commit: e490601874fe785c7632e6571a3a1d8f43404622 |
Author: Mike Frysinger <vapier <AT> chromium <DOT> org> |
AuthorDate: Mon Sep 17 23:19:15 2018 +0000 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 17 23:23:35 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4906018 |
|
sys-devel/bc: add support for --sandbox & USE=forced-sandbox |
|
The dc tool has an ! command which allows for arbitrary system() calls |
which is not ideal for processing arbitrary user scripts. First add |
support for a --sandbox flag at runtime (like sed/gawk gnu tools), |
then add a USE=forced-sandbox option so people can lock it down. |
|
The patches have been sent to upstream, but considering how slow the |
bc project tends to move, and their lack of a project site/git repo, |
going to merge this now and just wait for upstream feedback. |
|
sys-devel/bc/bc-1.07.1-r2.ebuild | 65 ++++++++++++++++ |
sys-devel/bc/files/bc-1.07.1-sandbox.patch | 121 +++++++++++++++++++++++++++++ |
sys-devel/bc/metadata.xml | 3 + |
3 files changed, 189 insertions(+) |
|
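diff --git a/sys-devel/bc/bc-1.07.1-r2.ebuild b/sys-devel/bc/bc-1.07.1-r2.ebuild
new file mode 100644
index 00000000000..78cc0f0805f
--- /dev/null
+++ b/sys-devel/bc/bc-1.07.1-r2.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs
+
+DESCRIPTION="Handy console-based calculator utility"
+HOMEPAGE="https://www.gnu.org/software/bc/bc.html"
+SRC_URI="mirror://gnu/bc/${P}.tar.gz"
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="forced-sandbox libedit readline static"
+
+RDEPEND="
+ !readline? ( libedit? ( dev-libs/libedit:= ) )
+ readline? (
+ >=sys-libs/readline-4.1:0=
+ >=sys-libs/ncurses-5.2:=
+ )
+"
+DEPEND="
+ ${RDEPEND}
+ sys-apps/ed
+ sys-devel/flex
+ virtual/yacc
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-1.07.1-sandbox.patch"
+)
+
+src_prepare() {
+ default
+
+ # A patch to make this into a configure option has been sent upstream,
+ # but lets avoid regenerating all the autotools just for this.
+ if use forced-sandbox ; then
+ sed -i '/dc_sandbox_enabled = 0/s:0:1:' dc/dc.c || die
+ fi
+}
+
+src_configure() {
+ local myconf=(
+ $(use_with readline)
+ )
+ if use readline ; then
+ myconf+=( --without-libedit )
+ else
+ myconf+=( $(use_with libedit) )
+ fi
+ use static && append-ldflags -static
+
+ econf "${myconf[@]}"
+
+ # Do not regen docs -- configure produces a small fragment that includes
+ # the version info which causes all pages to regen (newer file). #554774
+ touch -r doc doc/*
+}
+
+src_compile() {
+ emake AR="$(tc-getAR)"
+}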
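Review bot: The `sed -i '/dc_sandbox_enabled = 0/s:0:1:' dc/dc.c || die` in src_prepare cannot detect a substitution that never happened, because sed exits 0 when its address matches no line; `|| die` only catches I/O errors. If the sandbox patch is later refreshed and the initialiser line changes, a USE=forced-sandbox build would silently install a dc whose `!` command still works. Since this flag is a lockdown control it should fail closed: follow the sed with `grep -q 'dc_sandbox_enabled = 1' dc/dc.c || die "forced-sandbox was not applied"`.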
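diff --git a/sys-devel/bc/files/bc-1.07.1-sandbox.patch b/sys-devel/bc/files/bc-1.07.1-sandbox.patch
new file mode 100644
index 00000000000..ec5c406645b
--- /dev/null
+++ b/sys-devel/bc/files/bc-1.07.1-sandbox.patch
@@ -0,0 +1,121 @@
+this has been sent upstream, but they don't have a mailing list or project site
+to link to. oh well.
+
+From e641584767c3c7cc1ff544805acc2562fc56cda9 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@××××××××.org>
+Date: Mon, 17 Sep 2018 18:57:57 -0400
+Subject: [PATCH 1/2] dc: add a --sandbox option
+
+Other GNU projects (like sed & gawk) have a --sandbox flag whereby
+access to files and system() are disabled. This allows people to
+run arbitrary scripts without worrying about them "escaping" and
+executing arbitrary commands on the system.
+---
+ dc/dc.c | 9 ++++++++-
+ dc/dc.h | 3 +++
+ dc/misc.c | 6 ++++++
+ doc/dc.1 | 5 +++++
+ doc/dc.texi | 4 ++++
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/dc/dc.c b/dc/dc.c
+index 6a2bb2639235..592a76be71da 100644
+--- a/dc/dc.c
++++ b/dc/dc.c
+@@ -54,6 +54,7 @@
+ #endif
+
+ const char *progname; /* basename of program invocation */
++int dc_sandbox_enabled; /* whether sandbox mode is enabled */
+
+ static void
+ bug_report_info DC_DECLVOID()
+@@ -80,6 +81,7 @@ usage DC_DECLARG((f))
+ Usage: %s [OPTION] [file ...]\n\
+ -e, --expression=EXPR evaluate expression\n\
+ -f, --file=FILE evaluate contents of file\n\
++ -S, --sandbox disable the ! (system) command\n\
+ -h, --help display this help and exit\n\
+ -V, --version output version information and exit\n\
+ \n\
+@@ -252,6 +254,7 @@ main DC_DECLARG((argc, argv))
+ static struct option const long_opts[] = {
+ {"expression", required_argument, NULL, 'e'},
+ {"file", required_argument, NULL, 'f'},
++ {"sandbox", no_argument, NULL, 'S'},
+ {"help", no_argument, NULL, 'h'},
+ {"version", no_argument, NULL, 'V'},
+ {NULL, 0, NULL, 0}
+@@ -260,12 +263,13 @@ main DC_DECLARG((argc, argv))
+ int c;
+
+ progname = r1bindex(*argv, '/');
++ dc_sandbox_enabled = 0;
+ dc_math_init();
+ dc_string_init();
+ dc_register_init();
+ dc_array_init();
+
+- while ((c = getopt_long(argc, argv, "hVe:f:", long_opts, (int *)0)) != EOF) {
++ while ((c = getopt_long(argc, argv, "hVe:f:S", long_opts, (int *)0)) != EOF) {
+ switch (c) {
+ case 'e':
+ { dc_data string = dc_makestring(optarg, strlen(optarg));
+@@ -279,6 +283,9 @@ main DC_DECLARG((argc, argv))
+ try_file(optarg);
+ did_eval = 1;
+ break;
++ case 'S':
++ dc_sandbox_enabled = 1;
++ break;
+ case 'h':
+ usage(stdout);
+ return flush_okay();
+diff --git a/dc/dc.h b/dc/dc.h
+index 6a871ad612a5..a148df467a92 100644
+--- a/dc/dc.h
++++ b/dc/dc.h
+@@ -76,4 +76,7 @@ typedef struct {
+ /* This is dc's only global variable: */
+ extern const char *progname; /* basename of program invocation */
+
++/* Whether to run in sandbox mode. */
++extern int dc_sandbox_enabled;
++
+ #endif /* not DC_DEFS_H */
+diff --git a/dc/misc.c b/dc/misc.c
+index cd23602fce32..115be90b03bf 100644
+--- a/dc/misc.c
++++ b/dc/misc.c
+@@ -131,6 +131,12 @@ dc_system DC_DECLARG((s))
+ char *tmpstr;
+ size_t len;
+
++ if (dc_sandbox_enabled) {
++ fprintf(stderr, "%s: ! command disabled in sandbox mode\n",
++ progname);
++ exit(EXIT_FAILURE);
++ }
++
+ p = strchr(s, '\n');
+ if (p != NULL) {
+ len = (size_t) (p - s);
+diff --git a/doc/dc.1 b/doc/dc.1
+index 1c666493e00a..7c4b6fffd616 100644
+--- a/doc/dc.1
++++ b/doc/dc.1
+@@ -84,6 +84,11 @@ to the set of commands to be run while processing the input.
+ Add the commands contained in the file
+ .I script-file
+ to the set of commands to be run while processing the input.
++.TP
++.B -S
++.TP
++.B --sandbox
++Run in sandbox mode where access to \fB!\fR for the system function.
+ .PP
+ If any command-line parameters remain after processing the above,
+ these parameters are interpreted as the names of input files to
+--
+2.17.1
+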
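Review bot: In the dc/dc.c hunks the sandbox only takes effect from the point where getopt_long reaches `case 'S'`, while `case 'f'` calls `try_file(optarg)` inside the same loop, so a script given with -f (and, it appears, -e) ahead of -S on the command line is evaluated with `!` still enabled. Wrappers that run untrusted scripts must pass -S first unless the build uses USE=forced-sandbox; the help text and man page should say so, e.g. `-S, --sandbox disable the ! (system) command; must precede -e/-f`, or main() should scan for -S before evaluating anything. The new doc/dc.1 sentence is also incomplete and should read `Run in sandbox mode, where access to \fB!\fR for the system function is disabled.` main() and dc_system() continue outside the hunks shown, and the embedded diffstat lists doc/dc.texi although no hunk for it is present in this file.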
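diff --git a/sys-devel/bc/metadata.xml b/sys-devel/bc/metadata.xml
index 56c12441305..5bdfef6846f 100644
--- a/sys-devel/bc/metadata.xml
+++ b/sys-devel/bc/metadata.xml
@@ -5,4 +5,7 @@
 <email>base-system@g.o</email>
 <name>Gentoo Base System</name>
 </maintainer>
+<use>
+ <flag name="forced-sandbox">Always enable --sandbox mode for simpler/secure runtime (disables the ! command in dc)</flag>
+</use>
 </pkgmetadata>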