commit: 66af02c4670b0c8547c27810c1e2ddbe60c5788c |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
AuthorDate: Thu Feb 8 07:53:09 2018 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Thu Feb 8 07:59:22 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66af02c4 |
|
sys-apps/man-db: Revbump adding seccomp support. Removed old. |
|
Package-Manager: Portage-2.3.24, Repoman-2.3.6 |
|
.../files/man-db-2.8.0-libseccomp_automagic.patch | 99 +++++++++++++--- |
.../files/man-db-2.8.0-refactor_drop_privs.patch | 120 ++++++++++++++++++++ |
.../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 +++++++++++++++++++++ |
...{man-db-2.8.0.ebuild => man-db-2.8.0-r1.ebuild} | 19 ++-- |
4 files changed, 335 insertions(+), 29 deletions(-) |
|
diff --git a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch |
19 |
index 333bc5fe295..cf9c1257317 100644 |
20 |
--- a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch |
21 |
+++ b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch |
22 |
@@ -1,42 +1,107 @@ |
23 |
-From c693c0d6c41e777def51984035710779697d1989 Mon Sep 17 00:00:00 2001 |
24 |
+From 3d4ab15670079aa8e898f80a650b3be941230486 Mon Sep 17 00:00:00 2001 |
25 |
From: Lars Wendler <polynomial-c@g.o> |
26 |
-Date: Tue, 6 Feb 2018 14:41:22 +0100 |
27 |
-Subject: [PATCH] Change libseccomp logic to not be automagic only. |
28 |
+Date: Tue, 6 Feb 2018 15:30:21 +0100 |
29 |
+Subject: [PATCH] Change libseccomp logic to not be automagic only |
30 |
|
31 |
-Introduce --with-libseccomp configure option so that users can disable |
32 |
-seccomp even if libseccomp is available on the system. |
33 |
-The default is unchanged to before this patch. If no --with(out)-libseccomp |
34 |
-has been given on command line, the macro looks for presence of libseccomp |
35 |
-and uses that if found. |
36 |
+Introduce --without-libseccomp configure option so that users can |
37 |
+disable seccomp even if libseccomp is available on the system. |
38 |
+ |
39 |
+The default is unchanged from before this patch. If no |
40 |
+--with(out)-libseccomp has been given on the command line, the macro |
41 |
+looks for presence of libseccomp and uses that if found. |
42 |
+ |
43 |
+* m4/man-libseccomp.m4: Guard pkg-config test with a command-line |
44 |
+option. |
45 |
--- |
46 |
- m4/man-libseccomp.m4 | 19 ++++++++++++++----- |
47 |
- 1 file changed, 14 insertions(+), 5 deletions(-) |
48 |
|
49 |
+diff --git a/configure b/configure |
50 |
+index 3f949306..8eaca64e 100755 |
51 |
+--- a/configure |
52 |
++++ b/configure |
53 |
+@@ -1718,6 +1718,7 @@ with_included_regex |
54 |
+ enable_nls |
55 |
+ with_libiconv_prefix |
56 |
+ with_libintl_prefix |
57 |
++with_libseccomp |
58 |
+ ' |
59 |
+ ac_precious_vars='build_alias |
60 |
+ host_alias |
61 |
+@@ -2459,6 +2460,7 @@ Optional Packages: |
62 |
+ --without-libiconv-prefix don't search for libiconv in includedir and libdir |
63 |
+ --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib |
64 |
+ --without-libintl-prefix don't search for libintl in includedir and libdir |
65 |
++ --without-libseccomp do not confine subprocesses using seccomp |
66 |
+ |
67 |
+ Some influential environment variables: |
68 |
+ CC C compiler command |
69 |
+@@ -47295,6 +47297,15 @@ fi |
70 |
+ |
71 |
+ # Check for libseccomp library. |
72 |
+ |
73 |
++# Check whether --with-libseccomp was given. |
74 |
++if test "${with_libseccomp+set}" = set; then : |
75 |
++ withval=$with_libseccomp; |
76 |
++else |
77 |
++ with_libseccomp=check |
78 |
++fi |
79 |
++ |
80 |
++ if test "x$with_libseccomp" != "xno"; then |
81 |
++ |
82 |
+ pkg_failed=no |
83 |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libseccomp" >&5 |
84 |
+ $as_echo_n "checking for libseccomp... " >&6; } |
85 |
+@@ -47353,11 +47364,15 @@ fi |
86 |
+ # Put the nasty error message in config.log where it belongs |
87 |
+ echo "$libseccomp_PKG_ERRORS" >&5 |
88 |
+ |
89 |
+- : |
90 |
++ if test "x$with_libseccomp" = "xyes"; then |
91 |
++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5 |
92 |
++ fi |
93 |
+ elif test $pkg_failed = untried; then |
94 |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 |
95 |
+ $as_echo "no" >&6; } |
96 |
+- : |
97 |
++ if test "x$with_libseccomp" = "xyes"; then |
98 |
++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5 |
99 |
++ fi |
100 |
+ else |
101 |
+ libseccomp_CFLAGS=$pkg_cv_libseccomp_CFLAGS |
102 |
+ libseccomp_LIBS=$pkg_cv_libseccomp_LIBS |
103 |
+@@ -47367,6 +47382,7 @@ $as_echo "yes" >&6; } |
104 |
+ $as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h |
105 |
+ |
106 |
+ fi |
107 |
++ fi |
108 |
+ |
109 |
+ |
110 |
+ { $as_echo "$as_me:${as_lineno-$LINENO}: default CC = \"$CC\"" >&5 |
111 |
diff --git a/m4/man-libseccomp.m4 b/m4/man-libseccomp.m4 |
112 |
-index a9377317..17a52f72 100644 |
113 |
+index a9377317..c90e3aa4 100644 |
114 |
--- a/m4/man-libseccomp.m4 |
115 |
+++ b/m4/man-libseccomp.m4 |
116 |
@@ -1,9 +1,18 @@ |
117 |
- # man-libseccomp.m4 serial 1 |
118 |
+-# man-libseccomp.m4 serial 1 |
119 |
++# man-libseccomp.m4 serial 2 |
120 |
dnl MAN_LIBSECCOMP |
121 |
-dnl Check for the libseccomp library. |
122 |
-+dnl Add a --with-libseccomp option. |
123 |
++dnl Add a --without-libseccomp option; check for the libseccomp library. |
124 |
AC_DEFUN([MAN_LIBSECCOMP], |
125 |
-[PKG_CHECK_MODULES([libseccomp], [libseccomp], |
126 |
- [AC_DEFINE([HAVE_LIBSECCOMP], [1], |
127 |
- [Define to 1 if you have the `libseccomp' library.])], |
128 |
- [:]) |
129 |
+ [AC_ARG_WITH([libseccomp], |
130 |
-+ [AS_HELP_STRING([--with-libseccomp], |
131 |
-+ [use libseccomp to do most subprocessing])], |
132 |
++ [AS_HELP_STRING([--without-libseccomp], |
133 |
++ [do not confine subprocesses using seccomp])], |
134 |
+ [], |
135 |
+ [with_libseccomp=check]) |
136 |
+ if test "x$with_libseccomp" != "xno"; then |
137 |
+ PKG_CHECK_MODULES([libseccomp], [libseccomp], |
138 |
+ [AC_DEFINE([HAVE_LIBSECCOMP], [1], |
139 |
+ [Define to 1 if you have the `libseccomp' library.])], |
140 |
-+ [if test "xyes" = "x$with_libseccomp"; then |
141 |
-+ AC_MSG_ERROR(--with-libseccomp given but cannot find libseccomp) |
142 |
++ [if test "x$with_libseccomp" = "xyes"; then |
143 |
++ AC_MSG_ERROR([--with-libseccomp given but cannot find libseccomp]) |
144 |
+ fi]) |
145 |
+ fi |
146 |
]) # MAN_LIBSECCOMP |
147 |
|
148 |
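Review bot: The new hunk against the generated `configure` script (the `@@ -47295` and `@@ -47353` regions) hand-mirrors the m4/man-libseccomp.m4 change instead of being regenerated, so the two must be kept in lockstep and this part of the patch will only apply to the 2.8.0 tarball it was written against. That is a fair trade for no longer running eautoreconf, but the patch description lists only `* m4/man-libseccomp.m4:` as changed. Add a line such as `* configure: Regenerate (edited by hand against the 2.8.0 release).` so that whoever bumps the package next knows the configure hunk has to be redone rather than merely rebased.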
diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch |
149 |
new file mode 100644 |
150 |
index 00000000000..87db57afb9e |
151 |
--- /dev/null |
152 |
+++ b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch |
153 |
@@ -0,0 +1,120 @@ |
154 |
+From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001 |
155 |
+From: Colin Watson <cjwatson@××××××.org> |
156 |
+Date: Wed, 7 Feb 2018 12:23:15 +0000 |
157 |
+Subject: Refactor do_system_drop_privs |
158 |
+ |
159 |
+Now that we have pipecmd_pre_exec, this can be simplified quite a bit. |
160 |
+ |
161 |
+* lib/security.c (drop_privs): New function. |
162 |
+(do_system_drop_privs_child, do_system_drop_privs): Remove. |
163 |
+* lib/security.h (drop_privs): Add prototype. |
164 |
+(do_system_drop_privs): Remove prototype. |
165 |
+* src/man.c (make_browser): Add drop_privs pre-exec hook to browser |
166 |
+command. |
167 |
+(format_display): Call browser using pipeline_run rather than |
168 |
+do_system_drop_privs, since it now has a pre-exec hook to drop |
169 |
+privileges. |
170 |
+--- |
171 |
+ lib/security.c | 37 +++---------------------------------- |
172 |
+ lib/security.h | 2 +- |
173 |
+ src/man.c | 7 +++++-- |
174 |
+ 3 files changed, 9 insertions(+), 37 deletions(-) |
175 |
+ |
176 |
+diff --git a/lib/security.c b/lib/security.c |
177 |
+index 6e84de8..c9b365d 100644 |
178 |
+--- a/lib/security.c |
179 |
++++ b/lib/security.c |
180 |
+@@ -158,42 +158,11 @@ void regain_effective_privs (void) |
181 |
+ #endif /* MAN_OWNER */ |
182 |
+ } |
183 |
+ |
184 |
+-#ifdef MAN_OWNER |
185 |
+-void do_system_drop_privs_child (void *data) |
186 |
++/* Pipeline command pre-exec hook to permanently drop privileges. */ |
187 |
++void drop_privs (void *data ATTRIBUTE_UNUSED) |
188 |
+ { |
189 |
+- pipeline *p = data; |
190 |
+- |
191 |
++#ifdef MAN_OWNER |
192 |
+ if (idpriv_drop ()) |
193 |
+ gripe_set_euid (); |
194 |
+- exit (pipeline_run (p)); |
195 |
+-} |
196 |
+-#endif /* MAN_OWNER */ |
197 |
+- |
198 |
+-/* The safest way to execute a pipeline with no effective privileges is to |
199 |
+- * fork, permanently drop privileges in the child, run the pipeline from the |
200 |
+- * child, and wait for it to die. |
201 |
+- * |
202 |
+- * It is possible to use saved IDs to avoid the fork, since effective IDs |
203 |
+- * are copied to saved IDs on execve; we used to do this. However, forking |
204 |
+- * is not expensive enough to justify the extra code. |
205 |
+- * |
206 |
+- * Note that this frees the supplied pipeline. |
207 |
+- */ |
208 |
+-int do_system_drop_privs (pipeline *p) |
209 |
+-{ |
210 |
+-#ifdef MAN_OWNER |
211 |
+- pipecmd *child_cmd; |
212 |
+- pipeline *child; |
213 |
+- int status; |
214 |
+- |
215 |
+- child_cmd = pipecmd_new_function ("unprivileged child", |
216 |
+- do_system_drop_privs_child, NULL, p); |
217 |
+- child = pipeline_new_commands (child_cmd, NULL); |
218 |
+- status = pipeline_run (child); |
219 |
+- |
220 |
+- pipeline_free (p); |
221 |
+- return status; |
222 |
+-#else /* !MAN_OWNER */ |
223 |
+- return pipeline_run (p); |
224 |
+ #endif /* MAN_OWNER */ |
225 |
+ } |
226 |
+diff --git a/lib/security.h b/lib/security.h |
227 |
+index 7545502..851127d 100644 |
228 |
+--- a/lib/security.h |
229 |
++++ b/lib/security.h |
230 |
+@@ -27,7 +27,7 @@ |
231 |
+ /* security.c */ |
232 |
+ extern void drop_effective_privs (void); |
233 |
+ extern void regain_effective_privs (void); |
234 |
+-extern int do_system_drop_privs (struct pipeline *p); |
235 |
++extern void drop_privs (void *data); |
236 |
+ extern void init_security (void); |
237 |
+ extern int running_setuid (void); |
238 |
+ extern struct passwd *get_man_owner (void); |
239 |
+diff --git a/src/man.c b/src/man.c |
240 |
+index 959d6cc..ff7ebc7 100644 |
241 |
+--- a/src/man.c |
242 |
++++ b/src/man.c |
243 |
+@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file, |
244 |
+ static pipeline *make_browser (const char *pattern, const char *file) |
245 |
+ { |
246 |
+ pipeline *p; |
247 |
++ pipecmd *cmd; |
248 |
+ char *browser = xmalloc (1); |
249 |
+ int found_percent_s = 0; |
250 |
+ char *percent; |
251 |
+@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file) |
252 |
+ free (esc_file); |
253 |
+ } |
254 |
+ |
255 |
+- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL); |
256 |
++ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL); |
257 |
++ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL); |
258 |
++ p = pipeline_new_commands (cmd, NULL); |
259 |
+ pipeline_ignore_signals (p, 1); |
260 |
+ free (browser); |
261 |
+ |
262 |
+@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp, |
263 |
+ pipeline *browser; |
264 |
+ debug ("Trying browser: %s\n", candidate); |
265 |
+ browser = make_browser (candidate, htmlfile); |
266 |
+- disp_status = do_system_drop_privs (browser); |
267 |
++ disp_status = pipeline_run (browser); |
268 |
+ if (!disp_status) |
269 |
+ break; |
270 |
+ } |
271 |
+-- |
272 |
+cgit v1.0-41-gc330 |
273 |
+ |
274 |
|
275 |
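Review bot: The new drop_privs() hook in the lib/security.c hunk relies on gripe_set_euid() never returning: if idpriv_drop() fails and gripe_set_euid() only reports the problem, the hook falls through and make_browser's `/bin/sh -c` child is exec'd with exactly the setuid privileges it was meant to shed. gripe_set_euid() is not part of this patch, so confirm it is fatal and record that at the call site, e.g. `/* gripe_set_euid() must not return: continuing would exec with privileges. */`. The removed comment above do_system_drop_privs also states that it freed the supplied pipeline, while format_display now calls `pipeline_run (browser)` in its place; whether pipeline_run frees the pipeline is not visible here, so check the libpipeline contract to rule out a leak or a double free. Both make_browser and format_display begin outside their hunks.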
diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch |
276 |
new file mode 100644 |
277 |
index 00000000000..f513ee8cca6 |
278 |
--- /dev/null |
279 |
+++ b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch |
280 |
@@ -0,0 +1,126 @@ |
281 |
+From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001 |
282 |
+From: Colin Watson <cjwatson@××××××.org> |
283 |
+Date: Wed, 7 Feb 2018 13:44:30 +0000 |
284 |
+Subject: [PATCH] Fix manconv under seccomp when man is setuid |
285 |
+ |
286 |
+We must drop privileges before loading the sandbox. |
287 |
+ |
288 |
+Reported by Lars Wendler. |
289 |
+ |
290 |
+* src/manconv_client.c (manconv_pre_exec): New function. |
291 |
+(manconv_stdin): Move setuid hack to ... |
292 |
+(add_manconv): ... here, now implemented using a custom pre-exec hook. |
293 |
+We no longer have a fall-through if dropping privileges fails, since |
294 |
+that's now harder to do and wasn't really necessary in the first place. |
295 |
+--- |
296 |
+ src/manconv_client.c | 80 +++++++++++++++++++++++++++++----------------------- |
297 |
+ 1 file changed, 45 insertions(+), 35 deletions(-) |
298 |
+ |
299 |
+diff --git a/src/manconv_client.c b/src/manconv_client.c |
300 |
+index d6e010b0..41ce4790 100644 |
301 |
+--- a/src/manconv_client.c |
302 |
++++ b/src/manconv_client.c |
303 |
+@@ -56,41 +56,6 @@ static void manconv_stdin (void *data) |
304 |
+ struct manconv_codes *codes = data; |
305 |
+ pipeline *p; |
306 |
+ |
307 |
+-#ifdef MAN_OWNER |
308 |
+- /* iconv_open may not work correctly in setuid processes; in GNU |
309 |
+- * libc, gconv modules may be linked against other gconv modules and |
310 |
+- * rely on RPATH $ORIGIN to load those modules from the correct |
311 |
+- * path, but $ORIGIN is disabled in setuid processes. It is |
312 |
+- * impossible to reset libc's idea of setuidness without creating a |
313 |
+- * whole new process image. Therefore, if the calling process is |
314 |
+- * setuid, we must drop privileges and execute manconv. |
315 |
+- * |
316 |
+- * If dropping privileges fails, fall through to the in-process |
317 |
+- * code, as in some situations it may actually manage to work. |
318 |
+- */ |
319 |
+- if (running_setuid () && !idpriv_drop ()) { |
320 |
+- char **from_code; |
321 |
+- char *sources = NULL; |
322 |
+- pipecmd *cmd; |
323 |
+- |
324 |
+- for (from_code = codes->from; *from_code; ++from_code) { |
325 |
+- sources = appendstr (sources, *from_code, NULL); |
326 |
+- if (*(from_code + 1)) |
327 |
+- sources = appendstr (sources, ":", NULL); |
328 |
+- } |
329 |
+- |
330 |
+- cmd = pipecmd_new_args (MANCONV, "-f", sources, |
331 |
+- "-t", codes->to, NULL); |
332 |
+- free (sources); |
333 |
+- |
334 |
+- if (quiet >= 2) |
335 |
+- pipecmd_arg (cmd, "-q"); |
336 |
+- |
337 |
+- pipecmd_exec (cmd); |
338 |
+- /* never returns */ |
339 |
+- } |
340 |
+-#endif /* MAN_OWNER */ |
341 |
+- |
342 |
+ p = decompress_fdopen (dup (STDIN_FILENO)); |
343 |
+ pipeline_start (p); |
344 |
+ manconv (p, codes->from, codes->to); |
345 |
+@@ -98,6 +63,17 @@ static void manconv_stdin (void *data) |
346 |
+ pipeline_free (p); |
347 |
+ } |
348 |
+ |
349 |
++#ifdef MAN_OWNER |
350 |
++static void manconv_pre_exec (void *data) |
351 |
++{ |
352 |
++ /* We must drop privileges before loading the sandbox, since our |
353 |
++ * seccomp filter doesn't allow setresuid and friends. |
354 |
++ */ |
355 |
++ drop_privs (NULL); |
356 |
++ sandbox_load (data); |
357 |
++} |
358 |
++#endif /* MAN_OWNER */ |
359 |
++ |
360 |
+ static void free_manconv_codes (void *data) |
361 |
+ { |
362 |
+ struct manconv_codes *codes = data; |
363 |
+@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target) |
364 |
+ name = appendstr (name, " -t ", codes->to, NULL); |
365 |
+ if (quiet >= 2) |
366 |
+ name = appendstr (name, " -q", NULL); |
367 |
++ |
368 |
++#ifdef MAN_OWNER |
369 |
++ /* iconv_open may not work correctly in setuid processes; in GNU |
370 |
++ * libc, gconv modules may be linked against other gconv modules and |
371 |
++ * rely on RPATH $ORIGIN to load those modules from the correct |
372 |
++ * path, but $ORIGIN is disabled in setuid processes. It is |
373 |
++ * impossible to reset libc's idea of setuidness without creating a |
374 |
++ * whole new process image. Therefore, if the calling process is |
375 |
++ * setuid, we must drop privileges and execute manconv. |
376 |
++ */ |
377 |
++ if (running_setuid ()) { |
378 |
++ char **from_code; |
379 |
++ char *sources = NULL; |
380 |
++ |
381 |
++ cmd = pipecmd_new_args (MANCONV, "-f", NULL); |
382 |
++ for (from_code = codes->from; *from_code; ++from_code) { |
383 |
++ sources = appendstr (sources, *from_code, NULL); |
384 |
++ if (*(from_code + 1)) |
385 |
++ sources = appendstr (sources, ":", NULL); |
386 |
++ } |
387 |
++ pipecmd_arg (cmd, sources); |
388 |
++ free (sources); |
389 |
++ pipecmd_args (cmd, "-t", codes->to, NULL); |
390 |
++ if (quiet >= 2) |
391 |
++ pipecmd_arg (cmd, "-q"); |
392 |
++ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free, |
393 |
++ sandbox); |
394 |
++ free (name); |
395 |
++ free_manconv_codes (codes); |
396 |
++ pipeline_command (p, cmd); |
397 |
++ return; |
398 |
++ } |
399 |
++#endif /* MAN_OWNER */ |
400 |
++ |
401 |
+ cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes, |
402 |
+ codes); |
403 |
+ free (name); |
404 |
+-- |
405 |
+2.16.1 |
406 |
+ |
407 |
|
408 |
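Review bot: In the setuid branch added to add_manconv (third hunk of src/manconv_client.c), `sources` stays NULL when `codes->from` has no entries and is then handed to `pipecmd_arg (cmd, sources)`; the code being replaced passed it inside a NULL-terminated pipecmd_new_args list, where a NULL merely ended the argument list, so the two differ on that edge. Whether callers guarantee at least one source encoding is not visible here; either guard it (`if (sources) pipecmd_arg (cmd, sources);`) or state the precondition in a comment. The patch description says the old fall-through on idpriv_drop() failure is gone, so manconv_pre_exec now depends entirely on drop_privs() failing loudly before sandbox_load(); a one-line comment at the `drop_privs (NULL);` call saying the hook must never continue with privileges intact would make that intent explicit to the next reader. add_manconv starts outside the hunk.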
diff --git a/sys-apps/man-db/man-db-2.8.0.ebuild b/sys-apps/man-db/man-db-2.8.0-r1.ebuild |
409 |
similarity index 87% |
410 |
rename from sys-apps/man-db/man-db-2.8.0.ebuild |
411 |
rename to sys-apps/man-db/man-db-2.8.0-r1.ebuild |
412 |
index 10c1e80763d..1ff3ca11d5c 100644 |
413 |
--- a/sys-apps/man-db/man-db-2.8.0.ebuild |
414 |
+++ b/sys-apps/man-db/man-db-2.8.0-r1.ebuild |
415 |
@@ -3,7 +3,7 @@ |
416 |
|
417 |
EAPI=6 |
418 |
|
419 |
-inherit autotools ltprune user versionator |
420 |
+inherit ltprune user versionator |
421 |
|
422 |
DESCRIPTION="a man replacement that utilizes berkdb instead of flat files" |
423 |
HOMEPAGE="http://www.nongnu.org/man-db/" |
424 |
@@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz" |
425 |
LICENSE="GPL-3" |
426 |
SLOT="0" |
427 |
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux" |
428 |
-IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib" |
429 |
+IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib" |
430 |
|
431 |
CDEPEND=" |
432 |
!sys-apps/man |
433 |
@@ -21,6 +21,7 @@ CDEPEND=" |
434 |
berkdb? ( sys-libs/db:= ) |
435 |
gdbm? ( sys-libs/gdbm:= ) |
436 |
!berkdb? ( !gdbm? ( sys-libs/gdbm:= ) ) |
437 |
+ seccomp? ( sys-libs/libseccomp ) |
438 |
zlib? ( sys-libs/zlib ) |
439 |
" |
440 |
DEPEND=" |
441 |
@@ -39,7 +40,9 @@ RDEPEND=" |
442 |
PDEPEND="manpager? ( app-text/manpager )" |
443 |
|
444 |
PATCHES=( |
445 |
- "${FILESDIR}/${PN}-2.8.0-libseccomp_automagic.patch" |
446 |
+ "${FILESDIR}/${P}-refactor_drop_privs.patch" |
447 |
+ "${FILESDIR}/${P}-seccomp_suid.patch" |
448 |
+ "${FILESDIR}/${P}-libseccomp_automagic.patch" |
449 |
) |
450 |
|
451 |
pkg_setup() { |
452 |
@@ -52,11 +55,6 @@ pkg_setup() { |
453 |
fi |
454 |
} |
455 |
|
456 |
-src_prepare() { |
457 |
- default |
458 |
- eautoreconf |
459 |
-} |
460 |
- |
461 |
src_configure() { |
462 |
export ac_cv_lib_z_gzopen=$(usex zlib) |
463 |
local myeconfargs=( |
464 |
@@ -67,10 +65,7 @@ src_configure() { |
465 |
--with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" |
466 |
$(use_enable nls) |
467 |
$(use_enable static-libs static) |
468 |
- # fails to show any man page with this error message: |
469 |
- # man: /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE: Bad system call |
470 |
- # This will be made optional or hard enabled once the issue has been resolved. |
471 |
- --without-libseccomp |
472 |
+ $(use_with seccomp libseccomp) |
473 |
--with-db=$(usex gdbm gdbm $(usex berkdb db gdbm)) |
474 |
) |
475 |
econf "${myeconfargs[@]}" |
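Review bot: `$(use_with seccomp libseccomp)` now quietly depends on the two backported patches listed in PATCHES being applied, because the earlier comment explaining why seccomp was hard-disabled (manconv dying with `Bad system call` when man is setuid) disappears together with the workaround. A short comment next to it would keep that rationale for the next version bump, e.g. `# USE=seccomp needs the refactor_drop_privs and seccomp_suid patches (setuid manconv)`. Dropping `inherit autotools` and the eautoreconf src_prepare works only because the reworked automagic patch now edits the generated configure script directly; if a later revision touches m4/ again, eautoreconf has to come back. src_configure continues past the hunk.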