Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jory Pratt <anarchy@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] dev/anarchy:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
Date: Sat, 29 Aug 2015 03:49:57
Message-Id: 1440820170.543a9a0f3a27d387dbba0a92c2ac85e2dd71a73f.anarchy@gentoo
1 commit: 543a9a0f3a27d387dbba0a92c2ac85e2dd71a73f
2 Author: Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
3 AuthorDate: Sat Aug 29 03:49:30 2015 +0000
4 Commit: Jory Pratt <anarchy <AT> gentoo <DOT> org>
5 CommitDate: Sat Aug 29 03:49:30 2015 +0000
6 URL: https://gitweb.gentoo.org/dev/anarchy.git/commit/?id=543a9a0f
7
8 remove sandbox hacks
9
10 sys-apps/sandbox/Manifest | 10 -
11 sys-apps/sandbox/files/09sandbox | 1 -
12 .../files/sandbox-2.6-check-empty-paths-at.patch | 201 ---------------------
13 sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 ---
14 .../sandbox/files/sandbox-2.6-hardened-pch.patch | 88 ---------
15 sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ------
16 .../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ------
17 .../files/sandbox-2.6-static-close-fd.patch | 93 ----------
18 .../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 ---
19 sys-apps/sandbox/sandbox-2.6-r1.ebuild | 132 --------------
20 10 files changed, 687 deletions(-)
21
22 diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
23 deleted file mode 100644
24 index 33c0d48..0000000
25 --- a/sys-apps/sandbox/Manifest
26 +++ /dev/null
27 @@ -1,10 +0,0 @@
28 -AUX 09sandbox 37 SHA256 73e9e9d12ba54f1c649813ec86107924050528852c890a8ba1e2853796781bbe SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a WHIRLPOOL 80d55a34d3faf3314f2b9de2200d4b46a800128514be9e30eb59e5f03fb7a0a5197a9e5b5ab33d6b68d35bf83c86a1bd7ba734a33ccd382fe0af3b2c2a11d0bd
29 -AUX sandbox-2.6-check-empty-paths-at.patch 7454 SHA256 a48759a4d3e9a70713473b6fad59bdd750b5cd37e7d632c786205ff20004ae2c SHA512 5eba7915dedf57f44c37881e9c6b48db8733d1493779a33127d08bb9ea77056d788ec9ace72c13eb101f42f01c95309c7cebca6c76212a8c99a8655372c0b7d7 WHIRLPOOL 46eb3a8ef8f22030cd793f3b16adc190b5750019c0df83e161c6918f08555a8ad890c1425b03cbf7e53ebcd34a07a9dd9b594d0c0fe31834656ffce3d58fa284
30 -AUX sandbox-2.6-desktop.patch 875 SHA256 2eecf67790aeac210f9aa899a86f7664776ed65d9b55159e1b359162dfb9ff74 SHA512 b72ec7f414d19bf513dfb1aea10523fa5dc07a1375d8f08f664d204b64b23c891a79ca14987528c595936f441e1f595b366aabbc57313667c7639d73d089ed9a WHIRLPOOL 7f787b8be9b5712eb2b2a0cd2ff825df1045ebf1cc4e73a50f610e620d30752045690a5c28835465d0ab0c3c4a9eaf8b92a5c123cd741ad69dfedb31aa457fa0
31 -AUX sandbox-2.6-hardened-pch.patch 2615 SHA256 b24500876b595dcaee46e23dffedc50729ce7af1c7fbfce9cead2cd7a8566ff3 SHA512 439f78d0261996a648053f3b34a9fa34eb0d145862136769a3d448f5314be76046d02a0bcce8fd9cfb59d82fdafe79653c182d104f98c4b51be2c08ce835c8bd WHIRLPOOL 8221650ad746161af71a1b1f5f041a5696b4168d2c1fd3fb1997ba0464ef14de50592d9dd4ecc6981f812ae50e4d2c18c138a40bcdcce1b7f6d5b84f711211a6
32 -AUX sandbox-2.6-log-var.patch 2039 SHA256 f464a29cdd9de0c510277310f4febc8f96515ff2ff03fc92df1c75b9cbd75619 SHA512 cf6f900b4078eff5870b63b2bc7c81c5b00488e030d7e9ce3007693e9d1339ac6201ddacfaff552c6c9b99b6d32383229133c80190404b7e4fde06ad376b2050 WHIRLPOOL db99737a6567788194f7b37b12b92fcfb4c263df40f40aef9e0a3ef2b6a1523331313b791fffa2b26775b646795364ab1db1711eb4329cda3337df27aebfeffa
33 -AUX sandbox-2.6-open-nofollow.patch 2027 SHA256 c8816ae4e1991f9941abd43ec4bfdbf4e99cf36ee90694f77ab88754c53785ce SHA512 dd5222f32a40def38c9719363a24c48d5b112e3560b44c5f32afc3daa0614fe9bc5cb68ca8ac69032cc8d6299f09b25d4d7c72e16892188b42768ffb28c19f07 WHIRLPOOL 03cb5fb9df04a8d7f92855c292a6c431d01d330fecae198f2c4b95d824454f10ce1ad66db1a9d54d1bef5f74989cf6debb2d98de28ee0c2c6a09c1a0752b5519
34 -AUX sandbox-2.6-static-close-fd.patch 2945 SHA256 807eb4dc1ba6543c94a90a9a53bb89f42079ea20ed7c196f82d65f280e5de96a SHA512 e2f57c4d80816241f3ba4828c2b27c67d1d604b14b2d575888a978e5c4e8e47e60e3a609d81e59c615bc5b7cee6194cc362e255ae8508f632862a35180c30de8 WHIRLPOOL e08f60227fe954894d3a3a01297e9988f4d7722ea75ffbd2b0f3971d38c8ce00af230fcaecb1f53243a868d54f48bb680e2d547bbeb2ee3e5a11f8942d2084fd
35 -AUX sandbox-2.6-trace-hppa.patch 850 SHA256 20688b2f33162f95af4af5e3c7d3700f2e7776e454b785ac1398f0870f84efa9 SHA512 fb7bf2202f960e952edc1e52fe4b6b085042158223d96b9baa899e871abcdef711ede3122c971120f55f71cc1aad71496a6079222dbaaa6c14b0c6f7ea182454 WHIRLPOOL 80f7fb529b912d19d81b9d71ee4a648db7b217583f2e8f2054cc666839030ea7d0112d69d52a2bf35c4d3549ffbd81dbd0cd39d5993bfabbb43bcb6a4455ade4
36 -DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
37 -EBUILD sandbox-2.6-r1.ebuild 3161 SHA256 964556ee3f429cedbd54d4ea9c8c9a468b886199f390b909864e5c35a454bfa4 SHA512 25492535b1a623482c3bec466a3cfc8277ef5f82e3548085dc35a0ac24c5ab5cbedd32ad99c9da07dccd9c116b1c5a532908c5a3023aea6cdfb4dd94ec380c04 WHIRLPOOL 6fb8b8d1426bc8f6e0496bf6afe693bf544fdabacbdefdb310261e0d5dc0ba7548c26a8d26d4c29e8885805ebccc5e9852c3a2573cd6815960aa8f9ee2d21973
38
39 diff --git a/sys-apps/sandbox/files/09sandbox b/sys-apps/sandbox/files/09sandbox
40 deleted file mode 100644
41 index 9181eb0..0000000
42 --- a/sys-apps/sandbox/files/09sandbox
43 +++ /dev/null
44 @@ -1 +0,0 @@
45 -CONFIG_PROTECT_MASK="/etc/sandbox.d"
46
47 diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
48 deleted file mode 100644
49 index e4dc529..0000000
50 --- a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
51 +++ /dev/null
52 @@ -1,201 +0,0 @@
53 -From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
54 -From: Mike Frysinger <vapier@g.o>
55 -Date: Mon, 24 Dec 2012 19:41:49 -0500
56 -Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
57 - checking the dirfd
58 -
59 -When it comes to processing errors, an empty path is checked before
60 -an invalid dirfd. Make sure sandbox matches that behavior for the
61 -random testsuites out there that look for this.
62 -
63 -URL: https://bugs.gentoo.org/346929
64 -Reported-by: Marien Zwart <marienz@g.o>
65 -Signed-off-by: Mike Frysinger <vapier@g.o>
66 ----
67 - libsandbox/wrapper-funcs/__pre_check.c | 2 ++
68 - libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
69 - libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++-----------
70 - libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
71 - libsandbox/wrappers.h | 2 ++
72 - tests/mkdirat-3.sh | 7 +++++++
73 - tests/mkdirat.at | 1 +
74 - tests/openat-2.sh | 9 +++++++++
75 - tests/openat.at | 1 +
76 - tests/unlinkat-4.sh | 7 +++++++
77 - tests/unlinkat.at | 1 +
78 - 11 files changed, 44 insertions(+), 35 deletions(-)
79 - create mode 100755 tests/mkdirat-3.sh
80 - create mode 100755 tests/openat-2.sh
81 - create mode 100755 tests/unlinkat-4.sh
82 -
83 -diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
84 -index 2d5711f..28ad91f 100644
85 ---- a/libsandbox/wrapper-funcs/__pre_check.c
86 -+++ b/libsandbox/wrapper-funcs/__pre_check.c
87 -@@ -20,3 +20,5 @@
88 - #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
89 - # include "unlinkat_pre_check.c"
90 - #endif
91 -+
92 -+#include "__pre_at_check.c"
93 -diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
94 -index 77a65df..0b48d1f 100644
95 ---- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
96 -+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
97 -@@ -1,20 +1,13 @@
98 - bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
99 - {
100 - char canonic[SB_PATH_MAX];
101 -- char dirfd_path[SB_PATH_MAX];
102 -
103 - save_errno();
104 -
105 -- /* Expand the dirfd path first */
106 -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
107 -- case -1:
108 -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
109 -- func, pathname, strerror(errno));
110 -- return false;
111 -- case 0:
112 -- pathname = dirfd_path;
113 -- break;
114 -- }
115 -+ /* Check incoming args against common *at issues */
116 -+ char dirfd_path[SB_PATH_MAX];
117 -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
118 -+ return false;
119 -
120 - /* Then break down any relative/symlink paths */
121 - if (-1 == canonicalize(pathname, canonic))
122 -diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
123 -index 0127708..5fd5eaa 100644
124 ---- a/libsandbox/wrapper-funcs/openat_pre_check.c
125 -+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
126 -@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
127 -
128 - save_errno();
129 -
130 -- /* Expand the dirfd path first */
131 -+ /* Check incoming args against common *at issues */
132 - char dirfd_path[SB_PATH_MAX];
133 -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
134 -- case -1:
135 -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
136 -- func, pathname, strerror(errno));
137 -- return false;
138 -- case 0:
139 -- pathname = dirfd_path;
140 -- break;
141 -- }
142 -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
143 -+ return false;
144 -
145 - /* Doesn't exist -> skip permission checks */
146 - struct stat st;
147 -diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
148 -index 9f5e7d7..c004d15 100644
149 ---- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
150 -+++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
151 -@@ -1,20 +1,13 @@
152 - bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
153 - {
154 - char canonic[SB_PATH_MAX];
155 -- char dirfd_path[SB_PATH_MAX];
156 -
157 - save_errno();
158 -
159 -- /* Expand the dirfd path first */
160 -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
161 -- case -1:
162 -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
163 -- func, pathname, strerror(errno));
164 -- return false;
165 -- case 0:
166 -- pathname = dirfd_path;
167 -- break;
168 -- }
169 -+ /* Check incoming args against common *at issues */
170 -+ char dirfd_path[SB_PATH_MAX];
171 -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
172 -+ return false;
173 -
174 - /* Then break down any relative/symlink paths */
175 - if (-1 == canonicalize(pathname, canonic))
176 -diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
177 -index 5b97787..0aa58bb 100644
178 ---- a/libsandbox/wrappers.h
179 -+++ b/libsandbox/wrappers.h
180 -@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
181 - attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
182 - attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
183 - attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
184 -+attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
185 -+ char *dirfd_path, size_t dirfd_path_len);
186 -
187 - #endif
188 ---
189 -1.8.1.2
190 -
191 -From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
192 -From: Mike Frysinger <vapier@g.o>
193 -Date: Mon, 24 Dec 2012 19:41:49 -0500
194 -Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
195 - checking the dirfd [missing file]
196 -
197 -When it comes to processing errors, an empty path is checked before
198 -an invalid dirfd. Make sure sandbox matches that behavior for the
199 -random testsuites out there that look for this.
200 -
201 -Forgot to `git add` in the previous commit :/.
202 -
203 -URL: https://bugs.gentoo.org/346929
204 -Reported-by: Marien Zwart <marienz@g.o>
205 -Signed-off-by: Mike Frysinger <vapier@g.o>
206 ----
207 - libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
208 - 1 file changed, 34 insertions(+)
209 - create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
210 -
211 -diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
212 -new file mode 100644
213 -index 0000000..f72c40c
214 ---- /dev/null
215 -+++ b/libsandbox/wrapper-funcs/__pre_at_check.c
216 -@@ -0,0 +1,34 @@
217 -+/*
218 -+ * common *at() pre-checks.
219 -+ *
220 -+ * Copyright 1999-2012 Gentoo Foundation
221 -+ * Licensed under the GPL-2
222 -+ */
223 -+
224 -+/* We assume the parent has nested use with save/restore errno */
225 -+bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
226 -+ char *dirfd_path, size_t dirfd_path_len)
227 -+{
228 -+ /* the empty path name should fail with ENOENT before any dirfd
229 -+ * checks get a chance to run #346929
230 -+ */
231 -+ if (*pathname && *pathname[0] == '\0') {
232 -+ errno = ENOENT;
233 -+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
234 -+ func, *pathname, strerror(errno));
235 -+ return false;
236 -+ }
237 -+
238 -+ /* Expand the dirfd path first */
239 -+ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
240 -+ case -1:
241 -+ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
242 -+ func, *pathname, strerror(errno));
243 -+ return false;
244 -+ case 0:
245 -+ *pathname = dirfd_path;
246 -+ break;
247 -+ }
248 -+
249 -+ return true;
250 -+}
251 ---
252 -1.8.1.2
253 -
254
255 diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
256 deleted file mode 100644
257 index fbecb07..0000000
258 --- a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
259 +++ /dev/null
260 @@ -1,30 +0,0 @@
261 -From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
262 -From: Mike Frysinger <vapier@g.o>
263 -Date: Sat, 17 Nov 2012 14:14:26 -0500
264 -Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
265 -MIME-Version: 1.0
266 -Content-Type: text/plain; charset=UTF-8
267 -Content-Transfer-Encoding: 8bit
268 -
269 -URL: http://bugs.gentoo.org/443672
270 -Reported-by: Petteri Räty <betelgeuse@g.o>
271 -Signed-off-by: Mike Frysinger <vapier@g.o>
272 ----
273 - data/sandbox.desktop | 2 +-
274 - 1 file changed, 1 insertion(+), 1 deletion(-)
275 -
276 -diff --git a/data/sandbox.desktop b/data/sandbox.desktop
277 -index 5b5b576..27a887e 100644
278 ---- a/data/sandbox.desktop
279 -+++ b/data/sandbox.desktop
280 -@@ -5,6 +5,6 @@ Type=Application
281 - Comment=launch a sandboxed shell ... useful for debugging ebuilds
282 - Exec=sandbox
283 - TryExec=sandbox
284 --Icon=sandbox.svg
285 -+Icon=sandbox
286 - Categories=Development;
287 - Terminal=true
288 ---
289 -1.8.1.2
290 -
291
292 diff --git a/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch
293 deleted file mode 100644
294 index 611122a..0000000
295 --- a/sys-apps/sandbox/files/sandbox-2.6-hardened-pch.patch
296 +++ /dev/null
297 @@ -1,88 +0,0 @@
298 -From: Mike Frysinger <vapier@g.o>
299 -Date: Tue, 28 Aug 2012 16:19:56 +0000 (-0400)
300 -Subject: add a configure option to control pch usage
301 -X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fsandbox.git;a=commitdiff_plain;h=f2500f5954611d110ac18e9990f42d5a915f8101
302 -
303 -add a configure option to control pch usage
304 -
305 -Mostly for testing purposes. This also tweaks the dependency to fix a
306 -warning when generating the headers.h.pch in subdirs when the toplevel
307 -headers.h.pch already exists.
308 -
309 -URL: http://bugs.gentoo.org/425524
310 -Signed-off-by: Mike Frysinger <vapier@g.o>
311 ----
312 -
313 -diff --git a/Makefile.am b/Makefile.am
314 -index 475c8c0..eb54f42 100644
315 ---- a/Makefile.am
316 -+++ b/Makefile.am
317 -@@ -11,9 +11,9 @@ SUBDIRS = \
318 - src \
319 - tests
320 -
321 -+noinst_LTLIBRARIES =
322 -+
323 - SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch
324 --BUILT_SOURCES = $(SANDBOX_PCH)
325 --noinst_LTLIBRARIES = libpch.la
326 - nodist_libpch_la_SOURCES = $(SANDBOX_PCH)
327 - GCH_CP = ( \
328 - src=`dirname $@`/.libs/`basename $@`.o; \
329 -@@ -30,10 +30,23 @@ $(builddir)/libsandbox/headers.h.gch: headers.h
330 - $(builddir)/headers.h.gch: headers.h
331 - $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP)
332 -
333 --libsbutil: libsbutil/headers.h.gch
334 --libsandbox: libsbutil libsandbox/headers.h.gch
335 --src: libsbutil headers.h.gch
336 --tests: src headers.h.gch
337 -+if SB_BUILD_PCH
338 -+BUILT_SOURCES = $(SANDBOX_PCH)
339 -+noinst_LTLIBRARIES += libpch.la
340 -+
341 -+LIBSBUTIL_PCH = libsbutil/headers.h.gch
342 -+LIBSANDBOX_PCH = libsandbox/headers.h.gch
343 -+TOP_PCH = headers.h.gch
344 -+
345 -+# Make sure we build the subdirs before the top so they don't
346 -+# try to use the top level headers.h.pch.
347 -+$(TOP_PCH): $(LIBSBUTIL_PCH) $(LIBSANDBOX_PCH)
348 -+endif
349 -+
350 -+libsbutil: $(LIBSBUTIL_PCH)
351 -+libsandbox: libsbutil $(LIBSANDBOX_PCH)
352 -+src: libsbutil $(TOP_PCH)
353 -+tests: src $(TOP_PCH)
354 -
355 - EXTRA_DIST = headers.h localdecls.h ChangeLog.0
356 -
357 -diff --git a/configure.ac b/configure.ac
358 -index 661b494..ca0d3ac 100644
359 ---- a/configure.ac
360 -+++ b/configure.ac
361 -@@ -26,7 +26,7 @@ AC_ISC_POSIX
362 - AC_USE_SYSTEM_EXTENSIONS
363 -
364 - dnl Checks for programs.
365 --AM_PROG_AR
366 -+#AM_PROG_AR
367 - AC_PROG_INSTALL
368 - AC_PROG_MAKE_SET
369 - AC_PROG_AWK
370 -@@ -38,6 +38,14 @@ LT_INIT([disable-static])
371 -
372 - AC_PREFIX_DEFAULT([/usr])
373 -
374 -+dnl allow pch to be controlled
375 -+AC_MSG_CHECKING([whether to use pre-compiled sandbox headers])
376 -+AC_ARG_ENABLE([pch],
377 -+ [AS_HELP_STRING([--disable-pch],[Disable pre-compiled headers])],
378 -+ [],[enable_pch="yes"])
379 -+AM_CONDITIONAL([SB_BUILD_PCH], test "$enable_pch" = "yes")
380 -+AC_MSG_RESULT($enable_pch)
381 -+
382 - dnl multiple personality support (x86 & x86_64: multilib)
383 - AC_MSG_CHECKING([for multiple personalities])
384 - AC_ARG_ENABLE([schizo],
385 -
386
387 diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
388 deleted file mode 100644
389 index bfea9e5..0000000
390 --- a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
391 +++ /dev/null
392 @@ -1,51 +0,0 @@
393 -From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
394 -From: Mike Frysinger <vapier@g.o>
395 -Date: Sun, 3 Mar 2013 05:34:09 -0500
396 -Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
397 -
398 -Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
399 -with portage. It changed how the sandbox log env var was accessed by
400 -moving from getenv() to get_sandbox_log(). The latter has path checking
401 -and will kick out values that contain a slash. That means every time a
402 -new process starts, a new sandbox log path will be generated, and when a
403 -program triggers a violation, it'll write to the new file. Meanwhile,
404 -portage itself watches the original one which never gets updated.
405 -
406 -This code has been around forever w/out documentation, and I can't think
407 -of a reason we need it. So punt it.
408 -
409 -Signed-off-by: Mike Frysinger <vapier@g.o>
410 ----
411 - libsbutil/get_sandbox_log.c | 14 +++++---------
412 - 1 file changed, 5 insertions(+), 9 deletions(-)
413 -
414 -diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
415 -index a79b399..bdb4278 100644
416 ---- a/libsbutil/get_sandbox_log.c
417 -+++ b/libsbutil/get_sandbox_log.c
418 -@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
419 -
420 - sandbox_log_env = getenv(env);
421 -
422 -- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
423 -- /* When testing, just use what the env says to */
424 -+ if (sandbox_log_env) {
425 -+ /* If the env is viable, roll with it. We aren't really
426 -+ * about people breaking the security of the sandbox by
427 -+ * exporting SANDBOX_LOG=/dev/null.
428 -+ */
429 - strncpy(path, sandbox_log_env, SB_PATH_MAX);
430 - } else {
431 -- /* THIS CHUNK BREAK THINGS BY DOING THIS:
432 -- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
433 -- */
434 -- if ((NULL != sandbox_log_env) &&
435 -- (NULL != strchr(sandbox_log_env, '/')))
436 -- sandbox_log_env = NULL;
437 --
438 - snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
439 - SANDBOX_LOG_LOCATION, prefix,
440 - (sandbox_log_env == NULL ? "" : sandbox_log_env),
441 ---
442 -1.8.1.2
443 -
444
445 diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
446 deleted file mode 100644
447 index 0101ece..0000000
448 --- a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
449 +++ /dev/null
450 @@ -1,54 +0,0 @@
451 -From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
452 -From: Mike Frysinger <vapier@g.o>
453 -Date: Mon, 24 Dec 2012 18:46:29 -0500
454 -Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
455 -
456 -We don't check for O_NOFOLLOW in the open wrappers, so we end up
457 -returning the wrong error when operating on broken symlinks.
458 -
459 -URL: https://bugs.gentoo.org/413441
460 -Reported-by: Marien Zwart <marienz@g.o>
461 -Signed-off-by: Mike Frysinger <vapier@g.o>
462 ----
463 - libsandbox/wrapper-funcs/__64_post.h | 1 +
464 - libsandbox/wrapper-funcs/__64_pre.h | 1 +
465 - libsandbox/wrapper-funcs/openat_pre_check.c | 2 +-
466 - tests/open-2.sh | 10 ++++++++++
467 - tests/open.at | 1 +
468 - 5 files changed, 14 insertions(+), 1 deletion(-)
469 - create mode 100755 tests/open-2.sh
470 -
471 -diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
472 -index 2fd2182..82d2a16 100644
473 ---- a/libsandbox/wrapper-funcs/__64_post.h
474 -+++ b/libsandbox/wrapper-funcs/__64_post.h
475 -@@ -1,3 +1,4 @@
476 - #undef SB64
477 - #undef stat
478 -+#undef lstat
479 - #undef off_t
480 -diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
481 -index 2132110..0b34b25 100644
482 ---- a/libsandbox/wrapper-funcs/__64_pre.h
483 -+++ b/libsandbox/wrapper-funcs/__64_pre.h
484 -@@ -1,3 +1,4 @@
485 - #define SB64
486 - #define stat stat64
487 -+#define lstat lstat64
488 - #define off_t off64_t
489 -diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
490 -index c827ee6..0127708 100644
491 ---- a/libsandbox/wrapper-funcs/openat_pre_check.c
492 -+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
493 -@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
494 -
495 - /* Doesn't exist -> skip permission checks */
496 - struct stat st;
497 -- if (-1 == stat(pathname, &st)) {
498 -+ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
499 - sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
500 - func, pathname, strerror(errno));
501 - return false;
502 ---
503 -1.8.1.2
504 -
505
506 diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
507 deleted file mode 100644
508 index 7fc0972..0000000
509 --- a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
510 +++ /dev/null
511 @@ -1,93 +0,0 @@
512 -From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001
513 -From: Mike Frysinger <vapier@g.o>
514 -Date: Sat, 23 Jun 2012 11:52:51 -0700
515 -Subject: [PATCH] libsandbox: clean up open file handles in parent tracing
516 - process
517 -
518 -Currently, if a non-static app sets up a pipe (with cloexec enabled) and
519 -executes a static app, the handle to that pipe is left open in the parent
520 -process. This causes trouble when the parent is waiting for that to be
521 -closed immediately.
522 -
523 -Since none of the fds in the forked parent process matter to us, we can
524 -just go ahead and clean up all fds before we start tracing the child.
525 -
526 -URL: http://bugs.gentoo.org/364877
527 -Reported-by: Victor Stinner <victor.stinner@×××××××××.com>
528 -Signed-off-by: Mike Frysinger <vapier@g.o>
529 ----
530 - libsandbox/trace.c | 3 +-
531 - libsbutil/sb_close.c | 26 +++++++++++-
532 - libsbutil/sbutil.h | 1 +
533 - tests/Makefile.am | 2 +
534 - tests/pipe-fork_static_tst.c | 18 +++++++++
535 - tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
536 - tests/script-9.sh | 5 +++
537 - tests/script.at | 1 +
538 - 8 files changed, 149 insertions(+), 2 deletions(-)
539 - create mode 100644 tests/pipe-fork_static_tst.c
540 - create mode 100644 tests/pipe-fork_tst.c
541 - create mode 100755 tests/script-9.sh
542 -
543 -diff --git a/libsandbox/trace.c b/libsandbox/trace.c
544 -index 32ad2d6..dfbab18 100644
545 ---- a/libsandbox/trace.c
546 -+++ b/libsandbox/trace.c
547 -@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[])
548 - /* Not all kernel versions support this, so ignore return */
549 - ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
550 - #endif
551 -+ sb_close_all_fds();
552 - trace_loop();
553 -- return;
554 -+ sb_ebort("ISE: child should have quit, as should we\n");
555 - }
556 -
557 - sb_debug("child setting up ...");
558 -diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c
559 -index 17a4560..5379197 100644
560 ---- a/libsbutil/sb_close.c
561 -+++ b/libsbutil/sb_close.c
562 -@@ -29,3 +29,27 @@ int sb_close(int fd)
563 -
564 - return res;
565 - }
566 -+
567 -+/* Quickly close all the open fds (good for daemonization) */
568 -+void sb_close_all_fds(void)
569 -+{
570 -+ DIR *dirp;
571 -+ struct dirent *de;
572 -+ int dfd, fd;
573 -+ const char *fd_dir = sb_get_fd_dir();
574 -+
575 -+ dirp = opendir(fd_dir);
576 -+ if (!dirp)
577 -+ sb_ebort("could not process %s\n", fd_dir);
578 -+ dfd = dirfd(dirp);
579 -+
580 -+ while ((de = readdir(dirp)) != NULL) {
581 -+ if (de->d_name[0] == '.')
582 -+ continue;
583 -+ fd = atoi(de->d_name);
584 -+ if (fd != dfd)
585 -+ close(fd);
586 -+ }
587 -+
588 -+ closedir(dirp);
589 -+}
590 -diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
591 -index 02b88cb..479734b 100644
592 ---- a/libsbutil/sbutil.h
593 -+++ b/libsbutil/sbutil.h
594 -@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode);
595 - size_t sb_read(int fd, void *buf, size_t count);
596 - size_t sb_write(int fd, const void *buf, size_t count);
597 - int sb_close(int fd);
598 -+void sb_close_all_fds(void);
599 - int sb_copy_file_to_fd(const char *file, int ofd);
600 -
601 - /* Reliable output */
602 ---
603 -1.8.1.2
604 -
605
606 diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
607 deleted file mode 100644
608 index 7e73822..0000000
609 --- a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
610 +++ /dev/null
611 @@ -1,27 +0,0 @@
612 -From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001
613 -From: Mike Frysinger <vapier@g.o>
614 -Date: Fri, 6 Jul 2012 14:58:16 -0400
615 -Subject: [PATCH] libsandbox: fix hppa trace code
616 -
617 -URL: https://bugs.gentoo.org/425062
618 -Reported-by: Jeroen Roovers <jer@g.o>
619 -Signed-off-by: Mike Frysinger <vapier@g.o>
620 ----
621 - libsandbox/trace/linux/hppa.c | 4 ++--
622 - 1 file changed, 2 insertions(+), 2 deletions(-)
623 -
624 -diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
625 -index d23b0d1..5414354 100644
626 ---- a/libsandbox/trace/linux/hppa.c
627 -+++ b/libsandbox/trace/linux/hppa.c
628 -@@ -1,5 +1,5 @@
629 --#define trace_reg_sysnum (20 * 4) /* PT_GR20 */
630 --#define trace_reg_ret (28 * 4) /* PT_GR28 */
631 -+#define trace_reg_sysnum gr[20]
632 -+#define trace_reg_ret gr[28]
633 -
634 - static unsigned long trace_arg(void *vregs, int num)
635 - {
636 ---
637 -1.7.9.7
638 -
639
640 diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
641 deleted file mode 100644
642 index 25130d2..0000000
643 --- a/sys-apps/sandbox/sandbox-2.6-r1.ebuild
644 +++ /dev/null
645 @@ -1,132 +0,0 @@
646 -# Copyright 1999-2013 Gentoo Foundation
647 -# Distributed under the terms of the GNU General Public License v2
648 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/sandbox-2.6-r1.ebuild,v 1.12 2013/07/02 07:43:42 ago Exp $
649 -
650 -#
651 -# don't monkey with this ebuild unless contacting portage devs.
652 -# period.
653 -#
654 -
655 -inherit autotools eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
656 -
657 -DESCRIPTION="sandbox'd LD_PRELOAD hack"
658 -HOMEPAGE="http://www.gentoo.org/"
659 -SRC_URI="mirror://gentoo/${P}.tar.xz
660 - http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
661 -
662 -LICENSE="GPL-2"
663 -SLOT="0"
664 -KEYWORDS="alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
665 -IUSE="multilib pch"
666 -
667 -DEPEND="app-arch/xz-utils
668 - >=app-misc/pax-utils-0.1.19" #265376
669 -RDEPEND=""
670 -
671 -EMULTILIB_PKG="true"
672 -has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
673 -
674 -sandbox_death_notice() {
675 - ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
676 - ewarn "FEATURES=-sandbox emerge sandbox"
677 -}
678 -
679 -sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
680 -
681 -sb_foreach_abi() {
682 - local OABI=${ABI}
683 - for ABI in $(sb_get_install_abis) ; do
684 - cd "${WORKDIR}/build-${ABI}"
685 - einfo "Running $1 for ABI=${ABI}..."
686 - "$@"
687 - done
688 - ABI=${OABI}
689 -}
690 -
691 -src_unpack() {
692 - unpacker
693 - cd "${S}"
694 - epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062
695 - epatch "${FILESDIR}"/${P}-log-var.patch
696 - epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877
697 - epatch "${FILESDIR}"/${P}-desktop.patch #443672
698 - epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441
699 - epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929
700 - epatch "${FILESDIR}"/${P}-hardened-pch.patch #425524
701 - epatch_user
702 -
703 - eautoreconf
704 -}
705 -
706 -sb_configure() {
707 - mkdir "${WORKDIR}/build-${ABI}"
708 - cd "${WORKDIR}/build-${ABI}"
709 -
710 - use multilib && multilib_toolchain_setup ${ABI}
711 -
712 - einfo "Configuring sandbox for ABI=${ABI}..."
713 - ECONF_SOURCE="../${P}/" \
714 - econf $(use_enable pch) ${myconf} || die
715 -}
716 -
717 -sb_compile() {
718 - emake || die
719 -}
720 -
721 -src_compile() {
722 - filter-lfs-flags #90228
723 -
724 - # Run configures in parallel!
725 - multijob_init
726 - local OABI=${ABI}
727 - for ABI in $(sb_get_install_abis) ; do
728 - multijob_child_init sb_configure
729 - done
730 - ABI=${OABI}
731 - multijob_finish
732 -
733 - sb_foreach_abi sb_compile
734 -}
735 -
736 -sb_test() {
737 - emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
738 -}
739 -
740 -src_test() {
741 - sb_foreach_abi sb_test
742 -}
743 -
744 -sb_install() {
745 - emake DESTDIR="${D}" install || die
746 - insinto /etc/sandbox.d #333131
747 - doins etc/sandbox.d/00default || die
748 -}
749 -
750 -src_install() {
751 - sb_foreach_abi sb_install
752 -
753 - doenvd "${FILESDIR}"/09sandbox
754 -
755 - keepdir /var/log/sandbox
756 - fowners root:portage /var/log/sandbox
757 - fperms 0770 /var/log/sandbox
758 -
759 - cd "${S}"
760 - dodoc AUTHORS ChangeLog* NEWS README
761 -}
762 -
763 -pkg_preinst() {
764 - chown root:portage "${D}"/var/log/sandbox
765 - chmod 0770 "${D}"/var/log/sandbox
766 -
767 - local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
768 - if [[ -n ${old} ]] ; then
769 - elog "Removing old sandbox libraries for you:"
770 - elog ${old//${ROOT}}
771 - find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
772 - fi
773 -}
774 -
775 -pkg_postinst() {
776 - chmod 0755 "${ROOT}"/etc/sandbox.d #265376
777 -}
Report Message
Find on MARC Find on Google Groups