
From: Jory Pratt <anarchy@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] dev/anarchy:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
Date: Sun, 01 Sep 2013 18:02:35
Message-Id: 1378058464.1452587eeadccfe5e58bde990d67f6447bbddb33.anarchy@gentoo
1 commit: 1452587eeadccfe5e58bde990d67f6447bbddb33
2 Author: Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
3 AuthorDate: Sun Sep 1 18:01:04 2013 +0000
4 Commit: Jory Pratt <anarchy <AT> gentoo <DOT> org>
5 CommitDate: Sun Sep 1 18:01:04 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=dev/anarchy.git;a=commit;h=1452587e
7
8 Add pch useflag to sandbox-2.6 for hardened support
9
10 ---
11 sys-apps/sandbox/Manifest | 10 +
12 sys-apps/sandbox/files/09sandbox | 1 +
13 .../files/sandbox-2.6-check-empty-paths-at.patch | 201 +++++++++++++++++++++
14 sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 +++
15 .../sandbox/files/sandbox-2.6-hardened-pch.patch | 88 +++++++++
16 sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ++++++
17 .../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ++++++
18 .../files/sandbox-2.6-static-close-fd.patch | 93 ++++++++++
19 .../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 +++
20 sys-apps/sandbox/sandbox-2.6-r1.ebuild | 132 ++++++++++++++
21 10 files changed, 687 insertions(+)
22
23 diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
24 new file mode 100644
25 index 0000000..33c0d48
26 --- /dev/null
27 +++ b/sys-apps/sandbox/Manifest
28 @@ -0,0 +1,10 @@
29 +AUX 09sandbox 37 SHA256 73e9e9d12ba54f1c649813ec86107924050528852c890a8ba1e2853796781bbe SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a WHIRLPOOL 80d55a34d3faf3314f2b9de2200d4b46a800128514be9e30eb59e5f03fb7a0a5197a9e5b5ab33d6b68d35bf83c86a1bd7ba734a33ccd382fe0af3b2c2a11d0bd
30 +AUX sandbox-2.6-check-empty-paths-at.patch 7454 SHA256 a48759a4d3e9a70713473b6fad59bdd750b5cd37e7d632c786205ff20004ae2c SHA512 5eba7915dedf57f44c37881e9c6b48db8733d1493779a33127d08bb9ea77056d788ec9ace72c13eb101f42f01c95309c7cebca6c76212a8c99a8655372c0b7d7 WHIRLPOOL 46eb3a8ef8f22030cd793f3b16adc190b5750019c0df83e161c6918f08555a8ad890c1425b03cbf7e53ebcd34a07a9dd9b594d0c0fe31834656ffce3d58fa284
31 +AUX sandbox-2.6-desktop.patch 875 SHA256 2eecf67790aeac210f9aa899a86f7664776ed65d9b55159e1b359162dfb9ff74 SHA512 b72ec7f414d19bf513dfb1aea10523fa5dc07a1375d8f08f664d204b64b23c891a79ca14987528c595936f441e1f595b366aabbc57313667c7639d73d089ed9a WHIRLPOOL 7f787b8be9b5712eb2b2a0cd2ff825df1045ebf1cc4e73a50f610e620d30752045690a5c28835465d0ab0c3c4a9eaf8b92a5c123cd741ad69dfedb31aa457fa0
32 +AUX sandbox-2.6-hardened-pch.patch 2615 SHA256 b24500876b595dcaee46e23dffedc50729ce7af1c7fbfce9cead2cd7a8566ff3 SHA512 439f78d0261996a648053f3b34a9fa34eb0d145862136769a3d448f5314be76046d02a0bcce8fd9cfb59d82fdafe79653c182d104f98c4b51be2c08ce835c8bd WHIRLPOOL 8221650ad746161af71a1b1f5f041a5696b4168d2c1fd3fb1997ba0464ef14de50592d9dd4ecc6981f812ae50e4d2c18c138a40bcdcce1b7f6d5b84f711211a6
33 +AUX sandbox-2.6-log-var.patch 2039 SHA256 f464a29cdd9de0c510277310f4febc8f96515ff2ff03fc92df1c75b9cbd75619 SHA512 cf6f900b4078eff5870b63b2bc7c81c5b00488e030d7e9ce3007693e9d1339ac6201ddacfaff552c6c9b99b6d32383229133c80190404b7e4fde06ad376b2050 WHIRLPOOL db99737a6567788194f7b37b12b92fcfb4c263df40f40aef9e0a3ef2b6a1523331313b791fffa2b26775b646795364ab1db1711eb4329cda3337df27aebfeffa
34 +AUX sandbox-2.6-open-nofollow.patch 2027 SHA256 c8816ae4e1991f9941abd43ec4bfdbf4e99cf36ee90694f77ab88754c53785ce SHA512 dd5222f32a40def38c9719363a24c48d5b112e3560b44c5f32afc3daa0614fe9bc5cb68ca8ac69032cc8d6299f09b25d4d7c72e16892188b42768ffb28c19f07 WHIRLPOOL 03cb5fb9df04a8d7f92855c292a6c431d01d330fecae198f2c4b95d824454f10ce1ad66db1a9d54d1bef5f74989cf6debb2d98de28ee0c2c6a09c1a0752b5519
35 +AUX sandbox-2.6-static-close-fd.patch 2945 SHA256 807eb4dc1ba6543c94a90a9a53bb89f42079ea20ed7c196f82d65f280e5de96a SHA512 e2f57c4d80816241f3ba4828c2b27c67d1d604b14b2d575888a978e5c4e8e47e60e3a609d81e59c615bc5b7cee6194cc362e255ae8508f632862a35180c30de8 WHIRLPOOL e08f60227fe954894d3a3a01297e9988f4d7722ea75ffbd2b0f3971d38c8ce00af230fcaecb1f53243a868d54f48bb680e2d547bbeb2ee3e5a11f8942d2084fd
36 +AUX sandbox-2.6-trace-hppa.patch 850 SHA256 20688b2f33162f95af4af5e3c7d3700f2e7776e454b785ac1398f0870f84efa9 SHA512 fb7bf2202f960e952edc1e52fe4b6b085042158223d96b9baa899e871abcdef711ede3122c971120f55f71cc1aad71496a6079222dbaaa6c14b0c6f7ea182454 WHIRLPOOL 80f7fb529b912d19d81b9d71ee4a648db7b217583f2e8f2054cc666839030ea7d0112d69d52a2bf35c4d3549ffbd81dbd0cd39d5993bfabbb43bcb6a4455ade4
37 +DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
38 +EBUILD sandbox-2.6-r1.ebuild 3161 SHA256 964556ee3f429cedbd54d4ea9c8c9a468b886199f390b909864e5c35a454bfa4 SHA512 25492535b1a623482c3bec466a3cfc8277ef5f82e3548085dc35a0ac24c5ab5cbedd32ad99c9da07dccd9c116b1c5a532908c5a3023aea6cdfb4dd94ec380c04 WHIRLPOOL 6fb8b8d1426bc8f6e0496bf6afe693bf544fdabacbdefdb310261e0d5dc0ba7548c26a8d26d4c29e8885805ebccc5e9852c3a2573cd6815960aa8f9ee2d21973
39
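diff --git a/sys-apps/sandbox/files/09sandbox b/sys-apps/sandbox/files/09sandbox
new file mode 100644
index 0000000..9181eb0
--- /dev/null
+++ b/sys-apps/sandbox/files/09sandbox
@@ -0,0 +1 @@
+CONFIG_PROTECT_MASK="/etc/sandbox.d"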
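diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
new file mode 100644
index 0000000..e4dc529
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
@@ -0,0 +1,201 @@
+From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@g.o>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsandbox/wrapper-funcs/__pre_check.c | 2 ++
+ libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
+ libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++-----------
+ libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
+ libsandbox/wrappers.h | 2 ++
+ tests/mkdirat-3.sh | 7 +++++++
+ tests/mkdirat.at | 1 +
+ tests/openat-2.sh | 9 +++++++++
+ tests/openat.at | 1 +
+ tests/unlinkat-4.sh | 7 +++++++
+ tests/unlinkat.at | 1 +
+ 11 files changed, 44 insertions(+), 35 deletions(-)
+ create mode 100755 tests/mkdirat-3.sh
+ create mode 100755 tests/openat-2.sh
+ create mode 100755 tests/unlinkat-4.sh
+
+diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
+index 2d5711f..28ad91f 100644
+--- a/libsandbox/wrapper-funcs/__pre_check.c
++++ b/libsandbox/wrapper-funcs/__pre_check.c
+@@ -20,3 +20,5 @@
+ #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
+ # include "unlinkat_pre_check.c"
+ #endif
++
++#include "__pre_at_check.c"
+diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+index 77a65df..0b48d1f 100644
+--- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
++++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+ save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Then break down any relative/symlink paths */
+ if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index 0127708..5fd5eaa 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ save_errno();
+
+- /* Expand the dirfd path first */
++ /* Check incoming args against common *at issues */
+ char dirfd_path[SB_PATH_MAX];
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Doesn't exist -> skip permission checks */
+ struct stat st;
+diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+index 9f5e7d7..c004d15 100644
+--- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
++++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
+@@ -1,20 +1,13 @@
+ bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
+ {
+ char canonic[SB_PATH_MAX];
+- char dirfd_path[SB_PATH_MAX];
+
+ save_errno();
+
+- /* Expand the dirfd path first */
+- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
+- case -1:
+- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
+- func, pathname, strerror(errno));
+- return false;
+- case 0:
+- pathname = dirfd_path;
+- break;
+- }
++ /* Check incoming args against common *at issues */
++ char dirfd_path[SB_PATH_MAX];
++ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
++ return false;
+
+ /* Then break down any relative/symlink paths */
+ if (-1 == canonicalize(pathname, canonic))
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 5b97787..0aa58bb 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
+ attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
++attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len);
+
+ #endif
+--
+1.8.1.2
+
+From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Mon, 24 Dec 2012 19:41:49 -0500
+Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
+ checking the dirfd [missing file]
+
+When it comes to processing errors, an empty path is checked before
+an invalid dirfd. Make sure sandbox matches that behavior for the
+random testsuites out there that look for this.
+
+Forgot to `git add` in the previous commit :/.
+
+URL: https://bugs.gentoo.org/346929
+Reported-by: Marien Zwart <marienz@g.o>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+ create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
+
+diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
+new file mode 100644
+index 0000000..f72c40c
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/__pre_at_check.c
+@@ -0,0 +1,34 @@
++/*
++ * common *at() pre-checks.
++ *
++ * Copyright 1999-2012 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++/* We assume the parent has nested use with save/restore errno */
++bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
++ char *dirfd_path, size_t dirfd_path_len)
++{
++ /* the empty path name should fail with ENOENT before any dirfd
++ * checks get a chance to run #346929
++ */
++ if (*pathname && *pathname[0] == '\0') {
++ errno = ENOENT;
++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ }
++
++ /* Expand the dirfd path first */
++ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
++ case -1:
++ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
++ func, *pathname, strerror(errno));
++ return false;
++ case 0:
++ *pathname = dirfd_path;
++ break;
++ }
++
++ return true;
++}
+--
+1.8.1.2
+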
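Review bot: In sb_common_at_pre_check the empty-path test is written `*pathname[0] == '\0'`, which is correct only because `[]` binds tighter than `*` (it is `*(pathname[0])`, i.e. the first character); `(*pathname)[0] == '\0'` expresses the same thing without the reader having to check precedence and matches the `*pathname` spelling used on the surrounding lines. The leading `*pathname &&` lets a NULL pathname fall through to resolve_dirfd_path rather than failing here; if that is the intended division of responsibility, a short comment such as `/* NULL is left for resolve_dirfd_path / the real syscall to reject */` would save the next reader from re-deriving it. The three callers are rewritten consistently and the new prototype in wrappers.h matches the definition.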
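diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
new file mode 100644
index 0000000..fbecb07
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
@@ -0,0 +1,30 @@
+From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Sat, 17 Nov 2012 14:14:26 -0500
+Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+URL: http://bugs.gentoo.org/443672
+Reported-by: Petteri Räty <betelgeuse@g.o>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ data/sandbox.desktop | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/sandbox.desktop b/data/sandbox.desktop
+index 5b5b576..27a887e 100644
+--- a/data/sandbox.desktop
++++ b/data/sandbox.desktop
+@@ -5,6 +5,6 @@ Type=Application
+ Comment=launch a sandboxed shell ... useful for debugging ebuilds
+ Exec=sandbox
+ TryExec=sandbox
+-Icon=sandbox.svg
++Icon=sandbox
+ Categories=Development;
+ Terminal=true
+--
+1.8.1.2
+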
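diff --git a/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch
new file mode 100644
index 0000000..611122a
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch
@@ -0,0 +1,88 @@
+From: Mike Frysinger <vapier@g.o>
+Date: Tue, 28 Aug 2012 16:19:56 +0000 (-0400)
+Subject: add a configure option to control pch usage
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fsandbox.git;a=commitdiff_plain;h=f2500f5954611d110ac18e9990f42d5a915f8101
+
+add a configure option to control pch usage
+
+Mostly for testing purposes. This also tweaks the dependency to fix a
+warning when generating the headers.h.pch in subdirs when the toplevel
+headers.h.pch already exists.
+
+URL: http://bugs.gentoo.org/425524
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+
+diff --git a/Makefile.am b/Makefile.am
+index 475c8c0..eb54f42 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -11,9 +11,9 @@ SUBDIRS = \
+ src \
+ tests
+
++noinst_LTLIBRARIES =
++
+ SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch
+-BUILT_SOURCES = $(SANDBOX_PCH)
+-noinst_LTLIBRARIES = libpch.la
+ nodist_libpch_la_SOURCES = $(SANDBOX_PCH)
+ GCH_CP = ( \
+ src=`dirname $@`/.libs/`basename $@`.o; \
+@@ -30,10 +30,23 @@ $(builddir)/libsandbox/headers.h.gch: headers.h
+ $(builddir)/headers.h.gch: headers.h
+ $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP)
+
+-libsbutil: libsbutil/headers.h.gch
+-libsandbox: libsbutil libsandbox/headers.h.gch
+-src: libsbutil headers.h.gch
+-tests: src headers.h.gch
++if SB_BUILD_PCH
++BUILT_SOURCES = $(SANDBOX_PCH)
++noinst_LTLIBRARIES += libpch.la
++
++LIBSBUTIL_PCH = libsbutil/headers.h.gch
++LIBSANDBOX_PCH = libsandbox/headers.h.gch
++TOP_PCH = headers.h.gch
++
++# Make sure we build the subdirs before the top so they don't
++# try to use the top level headers.h.pch.
++$(TOP_PCH): $(LIBSBUTIL_PCH) $(LIBSANDBOX_PCH)
++endif
++
++libsbutil: $(LIBSBUTIL_PCH)
++libsandbox: libsbutil $(LIBSANDBOX_PCH)
++src: libsbutil $(TOP_PCH)
++tests: src $(TOP_PCH)
+
+ EXTRA_DIST = headers.h localdecls.h ChangeLog.0
+
+diff --git a/configure.ac b/configure.ac
+index 661b494..ca0d3ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -26,7 +26,7 @@ AC_ISC_POSIX
+ AC_USE_SYSTEM_EXTENSIONS
+
+ dnl Checks for programs.
+-AM_PROG_AR
++#AM_PROG_AR
+ AC_PROG_INSTALL
+ AC_PROG_MAKE_SET
+ AC_PROG_AWK
+@@ -38,6 +38,14 @@ LT_INIT([disable-static])
+
+ AC_PREFIX_DEFAULT([/usr])
+
++dnl allow pch to be controlled
++AC_MSG_CHECKING([whether to use pre-compiled sandbox headers])
++AC_ARG_ENABLE([pch],
++ [AS_HELP_STRING([--disable-pch],[Disable pre-compiled headers])],
++ [],[enable_pch="yes"])
++AM_CONDITIONAL([SB_BUILD_PCH], test "$enable_pch" = "yes")
++AC_MSG_RESULT($enable_pch)
++
+ dnl multiple personality support (x86 & x86_64: multilib)
+ AC_MSG_CHECKING([for multiple personalities])
+ AC_ARG_ENABLE([schizo],
+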
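Review bot: The configure.ac hunk also rewrites `AM_PROG_AR` into `#AM_PROG_AR`, which has nothing to do with the pch option and is not mentioned anywhere in the patch header that otherwise presents the file as the upstream commit referenced by the X-Git-Url line; it looks like a local adjustment made while backporting, but a reader cannot tell whether it was deliberate. Disabling AM_PROG_AR also drops automake's archiver detection for libtool, so the reason should be recorded, e.g. a line in the header such as `Local change: AM_PROG_AR commented out because <reason>`, or the hunk moved into its own small patch so this file stays a faithful copy of the upstream change. The Makefile.am hunk reads consistently: libpch.la is only appended to noinst_LTLIBRARIES inside the SB_BUILD_PCH conditional and the PCH variables expand to nothing when it is off.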
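diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
new file mode 100644
index 0000000..bfea9e5
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
@@ -0,0 +1,51 @@
+From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Sun, 3 Mar 2013 05:34:09 -0500
+Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
+
+Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
+with portage. It changed how the sandbox log env var was accessed by
+moving from getenv() to get_sandbox_log(). The latter has path checking
+and will kick out values that contain a slash. That means every time a
+new process starts, a new sandbox log path will be generated, and when a
+program triggers a violation, it'll write to the new file. Meanwhile,
+portage itself watches the original one which never gets updated.
+
+This code has been around forever w/out documentation, and I can't think
+of a reason we need it. So punt it.
+
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsbutil/get_sandbox_log.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
+index a79b399..bdb4278 100644
+--- a/libsbutil/get_sandbox_log.c
++++ b/libsbutil/get_sandbox_log.c
+@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
+
+ sandbox_log_env = getenv(env);
+
+- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
+- /* When testing, just use what the env says to */
++ if (sandbox_log_env) {
++ /* If the env is viable, roll with it. We aren't really
++ * about people breaking the security of the sandbox by
++ * exporting SANDBOX_LOG=/dev/null.
++ */
+ strncpy(path, sandbox_log_env, SB_PATH_MAX);
+ } else {
+- /* THIS CHUNK BREAK THINGS BY DOING THIS:
+- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
+- */
+- if ((NULL != sandbox_log_env) &&
+- (NULL != strchr(sandbox_log_env, '/')))
+- sandbox_log_env = NULL;
+-
+ snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
+ SANDBOX_LOG_LOCATION, prefix,
+ (sandbox_log_env == NULL ? "" : sandbox_log_env),
+--
+1.8.1.2
+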
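Review bot: Now that the branch is taken for any non-NULL SANDBOX_LOG value instead of only under ENV_SANDBOX_TESTING, the unchanged `strncpy(path, sandbox_log_env, SB_PATH_MAX);` below the new comment is reachable with arbitrary environment input, and strncpy leaves `path` without a terminating NUL when the value is SB_PATH_MAX bytes or longer; either add `path[SB_PATH_MAX - 1] = '\0';` after it or write it as `snprintf(path, SB_PATH_MAX, "%s", sandbox_log_env);` to match the else branch. With the same change the else branch is only entered when sandbox_log_env is NULL, so the `(sandbox_log_env == NULL ? "" : sandbox_log_env)` argument on the last context line is now always `""` and could be simplified to a plain `""` in a follow-up. The new comment also drops a word — `We aren't really about people` reads as `We aren't really worried about people`. _get_sb_log begins and ends outside the hunk.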
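diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
new file mode 100644
index 0000000..0101ece
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
@@ -0,0 +1,54 @@
+From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Mon, 24 Dec 2012 18:46:29 -0500
+Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
+
+We don't check for O_NOFOLLOW in the open wrappers, so we end up
+returning the wrong error when operating on broken symlinks.
+
+URL: https://bugs.gentoo.org/413441
+Reported-by: Marien Zwart <marienz@g.o>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsandbox/wrapper-funcs/__64_post.h | 1 +
+ libsandbox/wrapper-funcs/__64_pre.h | 1 +
+ libsandbox/wrapper-funcs/openat_pre_check.c | 2 +-
+ tests/open-2.sh | 10 ++++++++++
+ tests/open.at | 1 +
+ 5 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100755 tests/open-2.sh
+
+diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
+index 2fd2182..82d2a16 100644
+--- a/libsandbox/wrapper-funcs/__64_post.h
++++ b/libsandbox/wrapper-funcs/__64_post.h
+@@ -1,3 +1,4 @@
+ #undef SB64
+ #undef stat
++#undef lstat
+ #undef off_t
+diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
+index 2132110..0b34b25 100644
+--- a/libsandbox/wrapper-funcs/__64_pre.h
++++ b/libsandbox/wrapper-funcs/__64_pre.h
+@@ -1,3 +1,4 @@
+ #define SB64
+ #define stat stat64
++#define lstat lstat64
+ #define off_t off64_t
+diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
+index c827ee6..0127708 100644
+--- a/libsandbox/wrapper-funcs/openat_pre_check.c
++++ b/libsandbox/wrapper-funcs/openat_pre_check.c
+@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
+
+ /* Doesn't exist -> skip permission checks */
+ struct stat st;
+- if (-1 == stat(pathname, &st)) {
++ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
+ func, pathname, strerror(errno));
+ return false;
+--
+1.8.1.2
+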
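diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
new file mode 100644
index 0000000..7fc0972
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
@@ -0,0 +1,93 @@
+From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Sat, 23 Jun 2012 11:52:51 -0700
+Subject: [PATCH] libsandbox: clean up open file handles in parent tracing
+ process
+
+Currently, if a non-static app sets up a pipe (with cloexec enabled) and
+executes a static app, the handle to that pipe is left open in the parent
+process. This causes trouble when the parent is waiting for that to be
+closed immediately.
+
+Since none of the fds in the forked parent process matter to us, we can
+just go ahead and clean up all fds before we start tracing the child.
+
+URL: http://bugs.gentoo.org/364877
+Reported-by: Victor Stinner <victor.stinner@×××××××××.com>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsandbox/trace.c | 3 +-
+ libsbutil/sb_close.c | 26 +++++++++++-
+ libsbutil/sbutil.h | 1 +
+ tests/Makefile.am | 2 +
+ tests/pipe-fork_static_tst.c | 18 +++++++++
+ tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/script-9.sh | 5 +++
+ tests/script.at | 1 +
+ 8 files changed, 149 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pipe-fork_static_tst.c
+ create mode 100644 tests/pipe-fork_tst.c
+ create mode 100755 tests/script-9.sh
+
+diff --git a/libsandbox/trace.c b/libsandbox/trace.c
+index 32ad2d6..dfbab18 100644
+--- a/libsandbox/trace.c
++++ b/libsandbox/trace.c
+@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[])
+ /* Not all kernel versions support this, so ignore return */
+ ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
+ #endif
++ sb_close_all_fds();
+ trace_loop();
+- return;
++ sb_ebort("ISE: child should have quit, as should we\n");
+ }
+
+ sb_debug("child setting up ...");
+diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c
+index 17a4560..5379197 100644
+--- a/libsbutil/sb_close.c
++++ b/libsbutil/sb_close.c
+@@ -29,3 +29,27 @@ int sb_close(int fd)
+
+ return res;
+ }
++
++/* Quickly close all the open fds (good for daemonization) */
++void sb_close_all_fds(void)
++{
++ DIR *dirp;
++ struct dirent *de;
++ int dfd, fd;
++ const char *fd_dir = sb_get_fd_dir();
++
++ dirp = opendir(fd_dir);
++ if (!dirp)
++ sb_ebort("could not process %s\n", fd_dir);
++ dfd = dirfd(dirp);
++
++ while ((de = readdir(dirp)) != NULL) {
++ if (de->d_name[0] == '.')
++ continue;
++ fd = atoi(de->d_name);
++ if (fd != dfd)
++ close(fd);
++ }
++
++ closedir(dirp);
++}
+diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
+index 02b88cb..479734b 100644
+--- a/libsbutil/sbutil.h
++++ b/libsbutil/sbutil.h
+@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode);
+ size_t sb_read(int fd, void *buf, size_t count);
+ size_t sb_write(int fd, const void *buf, size_t count);
+ int sb_close(int fd);
++void sb_close_all_fds(void);
+ int sb_copy_file_to_fd(const char *file, int ofd);
+
+ /* Reliable output */
+--
+1.8.1.2
+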
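Review bot: sb_close_all_fds calls `close(fd)` while still walking the directory stream that enumerates those same descriptors, and whether entries removed mid-walk can be skipped depends on how the kernel and libc buffer the listing; the usual safe shapes are to collect the numbers into a small array first and close after `closedir`, or to loop numerically up to the descriptor limit and close unconditionally. Nothing in the loop exempts 0, 1 and 2, so the tracing parent runs `trace_loop()` and the new `sb_ebort(...)` call with its stdio closed — presumably fine if sb_ebort reports through the log file rather than stderr, which I cannot confirm from the hunk, so a one-line comment at the call site in trace.c stating where diagnostics go after this point would help. `atoi` silently yields 0 for a non-numeric name, which the `d_name[0] == '.'` skip does not fully rule out; `strtol` with an end-pointer check would make the intent explicit.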
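diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
new file mode 100644
index 0000000..7e73822
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
@@ -0,0 +1,27 @@
+From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Fri, 6 Jul 2012 14:58:16 -0400
+Subject: [PATCH] libsandbox: fix hppa trace code
+
+URL: https://bugs.gentoo.org/425062
+Reported-by: Jeroen Roovers <jer@g.o>
+Signed-off-by: Mike Frysinger <vapier@g.o>
+---
+ libsandbox/trace/linux/hppa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
+index d23b0d1..5414354 100644
+--- a/libsandbox/trace/linux/hppa.c
++++ b/libsandbox/trace/linux/hppa.c
+@@ -1,5 +1,5 @@
+-#define trace_reg_sysnum (20 * 4) /* PT_GR20 */
+-#define trace_reg_ret (28 * 4) /* PT_GR28 */
++#define trace_reg_sysnum gr[20]
++#define trace_reg_ret gr[28]
+
+ static unsigned long trace_arg(void *vregs, int num)
+ {
+--
+1.7.9.7
+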
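diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
new file mode 100644
index 0000000..25130d2
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
@@ -0,0 +1,132 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/sandbox-2.6-r1.ebuild,v 1.12 2013/07/02 07:43:42 ago Exp $
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit autotools eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
+IUSE="multilib pch"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+sb_foreach_abi() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Running $1 for ABI=${ABI}..."
+ "$@"
+ done
+ ABI=${OABI}
+}
+
+src_unpack() {
+ unpacker
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062
+ epatch "${FILESDIR}"/${P}-log-var.patch
+ epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877
+ epatch "${FILESDIR}"/${P}-desktop.patch #443672
+ epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441
+ epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929
+ epatch "${FILESDIR}"/${P}-hardened-pch.patch #425524
+ epatch_user
+
+ eautoreconf
+}
+
+sb_configure() {
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf $(use_enable pch) ${myconf} || die
+}
+
+sb_compile() {
+ emake || die
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ # Run configures in parallel!
+ multijob_init
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ multijob_child_init sb_configure
+ done
+ ABI=${OABI}
+ multijob_finish
+
+ sb_foreach_abi sb_compile
+}
+
+sb_test() {
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
+}
+
+src_test() {
+ sb_foreach_abi sb_test
+}
+
+sb_install() {
+ emake DESTDIR="${D}" install || die
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+}
+
+src_install() {
+ sb_foreach_abi sb_install
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}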
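Review bot: `IUSE="multilib pch"` together with `econf $(use_enable pch)` in sb_configure turns pre-compiled headers off for every user by default, because a USE flag is unset unless the ebuild or a profile enables it, while the configure default introduced by the hardened-pch patch is `enable_pch="yes"`; if the flag exists so that hardened profiles can opt out, `IUSE="multilib +pch"` preserves the upstream default for everyone else and lets the hardened profile mask it. The diffstat lists no metadata.xml, so the new local flag ships without a description; add a `<flag name="pch">` entry there describing that it controls sandbox's pre-compiled headers and why hardened toolchains may need it off, otherwise repoman should warn about an undocumented IUSE entry. The `$Header:` CVS line still names the unmodified gentoo-x86 revision even though this copy adds a flag and an extra patch, which is harmless but worth a short comment such as `# local: adds USE=pch and the hardened-pch patch` near the top so the divergence is visible.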