1 |
commit: 7675026aa7867fd9d5bf678e3206c3261a473205 |
2 |
Author: Mike Frysinger <vapier <AT> chromium <DOT> org> |
3 |
AuthorDate: Tue Jan 2 11:37:58 2018 +0000 |
4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Jan 2 11:38:36 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7675026a |
7 |
|
8 |
sys-apps/mawk: add support for -W sandbox mode |
9 |
|
10 |
.../mawk/files/mawk-1.3.4-sandbox-default.patch | 91 +++++++++++++ |
11 |
sys-apps/mawk/files/mawk-1.3.4-sandbox.patch | 141 +++++++++++++++++++++ |
12 |
sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild | 49 +++++++ |
13 |
sys-apps/mawk/metadata.xml | 3 + |
14 |
4 files changed, 284 insertions(+) |
15 |
|
16 |
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch |
17 |
new file mode 100644 |
18 |
index 00000000000..c3b0fc1c892 |
19 |
--- /dev/null |
20 |
+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch |
21 |
@@ -0,0 +1,91 @@ |
22 |
+https://github.com/ThomasDickey/original-mawk/issues/49 |
23 |
+ |
24 |
+Note: We hand modify the configure file here because the version of autotools |
25 |
+used by upstream is very old/finicky, and it's a simple enough change. |
26 |
+ |
27 |
+From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001 |
28 |
+From: Mike Frysinger <vapier@××××××××.org> |
29 |
+Date: Tue, 7 Nov 2017 01:07:47 -0500 |
30 |
+Subject: [PATCH 2/2] add a configure flag to lock sandbox by default |
31 |
+ |
32 |
+This lets us deploy systems with the sandbox always enabled. |
33 |
+--- |
34 |
+ configure | 23 +++++++++++++++++++++++ |
35 |
+ configure.in | 11 +++++++++++ |
36 |
+ init.c | 4 ++++ |
37 |
+ 3 files changed, 38 insertions(+) |
38 |
+ |
39 |
+diff --git a/configure.in b/configure.in |
40 |
+index 8b795fbd264b..770092005386 100644 |
41 |
+--- a/configure.in |
42 |
++++ b/configure.in |
43 |
+@@ -112,6 +112,17 @@ fi |
44 |
+ AC_MSG_RESULT($with_init_srand) |
45 |
+ |
46 |
+ ############################################################################### |
47 |
++AC_MSG_CHECKING(if you want mawk to always run in sandbox mode) |
48 |
++CF_ARG_ENABLE([forced-sandbox], |
49 |
++[ --enable-forced-sandbox always run in sandbox mode], |
50 |
++ [with_forced_sandbox=yes], |
51 |
++ [with_forced_sandbox=no]) |
52 |
++if test "x${with_forced_sandbox}" != xno; then |
53 |
++ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX" |
54 |
++fi |
55 |
++AC_MSG_RESULT($with_forced_sandbox) |
56 |
++ |
57 |
++############################################################################### |
58 |
+ |
59 |
+ AC_PROG_YACC |
60 |
+ CF_PROG_LINT |
61 |
+diff --git a/init.c b/init.c |
62 |
+index f7babb337e04..e035d6ea2fc0 100644 |
63 |
+--- a/init.c |
64 |
++++ b/init.c |
65 |
+@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv) |
66 |
+ |
67 |
+ no_more_opts: |
68 |
+ |
69 |
++#ifdef FORCED_SANDBOX |
70 |
++ sandbox_flag = 1; |
71 |
++#endif |
72 |
++ |
73 |
+ tail->link = (PFILE *) 0; |
74 |
+ pfile_list = dummy.link; |
75 |
+ |
76 |
+diff --git a/configure b/configure |
77 |
+index a3bf42fe9245..442875b8e58a 100755 |
78 |
+--- a/configure |
79 |
++++ b/configure |
80 |
+@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5 |
81 |
+ echo "${ECHO_T}$with_init_srand" >&6 |
82 |
+ |
83 |
+ ############################################################################### |
84 |
++echo "$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5 |
85 |
++echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6 |
86 |
++ |
87 |
++if test "${enable_forced_sandbox+set}" = set; then |
88 |
++ enableval="$enable_forced_sandbox" |
89 |
++ test "$enableval" != yes && enableval=no |
90 |
++ if test "$enableval" != "no" ; then |
91 |
++ with_forced_sandbox=yes |
92 |
++ else |
93 |
++ with_forced_sandbox=no |
94 |
++ fi |
95 |
++else |
96 |
++ enableval=no |
97 |
++ with_forced_sandbox=no |
98 |
++ |
99 |
++fi; |
100 |
++if test "x${with_forced_sandbox}" != xno; then |
101 |
++ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX" |
102 |
++fi |
103 |
++echo "$as_me:4131: result: $with_forced_sandbox" >&5 |
104 |
++echo "${ECHO_T}$with_forced_sandbox" >&6 |
105 |
++ |
106 |
++############################################################################### |
107 |
+ |
108 |
+ for ac_prog in 'bison -y' byacc |
109 |
+ do |
110 |
+-- |
111 |
+2.13.5 |
112 |
+ |
113 |
|
114 |
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch |
115 |
new file mode 100644 |
116 |
index 00000000000..ae2ccbd50ec |
117 |
--- /dev/null |
118 |
+++ b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch |
119 |
@@ -0,0 +1,141 @@ |
120 |
+https://github.com/ThomasDickey/original-mawk/issues/49 |
121 |
+ |
122 |
+From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001 |
123 |
+From: Mike Frysinger <vapier@××××××××.org> |
124 |
+Date: Tue, 7 Nov 2017 00:41:36 -0500 |
125 |
+Subject: [PATCH 1/2] add a -W sandbox mode |
126 |
+ |
127 |
+This is like gawk's sandbox mode where arbitrary code execution and |
128 |
+file redirection are locked down. This way awk can be a more secure |
129 |
+input/output mode. |
130 |
+--- |
131 |
+ bi_funct.c | 3 +++ |
132 |
+ init.c | 8 ++++++++ |
133 |
+ man/mawk.1 | 4 ++++ |
134 |
+ mawk.h | 2 +- |
135 |
+ scan.c | 6 ++++++ |
136 |
+ 5 files changed, 22 insertions(+), 1 deletion(-) |
137 |
+ |
138 |
+diff --git a/bi_funct.c b/bi_funct.c |
139 |
+index 7742308c72a5..b524ac8dac8b 100644 |
140 |
+--- a/bi_funct.c |
141 |
++++ b/bi_funct.c |
142 |
+@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED) |
143 |
+ #ifdef HAVE_REAL_PIPES |
144 |
+ int ret_val; |
145 |
+ |
146 |
++ if (sandbox_flag) |
147 |
++ rt_error("'system' function not allowed in sandbox mode"); |
148 |
++ |
149 |
+ TRACE_FUNC("bi_system", sp); |
150 |
+ |
151 |
+ if (sp->type < C_STRING) |
152 |
+diff --git a/init.c b/init.c |
153 |
+index 0ab17b003f20..f7babb337e04 100644 |
154 |
+--- a/init.c |
155 |
++++ b/init.c |
156 |
+@@ -40,6 +40,7 @@ typedef enum { |
157 |
+ W_RANDOM, |
158 |
+ W_SPRINTF, |
159 |
+ W_POSIX_SPACE, |
160 |
++ W_SANDBOX, |
161 |
+ W_USAGE |
162 |
+ } W_OPTIONS; |
163 |
+ |
164 |
+@@ -96,6 +97,7 @@ initialize(int argc, char **argv) |
165 |
+ |
166 |
+ int dump_code_flag; /* if on dump internal code */ |
167 |
+ short posix_space_flag; |
168 |
++short sandbox_flag; |
169 |
+ |
170 |
+ #ifdef DEBUG |
171 |
+ int dump_RE = 1; /* if on dump compiled REs */ |
172 |
+@@ -153,6 +155,7 @@ usage(void) |
173 |
+ " -W random=number set initial random seed.", |
174 |
+ " -W sprintf=number adjust size of sprintf buffer.", |
175 |
+ " -W posix_space do not consider \"\\n\" a space.", |
176 |
++ " -W sandbox disable system() and I/O redirection.", |
177 |
+ " -W usage show this message and exit.", |
178 |
+ }; |
179 |
+ size_t n; |
180 |
+@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next) |
181 |
+ DATA(RANDOM), |
182 |
+ DATA(SPRINTF), |
183 |
+ DATA(POSIX_SPACE), |
184 |
++ DATA(SANDBOX), |
185 |
+ DATA(USAGE) |
186 |
+ }; |
187 |
+ #undef DATA |
188 |
+@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv) |
189 |
+ posix_space_flag = 1; |
190 |
+ break; |
191 |
+ |
192 |
++ case W_SANDBOX: |
193 |
++ sandbox_flag = 1; |
194 |
++ break; |
195 |
++ |
196 |
+ case W_RANDOM: |
197 |
+ if (haveValue(optNext)) { |
198 |
+ int x = atoi(optNext + 1); |
199 |
+diff --git a/man/mawk.1 b/man/mawk.1 |
200 |
+index a3c794167dc9..0915d9d7ed5d 100644 |
201 |
+--- a/man/mawk.1 |
202 |
++++ b/man/mawk.1 |
203 |
+@@ -150,6 +150,10 @@ forces |
204 |
+ \fB\*n\fP |
205 |
+ not to consider '\en' to be space. |
206 |
+ .TP |
207 |
++\-\fBW \fRsandbox |
208 |
++runs in a restricted mode where system(), input redirection (e.g. getline), |
209 |
++output redirection (e.g. print and printf), and pipelines are disabled. |
210 |
++.TP |
211 |
+ \-\fBW \fRrandom=\fInum\fR |
212 |
+ calls \fBsrand\fP with the given parameter |
213 |
+ (and overrides the auto-seeding behavior). |
214 |
+diff --git a/mawk.h b/mawk.h |
215 |
+index 2d04be1adb34..a6ccc0071ecc 100644 |
216 |
+--- a/mawk.h |
217 |
++++ b/mawk.h |
218 |
+@@ -63,7 +63,7 @@ extern int dump_RE; |
219 |
+ #define USE_BINMODE 0 |
220 |
+ #endif |
221 |
+ |
222 |
+-extern short posix_space_flag, interactive_flag; |
223 |
++extern short posix_space_flag, interactive_flag, sandbox_flag; |
224 |
+ |
225 |
+ /*---------------- |
226 |
+ * GLOBAL VARIABLES |
227 |
+diff --git a/scan.c b/scan.c |
228 |
+index 3a8fc9181ab8..c1833b8b7315 100644 |
229 |
+--- a/scan.c |
230 |
++++ b/scan.c |
231 |
+@@ -455,6 +455,8 @@ yylex(void) |
232 |
+ un_next(); |
233 |
+ |
234 |
+ if (getline_flag) { |
235 |
++ if (sandbox_flag) |
236 |
++ rt_error("redirection not allowed in sandbox mode"); |
237 |
+ getline_flag = 0; |
238 |
+ ct_ret(IO_IN); |
239 |
+ } else |
240 |
+@@ -462,6 +464,8 @@ yylex(void) |
241 |
+ |
242 |
+ case SC_GT: /* '>' */ |
243 |
+ if (print_flag && paren_cnt == 0) { |
244 |
++ if (sandbox_flag) |
245 |
++ rt_error("redirection not allowed in sandbox mode"); |
246 |
+ print_flag = 0; |
247 |
+ /* there are 3 types of IO_OUT |
248 |
+ -- build the error string in string_buff */ |
249 |
+@@ -488,6 +492,8 @@ yylex(void) |
250 |
+ un_next(); |
251 |
+ |
252 |
+ if (print_flag && paren_cnt == 0) { |
253 |
++ if (sandbox_flag) |
254 |
++ rt_error("pipe execution not allowed in sandbox mode"); |
255 |
+ print_flag = 0; |
256 |
+ yylval.ival = PIPE_OUT; |
257 |
+ string_buff[0] = '|'; |
258 |
+-- |
259 |
+2.13.5 |
260 |
+ |
261 |
|
262 |
diff --git a/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild |
263 |
new file mode 100644 |
264 |
index 00000000000..e50d8aa1277 |
265 |
--- /dev/null |
266 |
+++ b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild |
267 |
@@ -0,0 +1,49 @@ |
268 |
+# Copyright 1999-2018 Gentoo Foundation |
269 |
+# Distributed under the terms of the GNU General Public License v2 |
270 |
+ |
271 |
+EAPI=6 |
272 |
+ |
273 |
+inherit toolchain-funcs |
274 |
+ |
275 |
+MY_P=${P/_p/-} |
276 |
+DESCRIPTION="an (often faster than gawk) awk-interpreter" |
277 |
+HOMEPAGE="https://invisible-island.net/mawk/mawk.html" |
278 |
+SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz" |
279 |
+ |
280 |
+LICENSE="GPL-2" |
281 |
+SLOT="0" |
282 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" |
283 |
+IUSE="forced-sandbox" |
284 |
+ |
285 |
+RDEPEND="app-eselect/eselect-awk" |
286 |
+DEPEND="${RDEPEND}" |
287 |
+ |
288 |
+S=${WORKDIR}/${MY_P} |
289 |
+ |
290 |
+DOCS=( ACKNOWLEDGMENT CHANGES README ) |
291 |
+ |
292 |
+PATCHES=( |
293 |
+ "${FILESDIR}"/${PN}-1.3.4-sandbox.patch |
294 |
+ "${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch |
295 |
+) |
296 |
+ |
297 |
+src_configure() { |
298 |
+ tc-export BUILD_CC |
299 |
+ econf $(use_enable forced-sandbox) |
300 |
+} |
301 |
+ |
302 |
+src_install() { |
303 |
+ default |
304 |
+ |
305 |
+ exeinto /usr/share/doc/${PF}/examples |
306 |
+ doexe examples/* |
307 |
+ docompress -x /usr/share/doc/${PF}/examples |
308 |
+} |
309 |
+ |
310 |
+pkg_postinst() { |
311 |
+ eselect awk update ifunset |
312 |
+} |
313 |
+ |
314 |
+pkg_postrm() { |
315 |
+ eselect awk update ifunset |
316 |
+} |
317 |
|
318 |
diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml |
319 |
index 56c12441305..fb5ddc9df93 100644 |
320 |
--- a/sys-apps/mawk/metadata.xml |
321 |
+++ b/sys-apps/mawk/metadata.xml |
322 |
@@ -5,4 +5,7 @@ |
323 |
<email>base-system@g.o</email> |
324 |
<name>Gentoo Base System</name> |
325 |
</maintainer> |
326 |
+<use> |
327 |
+ <flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag> |
328 |
+</use> |
329 |
</pkgmetadata> |