[gentoo-commits] repo/gentoo:master commit in: sys-apps/mawk/files/, sys-apps/mawk/ - gentoo-commits

From:	Mike Frysinger <vapier@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: sys-apps/mawk/files/, sys-apps/mawk/
Date:	Tue, 02 Jan 2018 11:39:12
Message-Id:	`1514893116.7675026aa7867fd9d5bf678e3206c3261a473205.vapier@gentoo`

1

commit:     7675026aa7867fd9d5bf678e3206c3261a473205

2

Author:     Mike Frysinger <vapier <AT> chromium <DOT> org>

3

AuthorDate: Tue Jan  2 11:37:58 2018 +0000

4

Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>

5

CommitDate: Tue Jan  2 11:38:36 2018 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7675026a

7

8

sys-apps/mawk: add support for -W sandbox mode

9

10

 .../mawk/files/mawk-1.3.4-sandbox-default.patch    |  91 +++++++++++++

11

 sys-apps/mawk/files/mawk-1.3.4-sandbox.patch       | 141 +++++++++++++++++++++

12

 sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild       |  49 +++++++

13

 sys-apps/mawk/metadata.xml                         |   3 +

14

 4 files changed, 284 insertions(+)

15

16

diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch

17

new file mode 100644

18

index 00000000000..c3b0fc1c892

19

--- /dev/null

20

+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch

21

@@ -0,0 +1,91 @@

22

+https://github.com/ThomasDickey/original-mawk/issues/49

23

+

24

+Note: We hand modify the configure file here because the version of autotools

25

+used by upstream is very old/finicky, and it's a simple enough change.

26

+

27

+From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001

28

+From: Mike Frysinger <vapier@××××××××.org>

29

+Date: Tue, 7 Nov 2017 01:07:47 -0500

30

+Subject: [PATCH 2/2] add a configure flag to lock sandbox by default

31

+

32

+This lets us deploy systems with the sandbox always enabled.

33

+---

34

+ configure    | 23 +++++++++++++++++++++++

35

+ configure.in | 11 +++++++++++

36

+ init.c       |  4 ++++

37

+ 3 files changed, 38 insertions(+)

38

+

39

+diff --git a/configure.in b/configure.in

40

+index 8b795fbd264b..770092005386 100644

41

+--- a/configure.in

42

++++ b/configure.in

43

+@@ -112,6 +112,17 @@ fi

44

+ AC_MSG_RESULT($with_init_srand)

45

+

46

+ ###############################################################################

47

++AC_MSG_CHECKING(if you want mawk to always run in sandbox mode)

48

++CF_ARG_ENABLE([forced-sandbox],

49

++[  --enable-forced-sandbox always run in sandbox mode],

50

++	[with_forced_sandbox=yes],

51

++	[with_forced_sandbox=no])

52

++if test "x${with_forced_sandbox}" != xno; then

53

++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"

54

++fi

55

++AC_MSG_RESULT($with_forced_sandbox)

56

++

57

++###############################################################################

58

+

59

+ AC_PROG_YACC

60

+ CF_PROG_LINT

61

+diff --git a/init.c b/init.c

62

+index f7babb337e04..e035d6ea2fc0 100644

63

+--- a/init.c

64

++++ b/init.c

65

+@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv)

66

+

67

+   no_more_opts:

68

+

69

++#ifdef FORCED_SANDBOX

70

++    sandbox_flag = 1;

71

++#endif

72

++

73

+     tail->link = (PFILE *) 0;

74

+     pfile_list = dummy.link;

75

+

76

+diff --git a/configure b/configure

77

+index a3bf42fe9245..442875b8e58a 100755

78

+--- a/configure

79

++++ b/configure

80

+@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5

81

+ echo "${ECHO_T}$with_init_srand" >&6

82

+

83

+ ###############################################################################

84

++echo "$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5

85

++echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6

86

++

87

++if test "${enable_forced_sandbox+set}" = set; then

88

++  enableval="$enable_forced_sandbox"

89

++  test "$enableval" != yes && enableval=no

90

++	if test "$enableval" != "no" ; then

91

++    with_forced_sandbox=yes

92

++	else

93

++		with_forced_sandbox=no

94

++	fi

95

++else

96

++  enableval=no

97

++	with_forced_sandbox=no

98

++

99

++fi;

100

++if test "x${with_forced_sandbox}" != xno; then

101

++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"

102

++fi

103

++echo "$as_me:4131: result: $with_forced_sandbox" >&5

104

++echo "${ECHO_T}$with_forced_sandbox" >&6

105

++

106

++###############################################################################

107

+

108

+ for ac_prog in 'bison -y' byacc

109

+ do

110

+--

111

+2.13.5

112

+

113

114

diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch

115

new file mode 100644

116

index 00000000000..ae2ccbd50ec

117

--- /dev/null

118

+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch

119

@@ -0,0 +1,141 @@

120

+https://github.com/ThomasDickey/original-mawk/issues/49

121

+

122

+From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001

123

+From: Mike Frysinger <vapier@××××××××.org>

124

+Date: Tue, 7 Nov 2017 00:41:36 -0500

125

+Subject: [PATCH 1/2] add a -W sandbox mode

126

+

127

+This is like gawk's sandbox mode where arbitrary code execution and

128

+file redirection are locked down.  This way awk can be a more secure

129

+input/output mode.

130

+---

131

+ bi_funct.c | 3 +++

132

+ init.c     | 8 ++++++++

133

+ man/mawk.1 | 4 ++++

134

+ mawk.h     | 2 +-

135

+ scan.c     | 6 ++++++

136

+ 5 files changed, 22 insertions(+), 1 deletion(-)

137

+

138

+diff --git a/bi_funct.c b/bi_funct.c

139

+index 7742308c72a5..b524ac8dac8b 100644

140

+--- a/bi_funct.c

141

++++ b/bi_funct.c

142

+@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)

143

+ #ifdef HAVE_REAL_PIPES

144

+     int ret_val;

145

+

146

++    if (sandbox_flag)

147

++	rt_error("'system' function not allowed in sandbox mode");

148

++

149

+     TRACE_FUNC("bi_system", sp);

150

+

151

+     if (sp->type < C_STRING)

152

+diff --git a/init.c b/init.c

153

+index 0ab17b003f20..f7babb337e04 100644

154

+--- a/init.c

155

++++ b/init.c

156

+@@ -40,6 +40,7 @@ typedef enum {

157

+     W_RANDOM,

158

+     W_SPRINTF,

159

+     W_POSIX_SPACE,

160

++    W_SANDBOX,

161

+     W_USAGE

162

+ } W_OPTIONS;

163

+

164

+@@ -96,6 +97,7 @@ initialize(int argc, char **argv)

165

+

166

+ int dump_code_flag;		/* if on dump internal code */

167

+ short posix_space_flag;

168

++short sandbox_flag;

169

+

170

+ #ifdef	 DEBUG

171

+ int dump_RE = 1;		/* if on dump compiled REs  */

172

+@@ -153,6 +155,7 @@ usage(void)

173

+ 	"    -W random=number set initial random seed.",

174

+ 	"    -W sprintf=number adjust size of sprintf buffer.",

175

+ 	"    -W posix_space   do not consider \"\\n\" a space.",

176

++	"    -W sandbox       disable system() and I/O redirection.",

177

+ 	"    -W usage         show this message and exit.",

178

+     };

179

+     size_t n;

180

+@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next)

181

+ 	    DATA(RANDOM),

182

+ 	    DATA(SPRINTF),

183

+ 	    DATA(POSIX_SPACE),

184

++	    DATA(SANDBOX),

185

+ 	    DATA(USAGE)

186

+     };

187

+ #undef DATA

188

+@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)

189

+ 		    posix_space_flag = 1;

190

+ 		    break;

191

+

192

++		case W_SANDBOX:

193

++		    sandbox_flag = 1;

194

++		    break;

195

++

196

+ 		case W_RANDOM:

197

+ 		    if (haveValue(optNext)) {

198

+ 			int x = atoi(optNext + 1);

199

+diff --git a/man/mawk.1 b/man/mawk.1

200

+index a3c794167dc9..0915d9d7ed5d 100644

201

+--- a/man/mawk.1

202

++++ b/man/mawk.1

203

+@@ -150,6 +150,10 @@ forces

204

+ \fB\*n\fP

205

+ not to consider '\en' to be space.

206

+ .TP

207

++\-\fBW \fRsandbox

208

++runs in a restricted mode where system(), input redirection (e.g. getline),

209

++output redirection (e.g. print and printf), and pipelines are disabled.

210

++.TP

211

+ \-\fBW \fRrandom=\fInum\fR

212

+ calls \fBsrand\fP with the given parameter

213

+ (and overrides the auto-seeding behavior).

214

+diff --git a/mawk.h b/mawk.h

215

+index 2d04be1adb34..a6ccc0071ecc 100644

216

+--- a/mawk.h

217

++++ b/mawk.h

218

+@@ -63,7 +63,7 @@ extern int dump_RE;

219

+ #define USE_BINMODE 0

220

+ #endif

221

+

222

+-extern short posix_space_flag, interactive_flag;

223

++extern short posix_space_flag, interactive_flag, sandbox_flag;

224

+

225

+ /*----------------

226

+  *  GLOBAL VARIABLES

227

+diff --git a/scan.c b/scan.c

228

+index 3a8fc9181ab8..c1833b8b7315 100644

229

+--- a/scan.c

230

++++ b/scan.c

231

+@@ -455,6 +455,8 @@ yylex(void)

232

+ 	    un_next();

233

+

234

+ 	if (getline_flag) {

235

++	    if (sandbox_flag)

236

++		rt_error("redirection not allowed in sandbox mode");

237

+ 	    getline_flag = 0;

238

+ 	    ct_ret(IO_IN);

239

+ 	} else

240

+@@ -462,6 +464,8 @@ yylex(void)

241

+

242

+     case SC_GT:		/* '>' */

243

+ 	if (print_flag && paren_cnt == 0) {

244

++	    if (sandbox_flag)

245

++		rt_error("redirection not allowed in sandbox mode");

246

+ 	    print_flag = 0;

247

+ 	    /* there are 3 types of IO_OUT

248

+ 	       -- build the error string in string_buff */

249

+@@ -488,6 +492,8 @@ yylex(void)

250

+ 	    un_next();

251

+

252

+ 	    if (print_flag && paren_cnt == 0) {

253

++		if (sandbox_flag)

254

++		    rt_error("pipe execution not allowed in sandbox mode");

255

+ 		print_flag = 0;

256

+ 		yylval.ival = PIPE_OUT;

257

+ 		string_buff[0] = '|';

258

+--

259

+2.13.5

260

+

261

262

diff --git a/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild

263

new file mode 100644

264

index 00000000000..e50d8aa1277

265

--- /dev/null

266

+++ b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild

267

@@ -0,0 +1,49 @@

268

+# Copyright 1999-2018 Gentoo Foundation

269

+# Distributed under the terms of the GNU General Public License v2

270

+

271

+EAPI=6

272

+

273

+inherit toolchain-funcs

274

+

275

+MY_P=${P/_p/-}

276

+DESCRIPTION="an (often faster than gawk) awk-interpreter"

277

+HOMEPAGE="https://invisible-island.net/mawk/mawk.html"

278

+SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz"

279

+

280

+LICENSE="GPL-2"

281

+SLOT="0"

282

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"

283

+IUSE="forced-sandbox"

284

+

285

+RDEPEND="app-eselect/eselect-awk"

286

+DEPEND="${RDEPEND}"

287

+

288

+S=${WORKDIR}/${MY_P}

289

+

290

+DOCS=( ACKNOWLEDGMENT CHANGES README )

291

+

292

+PATCHES=(

293

+	"${FILESDIR}"/${PN}-1.3.4-sandbox.patch

294

+	"${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch

295

+)

296

+

297

+src_configure() {

298

+	tc-export BUILD_CC

299

+	econf $(use_enable forced-sandbox)

300

+}

301

+

302

+src_install() {

303

+	default

304

+

305

+	exeinto /usr/share/doc/${PF}/examples

306

+	doexe examples/*

307

+	docompress -x /usr/share/doc/${PF}/examples

308

+}

309

+

310

+pkg_postinst() {

311

+	eselect awk update ifunset

312

+}

313

+

314

+pkg_postrm() {

315

+	eselect awk update ifunset

316

+}

317

318

diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml

319

index 56c12441305..fb5ddc9df93 100644

320

--- a/sys-apps/mawk/metadata.xml

321

+++ b/sys-apps/mawk/metadata.xml

322

@@ -5,4 +5,7 @@

323

 	<email>base-system@g.o</email>

324

 	<name>Gentoo Base System</name>

325

 </maintainer>

326

+<use>

327

+	<flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag>

328

+</use>

329

 </pkgmetadata>

1	commit: 7675026aa7867fd9d5bf678e3206c3261a473205
2	Author: Mike Frysinger <vapier <AT> chromium <DOT> org>
3	AuthorDate: Tue Jan 2 11:37:58 2018 +0000
4	Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5	CommitDate: Tue Jan 2 11:38:36 2018 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7675026a
7
8	sys-apps/mawk: add support for -W sandbox mode
9
10	.../mawk/files/mawk-1.3.4-sandbox-default.patch \| 91 +++++++++++++
11	sys-apps/mawk/files/mawk-1.3.4-sandbox.patch \| 141 +++++++++++++++++++++
12	sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild \| 49 +++++++
13	sys-apps/mawk/metadata.xml \| 3 +
14	4 files changed, 284 insertions(+)
15
16	diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
17	new file mode 100644
18	index 00000000000..c3b0fc1c892
19	--- /dev/null
20	+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
21	@@ -0,0 +1,91 @@
22	+https://github.com/ThomasDickey/original-mawk/issues/49
23	+
24	+Note: We hand modify the configure file here because the version of autotools
25	+used by upstream is very old/finicky, and it's a simple enough change.
26	+
27	+From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001
28	+From: Mike Frysinger <vapier@××××××××.org>
29	+Date: Tue, 7 Nov 2017 01:07:47 -0500
30	+Subject: [PATCH 2/2] add a configure flag to lock sandbox by default
31	+
32	+This lets us deploy systems with the sandbox always enabled.
33	+---
34	+ configure \| 23 +++++++++++++++++++++++
35	+ configure.in \| 11 +++++++++++
36	+ init.c \| 4 ++++
37	+ 3 files changed, 38 insertions(+)
38	+
39	+diff --git a/configure.in b/configure.in
40	+index 8b795fbd264b..770092005386 100644
41	+--- a/configure.in
42	++++ b/configure.in
43	+@@ -112,6 +112,17 @@ fi
44	+ AC_MSG_RESULT($with_init_srand)
45	+
46	+ ###############################################################################
47	++AC_MSG_CHECKING(if you want mawk to always run in sandbox mode)
48	++CF_ARG_ENABLE([forced-sandbox],
49	++[ --enable-forced-sandbox always run in sandbox mode],
50	++ [with_forced_sandbox=yes],
51	++ [with_forced_sandbox=no])
52	++if test "x${with_forced_sandbox}" != xno; then
53	++ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
54	++fi
55	++AC_MSG_RESULT($with_forced_sandbox)
56	++
57	++###############################################################################
58	+
59	+ AC_PROG_YACC
60	+ CF_PROG_LINT
61	+diff --git a/init.c b/init.c
62	+index f7babb337e04..e035d6ea2fc0 100644
63	+--- a/init.c
64	++++ b/init.c
65	+@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv)
66	+
67	+ no_more_opts:
68	+
69	++#ifdef FORCED_SANDBOX
70	++ sandbox_flag = 1;
71	++#endif
72	++
73	+ tail->link = (PFILE *) 0;
74	+ pfile_list = dummy.link;
75	+
76	+diff --git a/configure b/configure
77	+index a3bf42fe9245..442875b8e58a 100755
78	+--- a/configure
79	++++ b/configure
80	+@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5
81	+ echo "${ECHO_T}$with_init_srand" >&6
82	+
83	+ ###############################################################################
84	++echo "$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5
85	++echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6
86	++
87	++if test "${enable_forced_sandbox+set}" = set; then
88	++ enableval="$enable_forced_sandbox"
89	++ test "$enableval" != yes && enableval=no
90	++ if test "$enableval" != "no" ; then
91	++ with_forced_sandbox=yes
92	++ else
93	++ with_forced_sandbox=no
94	++ fi
95	++else
96	++ enableval=no
97	++ with_forced_sandbox=no
98	++
99	++fi;
100	++if test "x${with_forced_sandbox}" != xno; then
101	++ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
102	++fi
103	++echo "$as_me:4131: result: $with_forced_sandbox" >&5
104	++echo "${ECHO_T}$with_forced_sandbox" >&6
105	++
106	++###############################################################################
107	+
108	+ for ac_prog in 'bison -y' byacc
109	+ do
110	+--
111	+2.13.5
112	+
113
114	diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
115	new file mode 100644
116	index 00000000000..ae2ccbd50ec
117	--- /dev/null
118	+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
119	@@ -0,0 +1,141 @@
120	+https://github.com/ThomasDickey/original-mawk/issues/49
121	+
122	+From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001
123	+From: Mike Frysinger <vapier@××××××××.org>
124	+Date: Tue, 7 Nov 2017 00:41:36 -0500
125	+Subject: [PATCH 1/2] add a -W sandbox mode
126	+
127	+This is like gawk's sandbox mode where arbitrary code execution and
128	+file redirection are locked down. This way awk can be a more secure
129	+input/output mode.
130	+---
131	+ bi_funct.c \| 3 +++
132	+ init.c \| 8 ++++++++
133	+ man/mawk.1 \| 4 ++++
134	+ mawk.h \| 2 +-
135	+ scan.c \| 6 ++++++
136	+ 5 files changed, 22 insertions(+), 1 deletion(-)
137	+
138	+diff --git a/bi_funct.c b/bi_funct.c
139	+index 7742308c72a5..b524ac8dac8b 100644
140	+--- a/bi_funct.c
141	++++ b/bi_funct.c
142	+@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)
143	+ #ifdef HAVE_REAL_PIPES
144	+ int ret_val;
145	+
146	++ if (sandbox_flag)
147	++ rt_error("'system' function not allowed in sandbox mode");
148	++
149	+ TRACE_FUNC("bi_system", sp);
150	+
151	+ if (sp->type < C_STRING)
152	+diff --git a/init.c b/init.c
153	+index 0ab17b003f20..f7babb337e04 100644
154	+--- a/init.c
155	++++ b/init.c
156	+@@ -40,6 +40,7 @@ typedef enum {
157	+ W_RANDOM,
158	+ W_SPRINTF,
159	+ W_POSIX_SPACE,
160	++ W_SANDBOX,
161	+ W_USAGE
162	+ } W_OPTIONS;
163	+
164	+@@ -96,6 +97,7 @@ initialize(int argc, char **argv)
165	+
166	+ int dump_code_flag; /* if on dump internal code */
167	+ short posix_space_flag;
168	++short sandbox_flag;
169	+
170	+ #ifdef DEBUG
171	+ int dump_RE = 1; /* if on dump compiled REs */
172	+@@ -153,6 +155,7 @@ usage(void)
173	+ " -W random=number set initial random seed.",
174	+ " -W sprintf=number adjust size of sprintf buffer.",
175	+ " -W posix_space do not consider \"\\n\" a space.",
176	++ " -W sandbox disable system() and I/O redirection.",
177	+ " -W usage show this message and exit.",
178	+ };
179	+ size_t n;
180	+@@ -255,6 +258,7 @@ parse_w_opt(char source, char *next)
181	+ DATA(RANDOM),
182	+ DATA(SPRINTF),
183	+ DATA(POSIX_SPACE),
184	++ DATA(SANDBOX),
185	+ DATA(USAGE)
186	+ };
187	+ #undef DATA
188	+@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)
189	+ posix_space_flag = 1;
190	+ break;
191	+
192	++ case W_SANDBOX:
193	++ sandbox_flag = 1;
194	++ break;
195	++
196	+ case W_RANDOM:
197	+ if (haveValue(optNext)) {
198	+ int x = atoi(optNext + 1);
199	+diff --git a/man/mawk.1 b/man/mawk.1
200	+index a3c794167dc9..0915d9d7ed5d 100644
201	+--- a/man/mawk.1
202	++++ b/man/mawk.1
203	+@@ -150,6 +150,10 @@ forces
204	+ \fB\*n\fP
205	+ not to consider '\en' to be space.
206	+ .TP
207	++\-\fBW \fRsandbox
208	++runs in a restricted mode where system(), input redirection (e.g. getline),
209	++output redirection (e.g. print and printf), and pipelines are disabled.
210	++.TP
211	+ \-\fBW \fRrandom=\fInum\fR
212	+ calls \fBsrand\fP with the given parameter
213	+ (and overrides the auto-seeding behavior).
214	+diff --git a/mawk.h b/mawk.h
215	+index 2d04be1adb34..a6ccc0071ecc 100644
216	+--- a/mawk.h
217	++++ b/mawk.h
218	+@@ -63,7 +63,7 @@ extern int dump_RE;
219	+ #define USE_BINMODE 0
220	+ #endif
221	+
222	+-extern short posix_space_flag, interactive_flag;
223	++extern short posix_space_flag, interactive_flag, sandbox_flag;
224	+
225	+ /*----------------
226	+ * GLOBAL VARIABLES
227	+diff --git a/scan.c b/scan.c
228	+index 3a8fc9181ab8..c1833b8b7315 100644
229	+--- a/scan.c
230	++++ b/scan.c
231	+@@ -455,6 +455,8 @@ yylex(void)
232	+ un_next();
233	+
234	+ if (getline_flag) {
235	++ if (sandbox_flag)
236	++ rt_error("redirection not allowed in sandbox mode");
237	+ getline_flag = 0;
238	+ ct_ret(IO_IN);
239	+ } else
240	+@@ -462,6 +464,8 @@ yylex(void)
241	+
242	+ case SC_GT: /* '>' */
243	+ if (print_flag && paren_cnt == 0) {
244	++ if (sandbox_flag)
245	++ rt_error("redirection not allowed in sandbox mode");
246	+ print_flag = 0;
247	+ /* there are 3 types of IO_OUT
248	+ -- build the error string in string_buff */
249	+@@ -488,6 +492,8 @@ yylex(void)
250	+ un_next();
251	+
252	+ if (print_flag && paren_cnt == 0) {
253	++ if (sandbox_flag)
254	++ rt_error("pipe execution not allowed in sandbox mode");
255	+ print_flag = 0;
256	+ yylval.ival = PIPE_OUT;
257	+ string_buff[0] = '\|';
258	+--
259	+2.13.5
260	+
261
262	diff --git a/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild
263	new file mode 100644
264	index 00000000000..e50d8aa1277
265	--- /dev/null
266	+++ b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild
267	@@ -0,0 +1,49 @@
268	+# Copyright 1999-2018 Gentoo Foundation
269	+# Distributed under the terms of the GNU General Public License v2
270	+
271	+EAPI=6
272	+
273	+inherit toolchain-funcs
274	+
275	+MY_P=${P/_p/-}
276	+DESCRIPTION="an (often faster than gawk) awk-interpreter"
277	+HOMEPAGE="https://invisible-island.net/mawk/mawk.html"
278	+SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz"
279	+
280	+LICENSE="GPL-2"
281	+SLOT="0"
282	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
283	+IUSE="forced-sandbox"
284	+
285	+RDEPEND="app-eselect/eselect-awk"
286	+DEPEND="${RDEPEND}"
287	+
288	+S=${WORKDIR}/${MY_P}
289	+
290	+DOCS=( ACKNOWLEDGMENT CHANGES README )
291	+
292	+PATCHES=(
293	+ "${FILESDIR}"/${PN}-1.3.4-sandbox.patch
294	+ "${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch
295	+)
296	+
297	+src_configure() {
298	+ tc-export BUILD_CC
299	+ econf $(use_enable forced-sandbox)
300	+}
301	+
302	+src_install() {
303	+ default
304	+
305	+ exeinto /usr/share/doc/${PF}/examples
306	+ doexe examples/*
307	+ docompress -x /usr/share/doc/${PF}/examples
308	+}
309	+
310	+pkg_postinst() {
311	+ eselect awk update ifunset
312	+}
313	+
314	+pkg_postrm() {
315	+ eselect awk update ifunset
316	+}
317
318	diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml
319	index 56c12441305..fb5ddc9df93 100644
320	--- a/sys-apps/mawk/metadata.xml
321	+++ b/sys-apps/mawk/metadata.xml
322	@@ -5,4 +5,7 @@
323	<email>base-system@g.o</email>
324	<name>Gentoo Base System</name>
325	</maintainer>
326	+<use>
327	+ <flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag>
328	+</use>
329	</pkgmetadata>

Gentoo Archives: gentoo-commits