTEM_EXTENSIONS |
364 |
+ |
365 |
+ dnl Checks for programs. |
366 |
+-AM_PROG_AR |
367 |
++#AM_PROG_AR |
368 |
+ AC_PROG_INSTALL |
369 |
+ AC_PROG_MAKE_SET |
370 |
+ AC_PROG_AWK |
371 |
+@@ -38,6 +38,14 @@ LT_INIT([disable-static]) |
372 |
+ |
373 |
+ AC_PREFIX_DEFAULT([/usr]) |
374 |
+ |
375 |
++dnl allow pch to be controlled |
376 |
++AC_MSG_CHECKING([whether to use pre-compiled sandbox headers]) |
377 |
++AC_ARG_ENABLE([pch], |
378 |
++ [AS_HELP_STRING([--disable-pch],[Disable pre-compiled headers])], |
379 |
++ [],[enable_pch="yes"]) |
380 |
++AM_CONDITIONAL([SB_BUILD_PCH], test "$enable_pch" = "yes") |
381 |
++AC_MSG_RESULT($enable_pch) |
382 |
++ |
383 |
+ dnl multiple personality support (x86 & x86_64: multilib) |
384 |
+ AC_MSG_CHECKING([for multiple personalities]) |
385 |
+ AC_ARG_ENABLE([schizo], |
386 |
+ |
387 |
|
388 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch |
389 |
new file mode 100644 |
390 |
index 0000000..bfea9e5 |
391 |
--- /dev/null |
392 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch |
393 |
@@ -0,0 +1,51 @@ |
394 |
+From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001 |
395 |
+From: Mike Frysinger <vapier@g.o> |
396 |
+Date: Sun, 3 Mar 2013 05:34:09 -0500 |
397 |
+Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values |
398 |
+ |
399 |
+Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox |
400 |
+with portage. It changed how the sandbox log env var was accessed by |
401 |
+moving from getenv() to get_sandbox_log(). The latter has path checking |
402 |
+and will kick out values that contain a slash. That means every time a |
403 |
+new process starts, a new sandbox log path will be generated, and when a |
404 |
+program triggers a violation, it'll write to the new file. Meanwhile, |
405 |
+portage itself watches the original one which never gets updated. |
406 |
+ |
407 |
+This code has been around forever w/out documentation, and I can't think |
408 |
+of a reason we need it. So punt it. |
409 |
+ |
410 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
411 |
+--- |
412 |
+ libsbutil/get_sandbox_log.c | 14 +++++--------- |
413 |
+ 1 file changed, 5 insertions(+), 9 deletions(-) |
414 |
+ |
415 |
+diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c |
416 |
+index a79b399..bdb4278 100644 |
417 |
+--- a/libsbutil/get_sandbox_log.c |
418 |
++++ b/libsbutil/get_sandbox_log.c |
419 |
+@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c |
420 |
+ |
421 |
+ sandbox_log_env = getenv(env); |
422 |
+ |
423 |
+- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) { |
424 |
+- /* When testing, just use what the env says to */ |
425 |
++ if (sandbox_log_env) { |
426 |
++ /* If the env is viable, roll with it. We aren't really |
427 |
++ * about people breaking the security of the sandbox by |
428 |
++ * exporting SANDBOX_LOG=/dev/null. |
429 |
++ */ |
430 |
+ strncpy(path, sandbox_log_env, SB_PATH_MAX); |
431 |
+ } else { |
432 |
+- /* THIS CHUNK BREAK THINGS BY DOING THIS: |
433 |
+- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log |
434 |
+- */ |
435 |
+- if ((NULL != sandbox_log_env) && |
436 |
+- (NULL != strchr(sandbox_log_env, '/'))) |
437 |
+- sandbox_log_env = NULL; |
438 |
+- |
439 |
+ snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s", |
440 |
+ SANDBOX_LOG_LOCATION, prefix, |
441 |
+ (sandbox_log_env == NULL ? "" : sandbox_log_env), |
442 |
+-- |
443 |
+1.8.1.2 |
444 |
+ |
445 |
|
446 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch |
447 |
new file mode 100644 |
448 |
index 0000000..0101ece |
449 |
--- /dev/null |
450 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch |
451 |
@@ -0,0 +1,54 @@ |
452 |
+From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001 |
453 |
+From: Mike Frysinger <vapier@g.o> |
454 |
+Date: Mon, 24 Dec 2012 18:46:29 -0500 |
455 |
+Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW) |
456 |
+ |
457 |
+We don't check for O_NOFOLLOW in the open wrappers, so we end up |
458 |
+returning the wrong error when operating on broken symlinks. |
459 |
+ |
460 |
+URL: https://bugs.gentoo.org/413441 |
461 |
+Reported-by: Marien Zwart <marienz@g.o> |
462 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
463 |
+--- |
464 |
+ libsandbox/wrapper-funcs/__64_post.h | 1 + |
465 |
+ libsandbox/wrapper-funcs/__64_pre.h | 1 + |
466 |
+ libsandbox/wrapper-funcs/openat_pre_check.c | 2 +- |
467 |
+ tests/open-2.sh | 10 ++++++++++ |
468 |
+ tests/open.at | 1 + |
469 |
+ 5 files changed, 14 insertions(+), 1 deletion(-) |
470 |
+ create mode 100755 tests/open-2.sh |
471 |
+ |
472 |
+diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h |
473 |
+index 2fd2182..82d2a16 100644 |
474 |
+--- a/libsandbox/wrapper-funcs/__64_post.h |
475 |
++++ b/libsandbox/wrapper-funcs/__64_post.h |
476 |
+@@ -1,3 +1,4 @@ |
477 |
+ #undef SB64 |
478 |
+ #undef stat |
479 |
++#undef lstat |
480 |
+ #undef off_t |
481 |
+diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h |
482 |
+index 2132110..0b34b25 100644 |
483 |
+--- a/libsandbox/wrapper-funcs/__64_pre.h |
484 |
++++ b/libsandbox/wrapper-funcs/__64_pre.h |
485 |
+@@ -1,3 +1,4 @@ |
486 |
+ #define SB64 |
487 |
+ #define stat stat64 |
488 |
++#define lstat lstat64 |
489 |
+ #define off_t off64_t |
490 |
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c |
491 |
+index c827ee6..0127708 100644 |
492 |
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c |
493 |
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c |
494 |
+@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int |
495 |
+ |
496 |
+ /* Doesn't exist -> skip permission checks */ |
497 |
+ struct stat st; |
498 |
+- if (-1 == stat(pathname, &st)) { |
499 |
++ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) { |
500 |
+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", |
501 |
+ func, pathname, strerror(errno)); |
502 |
+ return false; |
503 |
+-- |
504 |
+1.8.1.2 |
505 |
+ |
506 |
|
507 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch |
508 |
new file mode 100644 |
509 |
index 0000000..7fc0972 |
510 |
--- /dev/null |
511 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch |
512 |
@@ -0,0 +1,93 @@ |
513 |
+From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001 |
514 |
+From: Mike Frysinger <vapier@g.o> |
515 |
+Date: Sat, 23 Jun 2012 11:52:51 -0700 |
516 |
+Subject: [PATCH] libsandbox: clean up open file handles in parent tracing |
517 |
+ process |
518 |
+ |
519 |
+Currently, if a non-static app sets up a pipe (with cloexec enabled) and |
520 |
+executes a static app, the handle to that pipe is left open in the parent |
521 |
+process. This causes trouble when the parent is waiting for that to be |
522 |
+closed immediately. |
523 |
+ |
524 |
+Since none of the fds in the forked parent process matter to us, we can |
525 |
+just go ahead and clean up all fds before we start tracing the child. |
526 |
+ |
527 |
+URL: http://bugs.gentoo.org/364877 |
528 |
+Reported-by: Victor Stinner <victor.stinner@×××××××××.com> |
529 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
530 |
+--- |
531 |
+ libsandbox/trace.c | 3 +- |
532 |
+ libsbutil/sb_close.c | 26 +++++++++++- |
533 |
+ libsbutil/sbutil.h | 1 + |
534 |
+ tests/Makefile.am | 2 + |
535 |
+ tests/pipe-fork_static_tst.c | 18 +++++++++ |
536 |
+ tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++ |
537 |
+ tests/script-9.sh | 5 +++ |
538 |
+ tests/script.at | 1 + |
539 |
+ 8 files changed, 149 insertions(+), 2 deletions(-) |
540 |
+ create mode 100644 tests/pipe-fork_static_tst.c |
541 |
+ create mode 100644 tests/pipe-fork_tst.c |
542 |
+ create mode 100755 tests/script-9.sh |
543 |
+ |
544 |
+diff --git a/libsandbox/trace.c b/libsandbox/trace.c |
545 |
+index 32ad2d6..dfbab18 100644 |
546 |
+--- a/libsandbox/trace.c |
547 |
++++ b/libsandbox/trace.c |
548 |
+@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[]) |
549 |
+ /* Not all kernel versions support this, so ignore return */ |
550 |
+ ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD); |
551 |
+ #endif |
552 |
++ sb_close_all_fds(); |
553 |
+ trace_loop(); |
554 |
+- return; |
555 |
++ sb_ebort("ISE: child should have quit, as should we\n"); |
556 |
+ } |
557 |
+ |
558 |
+ sb_debug("child setting up ..."); |
559 |
+diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c |
560 |
+index 17a4560..5379197 100644 |
561 |
+--- a/libsbutil/sb_close.c |
562 |
++++ b/libsbutil/sb_close.c |
563 |
+@@ -29,3 +29,27 @@ int sb_close(int fd) |
564 |
+ |
565 |
+ return res; |
566 |
+ } |
567 |
++ |
568 |
++/* Quickly close all the open fds (good for daemonization) */ |
569 |
++void sb_close_all_fds(void) |
570 |
++{ |
571 |
++ DIR *dirp; |
572 |
++ struct dirent *de; |
573 |
++ int dfd, fd; |
574 |
++ const char *fd_dir = sb_get_fd_dir(); |
575 |
++ |
576 |
++ dirp = opendir(fd_dir); |
577 |
++ if (!dirp) |
578 |
++ sb_ebort("could not process %s\n", fd_dir); |
579 |
++ dfd = dirfd(dirp); |
580 |
++ |
581 |
++ while ((de = readdir(dirp)) != NULL) { |
582 |
++ if (de->d_name[0] == '.') |
583 |
++ continue; |
584 |
++ fd = atoi(de->d_name); |
585 |
++ if (fd != dfd) |
586 |
++ close(fd); |
587 |
++ } |
588 |
++ |
589 |
++ closedir(dirp); |
590 |
++} |
591 |
+diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h |
592 |
+index 02b88cb..479734b 100644 |
593 |
+--- a/libsbutil/sbutil.h |
594 |
++++ b/libsbutil/sbutil.h |
595 |
+@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode); |
596 |
+ size_t sb_read(int fd, void *buf, size_t count); |
597 |
+ size_t sb_write(int fd, const void *buf, size_t count); |
598 |
+ int sb_close(int fd); |
599 |
++void sb_close_all_fds(void); |
600 |
+ int sb_copy_file_to_fd(const char *file, int ofd); |
601 |
+ |
602 |
+ /* Reliable output */ |
603 |
+-- |
604 |
+1.8.1.2 |
605 |
+ |
606 |
|
607 |
diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch |
608 |
new file mode 100644 |
609 |
index 0000000..7e73822 |
610 |
--- /dev/null |
611 |
+++ b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch |
612 |
@@ -0,0 +1,27 @@ |
613 |
+From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001 |
614 |
+From: Mike Frysinger <vapier@g.o> |
615 |
+Date: Fri, 6 Jul 2012 14:58:16 -0400 |
616 |
+Subject: [PATCH] libsandbox: fix hppa trace code |
617 |
+ |
618 |
+URL: https://bugs.gentoo.org/425062 |
619 |
+Reported-by: Jeroen Roovers <jer@g.o> |
620 |
+Signed-off-by: Mike Frysinger <vapier@g.o> |
621 |
+--- |
622 |
+ libsandbox/trace/linux/hppa.c | 4 ++-- |
623 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
624 |
+ |
625 |
+diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c |
626 |
+index d23b0d1..5414354 100644 |
627 |
+--- a/libsandbox/trace/linux/hppa.c |
628 |
++++ b/libsandbox/trace/linux/hppa.c |
629 |
+@@ -1,5 +1,5 @@ |
630 |
+-#define trace_reg_sysnum (20 * 4) /* PT_GR20 */ |
631 |
+-#define trace_reg_ret (28 * 4) /* PT_GR28 */ |
632 |
++#define trace_reg_sysnum gr[20] |
633 |
++#define trace_reg_ret gr[28] |
634 |
+ |
635 |
+ static unsigned long trace_arg(void *vregs, int num) |
636 |
+ { |
637 |
+-- |
638 |
+1.7.9.7 |
639 |
+ |
640 |
|
641 |
diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild |
642 |
new file mode 100644 |
643 |
index 0000000..25130d2 |
644 |
--- /dev/null |
645 |
+++ b/sys-apps/sandbox/sandbox-2.6-r1.ebuild |
646 |
@@ -0,0 +1,132 @@ |
647 |
+# Copyright 1999-2013 Gentoo Foundation |
648 |
+# Distributed under the terms of the GNU General Public License v2 |
649 |
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/sandbox-2.6-r1.ebuild,v 1.12 2013/07/02 07:43:42 ago Exp $ |
650 |
+ |
651 |
+# |
652 |
+# don't monkey with this ebuild unless contacting portage devs. |
653 |
+# period. |
654 |
+# |
655 |
+ |
656 |
+inherit autotools eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing |
657 |
+ |
658 |
+DESCRIPTION="sandbox'd LD_PRELOAD hack" |
659 |
+HOMEPAGE="http://www.gentoo.org/" |
660 |
+SRC_URI="mirror://gentoo/${P}.tar.xz |
661 |
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz" |
662 |
+ |
663 |
+LICENSE="GPL-2" |
664 |
+SLOT="0" |
665 |
+KEYWORDS="alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd" |
666 |
+IUSE="multilib pch" |
667 |
+ |
668 |
+DEPEND="app-arch/xz-utils |
669 |
+ >=app-misc/pax-utils-0.1.19" #265376 |
670 |
+RDEPEND="" |
671 |
+ |
672 |
+EMULTILIB_PKG="true" |
673 |
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" |
674 |
+ |
675 |
+sandbox_death_notice() { |
676 |
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" |
677 |
+ ewarn "FEATURES=-sandbox emerge sandbox" |
678 |
+} |
679 |
+ |
680 |
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; } |
681 |
+ |
682 |
+sb_foreach_abi() { |
683 |
+ local OABI=${ABI} |
684 |
+ for ABI in $(sb_get_install_abis) ; do |
685 |
+ cd "${WORKDIR}/build-${ABI}" |
686 |
+ einfo "Running $1 for ABI=${ABI}..." |
687 |
+ "$@" |
688 |
+ done |
689 |
+ ABI=${OABI} |
690 |
+} |
691 |
+ |
692 |
+src_unpack() { |
693 |
+ unpacker |
694 |
+ cd "${S}" |
695 |
+ epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062 |
696 |
+ epatch "${FILESDIR}"/${P}-log-var.patch |
697 |
+ epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877 |
698 |
+ epatch "${FILESDIR}"/${P}-desktop.patch #443672 |
699 |
+ epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441 |
700 |
+ epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929 |
701 |
+ epatch "${FILESDIR}"/${P}-hardened-pch.patch #425524 |
702 |
+ epatch_user |
703 |
+ |
704 |
+ eautoreconf |
705 |
+} |
706 |
+ |
707 |
+sb_configure() { |
708 |
+ mkdir "${WORKDIR}/build-${ABI}" |
709 |
+ cd "${WORKDIR}/build-${ABI}" |
710 |
+ |
711 |
+ use multilib && multilib_toolchain_setup ${ABI} |
712 |
+ |
713 |
+ einfo "Configuring sandbox for ABI=${ABI}..." |
714 |
+ ECONF_SOURCE="../${P}/" \ |
715 |
+ econf $(use_enable pch) ${myconf} || die |
716 |
+} |
717 |
+ |
718 |
+sb_compile() { |
719 |
+ emake || die |
720 |
+} |
721 |
+ |
722 |
+src_compile() { |
723 |
+ filter-lfs-flags #90228 |
724 |
+ |
725 |
+ # Run configures in parallel! |
726 |
+ multijob_init |
727 |
+ local OABI=${ABI} |
728 |
+ for ABI in $(sb_get_install_abis) ; do |
729 |
+ multijob_child_init sb_configure |
730 |
+ done |
731 |
+ ABI=${OABI} |
732 |
+ multijob_finish |
733 |
+ |
734 |
+ sb_foreach_abi sb_compile |
735 |
+} |
736 |
+ |
737 |
+sb_test() { |
738 |
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die |
739 |
+} |
740 |
+ |
741 |
+src_test() { |
742 |
+ sb_foreach_abi sb_test |
743 |
+} |
744 |
+ |
745 |
+sb_install() { |
746 |
+ emake DESTDIR="${D}" install || die |
747 |
+ insinto /etc/sandbox.d #333131 |
748 |
+ doins etc/sandbox.d/00default || die |
749 |
+} |
750 |
+ |
751 |
+src_install() { |
752 |
+ sb_foreach_abi sb_install |
753 |
+ |
754 |
+ doenvd "${FILESDIR}"/09sandbox |
755 |
+ |
756 |
+ keepdir /var/log/sandbox |
757 |
+ fowners root:portage /var/log/sandbox |
758 |
+ fperms 0770 /var/log/sandbox |
759 |
+ |
760 |
+ cd "${S}" |
761 |
+ dodoc AUTHORS ChangeLog* NEWS README |
762 |
+} |
763 |
+ |
764 |
+pkg_preinst() { |
765 |
+ chown root:portage "${D}"/var/log/sandbox |
766 |
+ chmod 0770 "${D}"/var/log/sandbox |
767 |
+ |
768 |
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*') |
769 |
+ if [[ -n ${old} ]] ; then |
770 |
+ elog "Removing old sandbox libraries for you:" |
771 |
+ elog ${old//${ROOT}} |
772 |
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \; |
773 |
+ fi |
774 |
+} |
775 |
+ |
776 |
+pkg_postinst() { |
777 |
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376 |
778 |
+} |