
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/man-db/files/, sys-apps/man-db/
Date: Thu, 08 Feb 2018 07:59:31
Message-Id: 1518076762.66af02c4670b0c8547c27810c1e2ddbe60c5788c.polynomial-c@gentoo
1 commit: 66af02c4670b0c8547c27810c1e2ddbe60c5788c
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Thu Feb 8 07:53:09 2018 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Thu Feb 8 07:59:22 2018 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66af02c4
7
8 sys-apps/man-db: Revbump adding seccomp support. Removed old.
9
10 Package-Manager: Portage-2.3.24, Repoman-2.3.6
11
12 .../files/man-db-2.8.0-libseccomp_automagic.patch | 99 +++++++++++++---
13 .../files/man-db-2.8.0-refactor_drop_privs.patch | 120 ++++++++++++++++++++
14 .../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 +++++++++++++++++++++
15 ...{man-db-2.8.0.ebuild => man-db-2.8.0-r1.ebuild} | 19 ++--
16 4 files changed, 335 insertions(+), 29 deletions(-)
17
18 diff --git a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch
19 index 333bc5fe295..cf9c1257317 100644
20 --- a/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch
21 +++ b/sys-apps/man-db/files/man-db-2.8.0-libseccomp_automagic.patch
22 @@ -1,42 +1,107 @@
23 -From c693c0d6c41e777def51984035710779697d1989 Mon Sep 17 00:00:00 2001
24 +From 3d4ab15670079aa8e898f80a650b3be941230486 Mon Sep 17 00:00:00 2001
25 From: Lars Wendler <polynomial-c@g.o>
26 -Date: Tue, 6 Feb 2018 14:41:22 +0100
27 -Subject: [PATCH] Change libseccomp logic to not be automagic only.
28 +Date: Tue, 6 Feb 2018 15:30:21 +0100
29 +Subject: [PATCH] Change libseccomp logic to not be automagic only
30
31 -Introduce --with-libseccomp configure option so that users can disable
32 -seccomp even if libseccomp is available on the system.
33 -The default is unchanged to before this patch. If no --with(out)-libseccomp
34 -has been given on command line, the macro looks for presence of libseccomp
35 -and uses that if found.
36 +Introduce --without-libseccomp configure option so that users can
37 +disable seccomp even if libseccomp is available on the system.
38 +
39 +The default is unchanged from before this patch. If no
40 +--with(out)-libseccomp has been given on the command line, the macro
41 +looks for presence of libseccomp and uses that if found.
42 +
43 +* m4/man-libseccomp.m4: Guard pkg-config test with a command-line
44 +option.
45 ---
46 - m4/man-libseccomp.m4 | 19 ++++++++++++++-----
47 - 1 file changed, 14 insertions(+), 5 deletions(-)
48
49 +diff --git a/configure b/configure
50 +index 3f949306..8eaca64e 100755
51 +--- a/configure
52 ++++ b/configure
53 +@@ -1718,6 +1718,7 @@ with_included_regex
54 + enable_nls
55 + with_libiconv_prefix
56 + with_libintl_prefix
57 ++with_libseccomp
58 + '
59 + ac_precious_vars='build_alias
60 + host_alias
61 +@@ -2459,6 +2460,7 @@ Optional Packages:
62 + --without-libiconv-prefix don't search for libiconv in includedir and libdir
63 + --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib
64 + --without-libintl-prefix don't search for libintl in includedir and libdir
65 ++ --without-libseccomp do not confine subprocesses using seccomp
66 +
67 + Some influential environment variables:
68 + CC C compiler command
69 +@@ -47295,6 +47297,15 @@ fi
70 +
71 + # Check for libseccomp library.
72 +
73 ++# Check whether --with-libseccomp was given.
74 ++if test "${with_libseccomp+set}" = set; then :
75 ++ withval=$with_libseccomp;
76 ++else
77 ++ with_libseccomp=check
78 ++fi
79 ++
80 ++ if test "x$with_libseccomp" != "xno"; then
81 ++
82 + pkg_failed=no
83 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libseccomp" >&5
84 + $as_echo_n "checking for libseccomp... " >&6; }
85 +@@ -47353,11 +47364,15 @@ fi
86 + # Put the nasty error message in config.log where it belongs
87 + echo "$libseccomp_PKG_ERRORS" >&5
88 +
89 +- :
90 ++ if test "x$with_libseccomp" = "xyes"; then
91 ++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5
92 ++ fi
93 + elif test $pkg_failed = untried; then
94 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
95 + $as_echo "no" >&6; }
96 +- :
97 ++ if test "x$with_libseccomp" = "xyes"; then
98 ++ as_fn_error $? "--with-libseccomp given but cannot find libseccomp" "$LINENO" 5
99 ++ fi
100 + else
101 + libseccomp_CFLAGS=$pkg_cv_libseccomp_CFLAGS
102 + libseccomp_LIBS=$pkg_cv_libseccomp_LIBS
103 +@@ -47367,6 +47382,7 @@ $as_echo "yes" >&6; }
104 + $as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h
105 +
106 + fi
107 ++ fi
108 +
109 +
110 + { $as_echo "$as_me:${as_lineno-$LINENO}: default CC = \"$CC\"" >&5
111 diff --git a/m4/man-libseccomp.m4 b/m4/man-libseccomp.m4
112 -index a9377317..17a52f72 100644
113 +index a9377317..c90e3aa4 100644
114 --- a/m4/man-libseccomp.m4
115 +++ b/m4/man-libseccomp.m4
116 @@ -1,9 +1,18 @@
117 - # man-libseccomp.m4 serial 1
118 +-# man-libseccomp.m4 serial 1
119 ++# man-libseccomp.m4 serial 2
120 dnl MAN_LIBSECCOMP
121 -dnl Check for the libseccomp library.
122 -+dnl Add a --with-libseccomp option.
123 ++dnl Add a --without-libseccomp option; check for the libseccomp library.
124 AC_DEFUN([MAN_LIBSECCOMP],
125 -[PKG_CHECK_MODULES([libseccomp], [libseccomp],
126 - [AC_DEFINE([HAVE_LIBSECCOMP], [1],
127 - [Define to 1 if you have the `libseccomp' library.])],
128 - [:])
129 + [AC_ARG_WITH([libseccomp],
130 -+ [AS_HELP_STRING([--with-libseccomp],
131 -+ [use libseccomp to do most subprocessing])],
132 ++ [AS_HELP_STRING([--without-libseccomp],
133 ++ [do not confine subprocesses using seccomp])],
134 + [],
135 + [with_libseccomp=check])
136 + if test "x$with_libseccomp" != "xno"; then
137 + PKG_CHECK_MODULES([libseccomp], [libseccomp],
138 + [AC_DEFINE([HAVE_LIBSECCOMP], [1],
139 + [Define to 1 if you have the `libseccomp' library.])],
140 -+ [if test "xyes" = "x$with_libseccomp"; then
141 -+ AC_MSG_ERROR(--with-libseccomp given but cannot find libseccomp)
142 ++ [if test "x$with_libseccomp" = "xyes"; then
143 ++ AC_MSG_ERROR([--with-libseccomp given but cannot find libseccomp])
144 + fi])
145 + fi
146 ]) # MAN_LIBSECCOMP
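Review bot: In the default `with_libseccomp=check` case a missing libseccomp is reported only by pkg-config's `checking for libseccomp... no` line, because both failure branches in the `configure` hunk and the m4 macro raise an error only when `--with-libseccomp` was given explicitly. Since the help string ties this option to confining subprocesses, a build that does not find the library loses that confinement quietly. A warning in the non-`yes` branch, for example `AC_MSG_WARN([libseccomp not found; subprocesses will not be confined by seccomp])`, would make the downgrade visible in the configure output. The patch also edits the generated `configure` alongside `m4/man-libseccomp.m4`, so the two copies of this logic have to be kept in step by hand.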
147
148 diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
149 new file mode 100644
150 index 00000000000..87db57afb9e
151 --- /dev/null
152 +++ b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
153 @@ -0,0 +1,120 @@
154 +From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
155 +From: Colin Watson <cjwatson@××××××.org>
156 +Date: Wed, 7 Feb 2018 12:23:15 +0000
157 +Subject: Refactor do_system_drop_privs
158 +
159 +Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
160 +
161 +* lib/security.c (drop_privs): New function.
162 +(do_system_drop_privs_child, do_system_drop_privs): Remove.
163 +* lib/security.h (drop_privs): Add prototype.
164 +(do_system_drop_privs): Remove prototype.
165 +* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
166 +command.
167 +(format_display): Call browser using pipeline_run rather than
168 +do_system_drop_privs, since it now has a pre-exec hook to drop
169 +privileges.
170 +---
171 + lib/security.c | 37 +++----------------------------------
172 + lib/security.h | 2 +-
173 + src/man.c | 7 +++++--
174 + 3 files changed, 9 insertions(+), 37 deletions(-)
175 +
176 +diff --git a/lib/security.c b/lib/security.c
177 +index 6e84de8..c9b365d 100644
178 +--- a/lib/security.c
179 ++++ b/lib/security.c
180 +@@ -158,42 +158,11 @@ void regain_effective_privs (void)
181 + #endif /* MAN_OWNER */
182 + }
183 +
184 +-#ifdef MAN_OWNER
185 +-void do_system_drop_privs_child (void *data)
186 ++/* Pipeline command pre-exec hook to permanently drop privileges. */
187 ++void drop_privs (void *data ATTRIBUTE_UNUSED)
188 + {
189 +- pipeline *p = data;
190 +-
191 ++#ifdef MAN_OWNER
192 + if (idpriv_drop ())
193 + gripe_set_euid ();
194 +- exit (pipeline_run (p));
195 +-}
196 +-#endif /* MAN_OWNER */
197 +-
198 +-/* The safest way to execute a pipeline with no effective privileges is to
199 +- * fork, permanently drop privileges in the child, run the pipeline from the
200 +- * child, and wait for it to die.
201 +- *
202 +- * It is possible to use saved IDs to avoid the fork, since effective IDs
203 +- * are copied to saved IDs on execve; we used to do this. However, forking
204 +- * is not expensive enough to justify the extra code.
205 +- *
206 +- * Note that this frees the supplied pipeline.
207 +- */
208 +-int do_system_drop_privs (pipeline *p)
209 +-{
210 +-#ifdef MAN_OWNER
211 +- pipecmd *child_cmd;
212 +- pipeline *child;
213 +- int status;
214 +-
215 +- child_cmd = pipecmd_new_function ("unprivileged child",
216 +- do_system_drop_privs_child, NULL, p);
217 +- child = pipeline_new_commands (child_cmd, NULL);
218 +- status = pipeline_run (child);
219 +-
220 +- pipeline_free (p);
221 +- return status;
222 +-#else /* !MAN_OWNER */
223 +- return pipeline_run (p);
224 + #endif /* MAN_OWNER */
225 + }
226 +diff --git a/lib/security.h b/lib/security.h
227 +index 7545502..851127d 100644
228 +--- a/lib/security.h
229 ++++ b/lib/security.h
230 +@@ -27,7 +27,7 @@
231 + /* security.c */
232 + extern void drop_effective_privs (void);
233 + extern void regain_effective_privs (void);
234 +-extern int do_system_drop_privs (struct pipeline *p);
235 ++extern void drop_privs (void *data);
236 + extern void init_security (void);
237 + extern int running_setuid (void);
238 + extern struct passwd *get_man_owner (void);
239 +diff --git a/src/man.c b/src/man.c
240 +index 959d6cc..ff7ebc7 100644
241 +--- a/src/man.c
242 ++++ b/src/man.c
243 +@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
244 + static pipeline *make_browser (const char *pattern, const char *file)
245 + {
246 + pipeline *p;
247 ++ pipecmd *cmd;
248 + char *browser = xmalloc (1);
249 + int found_percent_s = 0;
250 + char *percent;
251 +@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
252 + free (esc_file);
253 + }
254 +
255 +- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
256 ++ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
257 ++ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
258 ++ p = pipeline_new_commands (cmd, NULL);
259 + pipeline_ignore_signals (p, 1);
260 + free (browser);
261 +
262 +@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
263 + pipeline *browser;
264 + debug ("Trying browser: %s\n", candidate);
265 + browser = make_browser (candidate, htmlfile);
266 +- disp_status = do_system_drop_privs (browser);
267 ++ disp_status = pipeline_run (browser);
268 + if (!disp_status)
269 + break;
270 + }
271 +--
272 +cgit v1.0-41-gc330
273 +
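Review bot: `drop_privs` is a pre-exec hook with no return value, so after a failed `idpriv_drop ()` the only thing that keeps `/bin/sh -c browser` from being exec'd with man's effective privileges is `gripe_set_euid ()` not returning; that function is outside the hunk, so this should be confirmed and written down. A comment above the call such as `/* gripe_set_euid must not return: otherwise the command would be exec'd still privileged. */` would record the invariant. The same assumption carries over to `manconv_pre_exec` in man-db-2.8.0-seccomp_suid.patch, which calls `drop_privs (NULL)` and then `sandbox_load` unconditionally. A one-line comment at `disp_status = pipeline_run (browser);` in format_display would also help, noting that the privilege drop now lives in the hook installed by make_browser, since the call site no longer shows it (both functions continue outside the hunks shown).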
274
275 diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
276 new file mode 100644
277 index 00000000000..f513ee8cca6
278 --- /dev/null
279 +++ b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
280 @@ -0,0 +1,126 @@
281 +From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
282 +From: Colin Watson <cjwatson@××××××.org>
283 +Date: Wed, 7 Feb 2018 13:44:30 +0000
284 +Subject: [PATCH] Fix manconv under seccomp when man is setuid
285 +
286 +We must drop privileges before loading the sandbox.
287 +
288 +Reported by Lars Wendler.
289 +
290 +* src/manconv_client.c (manconv_pre_exec): New function.
291 +(manconv_stdin): Move setuid hack to ...
292 +(add_manconv): ... here, now implemented using a custom pre-exec hook.
293 +We no longer have a fall-through if dropping privileges fails, since
294 +that's now harder to do and wasn't really necessary in the first place.
295 +---
296 + src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
297 + 1 file changed, 45 insertions(+), 35 deletions(-)
298 +
299 +diff --git a/src/manconv_client.c b/src/manconv_client.c
300 +index d6e010b0..41ce4790 100644
301 +--- a/src/manconv_client.c
302 ++++ b/src/manconv_client.c
303 +@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
304 + struct manconv_codes *codes = data;
305 + pipeline *p;
306 +
307 +-#ifdef MAN_OWNER
308 +- /* iconv_open may not work correctly in setuid processes; in GNU
309 +- * libc, gconv modules may be linked against other gconv modules and
310 +- * rely on RPATH $ORIGIN to load those modules from the correct
311 +- * path, but $ORIGIN is disabled in setuid processes. It is
312 +- * impossible to reset libc's idea of setuidness without creating a
313 +- * whole new process image. Therefore, if the calling process is
314 +- * setuid, we must drop privileges and execute manconv.
315 +- *
316 +- * If dropping privileges fails, fall through to the in-process
317 +- * code, as in some situations it may actually manage to work.
318 +- */
319 +- if (running_setuid () && !idpriv_drop ()) {
320 +- char **from_code;
321 +- char *sources = NULL;
322 +- pipecmd *cmd;
323 +-
324 +- for (from_code = codes->from; *from_code; ++from_code) {
325 +- sources = appendstr (sources, *from_code, NULL);
326 +- if (*(from_code + 1))
327 +- sources = appendstr (sources, ":", NULL);
328 +- }
329 +-
330 +- cmd = pipecmd_new_args (MANCONV, "-f", sources,
331 +- "-t", codes->to, NULL);
332 +- free (sources);
333 +-
334 +- if (quiet >= 2)
335 +- pipecmd_arg (cmd, "-q");
336 +-
337 +- pipecmd_exec (cmd);
338 +- /* never returns */
339 +- }
340 +-#endif /* MAN_OWNER */
341 +-
342 + p = decompress_fdopen (dup (STDIN_FILENO));
343 + pipeline_start (p);
344 + manconv (p, codes->from, codes->to);
345 +@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
346 + pipeline_free (p);
347 + }
348 +
349 ++#ifdef MAN_OWNER
350 ++static void manconv_pre_exec (void *data)
351 ++{
352 ++ /* We must drop privileges before loading the sandbox, since our
353 ++ * seccomp filter doesn't allow setresuid and friends.
354 ++ */
355 ++ drop_privs (NULL);
356 ++ sandbox_load (data);
357 ++}
358 ++#endif /* MAN_OWNER */
359 ++
360 + static void free_manconv_codes (void *data)
361 + {
362 + struct manconv_codes *codes = data;
363 +@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
364 + name = appendstr (name, " -t ", codes->to, NULL);
365 + if (quiet >= 2)
366 + name = appendstr (name, " -q", NULL);
367 ++
368 ++#ifdef MAN_OWNER
369 ++ /* iconv_open may not work correctly in setuid processes; in GNU
370 ++ * libc, gconv modules may be linked against other gconv modules and
371 ++ * rely on RPATH $ORIGIN to load those modules from the correct
372 ++ * path, but $ORIGIN is disabled in setuid processes. It is
373 ++ * impossible to reset libc's idea of setuidness without creating a
374 ++ * whole new process image. Therefore, if the calling process is
375 ++ * setuid, we must drop privileges and execute manconv.
376 ++ */
377 ++ if (running_setuid ()) {
378 ++ char **from_code;
379 ++ char *sources = NULL;
380 ++
381 ++ cmd = pipecmd_new_args (MANCONV, "-f", NULL);
382 ++ for (from_code = codes->from; *from_code; ++from_code) {
383 ++ sources = appendstr (sources, *from_code, NULL);
384 ++ if (*(from_code + 1))
385 ++ sources = appendstr (sources, ":", NULL);
386 ++ }
387 ++ pipecmd_arg (cmd, sources);
388 ++ free (sources);
389 ++ pipecmd_args (cmd, "-t", codes->to, NULL);
390 ++ if (quiet >= 2)
391 ++ pipecmd_arg (cmd, "-q");
392 ++ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
393 ++ sandbox);
394 ++ free (name);
395 ++ free_manconv_codes (codes);
396 ++ pipeline_command (p, cmd);
397 ++ return;
398 ++ }
399 ++#endif /* MAN_OWNER */
400 ++
401 + cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
402 + codes);
403 + free (name);
404 +--
405 +2.16.1
406 +
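Review bot: `manconv_pre_exec` has no header comment saying that it is the pre-exec hook for the external manconv command and that `data` is the sandbox handed to `pipecmd_pre_exec`; the inner comment explains only the ordering. Something like `/* Pre-exec hook for the external manconv command; data is the sandbox to load once privileges are dropped. */` would cover it. The order of the two calls is load-bearing, as the inner comment says, and the comment removed from the ebuild in this commit records what a seccomp kill looks like to the user (`Bad system call` reported for manconv), which is worth mentioning there for whoever debugs a regression. add_manconv continues outside the hunk, so where `sandbox` is declared and who else holds it cannot be checked from here.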
407
408 diff --git a/sys-apps/man-db/man-db-2.8.0.ebuild b/sys-apps/man-db/man-db-2.8.0-r1.ebuild
409 similarity index 87%
410 rename from sys-apps/man-db/man-db-2.8.0.ebuild
411 rename to sys-apps/man-db/man-db-2.8.0-r1.ebuild
412 index 10c1e80763d..1ff3ca11d5c 100644
413 --- a/sys-apps/man-db/man-db-2.8.0.ebuild
414 +++ b/sys-apps/man-db/man-db-2.8.0-r1.ebuild
415 @@ -3,7 +3,7 @@
416
417 EAPI=6
418
419 -inherit autotools ltprune user versionator
420 +inherit ltprune user versionator
421
422 DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
423 HOMEPAGE="http://www.nongnu.org/man-db/"
424 @@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
425 LICENSE="GPL-3"
426 SLOT="0"
427 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
428 -IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
429 +IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib"
430
431 CDEPEND="
432 !sys-apps/man
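Review bot: `seccomp` is added to IUSE as default-off, so a stock install still gets `--without-libseccomp` from `$(use_with seccomp libseccomp)` in src_configure and the subprocess confinement stays disabled unless the user opts in. Now that the setuid manconv failure that forced `--without-libseccomp` is patched in this revision, consider `+seccomp` here. If it is meant to stay opt-in, a short comment giving the reason would help, for example kernels without seccomp filter support, which the visible hunks do not check for.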
433 @@ -21,6 +21,7 @@ CDEPEND="
434 berkdb? ( sys-libs/db:= )
435 gdbm? ( sys-libs/gdbm:= )
436 !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
437 + seccomp? ( sys-libs/libseccomp )
438 zlib? ( sys-libs/zlib )
439 "
440 DEPEND="
441 @@ -39,7 +40,9 @@ RDEPEND="
442 PDEPEND="manpager? ( app-text/manpager )"
443
444 PATCHES=(
445 - "${FILESDIR}/${PN}-2.8.0-libseccomp_automagic.patch"
446 + "${FILESDIR}/${P}-refactor_drop_privs.patch"
447 + "${FILESDIR}/${P}-seccomp_suid.patch"
448 + "${FILESDIR}/${P}-libseccomp_automagic.patch"
449 )
450
451 pkg_setup() {
452 @@ -52,11 +55,6 @@ pkg_setup() {
453 fi
454 }
455
456 -src_prepare() {
457 - default
458 - eautoreconf
459 -}
460 -
461 src_configure() {
462 export ac_cv_lib_z_gzopen=$(usex zlib)
463 local myeconfargs=(
464 @@ -67,10 +65,7 @@ src_configure() {
465 --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
466 $(use_enable nls)
467 $(use_enable static-libs static)
468 - # fails to show any man page with this error message:
469 - # man: /usr/libexec/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE: Bad system call
470 - # This will be made optional or hard enabled once the issue has been resolved.
471 - --without-libseccomp
472 + $(use_with seccomp libseccomp)
473 --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
474 )
475 econf "${myeconfargs[@]}"