* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2015-09-20 8:48 Mike Frysinger
0 siblings, 0 replies; 6+ messages in thread
From: Mike Frysinger @ 2015-09-20 8:48 UTC (permalink / raw
To: gentoo-commits
commit: 822e317acd15429c57cf09cf448b1ce99cf33147
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 20 08:12:48 2015 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Sep 20 08:48:22 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=822e317a
sys-apps/sandbox: version bump
sys-apps/sandbox/Manifest | 1 +
.../sandbox/files/sandbox-2.8-write-ptmx.patch | 34 ++++++
sys-apps/sandbox/sandbox-2.8.ebuild | 124 +++++++++++++++++++++
3 files changed, 159 insertions(+)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 42c825a..e0fd4ea 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -4,3 +4,4 @@ DIST sandbox-2.4.tar.xz 344664 SHA256 450599cb3052296d42f81a04dbbda82d220415fc2d
DIST sandbox-2.5.tar.xz 355680 SHA256 c0e98767fb70750d79591a6d08f81d5c2f13ce783bf94bd90677022e9103878a SHA512 7b870295bb78c1da5550b650a3983d93e503935a8e8452a29a5c6310cc2c2d569a898ea1534e2c670b4a3e5607504fac55f69da6878e0adc9c2c65a5476b4fb0 WHIRLPOOL 887d36638111b09d77674002c07ebad84c24bc4f645d9fb78e180a6c6e7407eb3fb6857877bc152e0cefb676f01df60b20857b8487ce28ff3e4438aef744fe53
DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
DIST sandbox-2.7.tar.xz 390304 SHA256 d6e1230180d84fb64c9788dd372a73a1cd2496ead91cad333a211320d3041149 SHA512 81056460afabe3f9163594f662f5faf87b6dfe8511a001fc4d6ce0171492eb29f3b645a45320032d34475bb2c24bf212d1d05b50878a340f1e2ca580f8f8f38a WHIRLPOOL ad070df6351537e49f939ba195f27ccf5e4566bb8b6e4ba391ab8174771eacf909571284c6fa873d5b55e8540605d2766a3de5d451b6af132c0ff6d96e43f554
+DIST sandbox-2.8.tar.xz 410588 SHA256 f01dcac27a4641d1898c4a19bf3a0572f8ec85c3ba12e6ede8af36f6bc047165 SHA512 73a21e72f5825f43ee887efbe73f4ccd8771c7f45438104077aa83448d0a2727ab65be89a7a1a690d3662594df680ca4dc29908763e5abe2a81594b6f8f6ff2e WHIRLPOOL 6c93a0d8737bab4e710f0f20645514c9a5413a2d357a64c2e8b8428567221b949134881e705f979aa374635a278c0b3c646a6cffaf1015024db8f2aab2ec7c74
diff --git a/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch b/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch
new file mode 100644
index 0000000..d22f53b
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch
@@ -0,0 +1,34 @@
+From 6b9b505f4a7716a50ff9e63c85f2c4882987a732 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 20 Sep 2015 04:40:39 -0400
+Subject: [PATCH] sandbox.conf: allow writing to /dev/ptmx
+
+We implicitly permit write access to this node by not catching functions
+like openpty and posix_openpt, but when projects try to access the node
+directly (due to legacy/fallback logic), the sandbox would reject them.
+Make access to the node explicit since it's generally harmless.
+
+URL: https://bugs.gentoo.org/413327
+URL: https://bugs.gentoo.org/550650
+URL: https://bugs.gentoo.org/550670
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ etc/sandbox.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/sandbox.conf b/etc/sandbox.conf
+index dc460f0..1d7655c 100644
+--- a/etc/sandbox.conf
++++ b/etc/sandbox.conf
+@@ -64,7 +64,7 @@ SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
+ # Console device nodes
+ SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
+ # Device filesystems
+-SANDBOX_WRITE="/dev/pts/:/dev/shm"
++SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
+ # Tempory storage
+ SANDBOX_WRITE="/tmp/:/var/tmp/"
+ # Needed for shells
+--
+2.5.2
+
diff --git a/sys-apps/sandbox/sandbox-2.8.ebuild b/sys-apps/sandbox/sandbox-2.8.ebuild
new file mode 100644
index 0000000..4f3de07
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.8.ebuild
@@ -0,0 +1,124 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+sb_foreach_abi() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Running $1 for ABI=${ABI}..."
+ "$@"
+ done
+ ABI=${OABI}
+}
+
+src_unpack() {
+ unpacker
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-write-ptmx.patch #413327
+ epatch_user
+}
+
+sb_configure() {
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="${S}" \
+ econf ${myconf} || die
+}
+
+sb_compile() {
+ emake || die
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ # Run configures in parallel!
+ multijob_init
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ multijob_child_init sb_configure
+ done
+ ABI=${OABI}
+ multijob_finish
+
+ sb_foreach_abi sb_compile
+}
+
+sb_test() {
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
+}
+
+src_test() {
+ sb_foreach_abi sb_test
+}
+
+sb_install() {
+ emake DESTDIR="${D}" install || die
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+}
+
+src_install() {
+ sb_foreach_abi sb_install
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2016-01-19 17:27 Mike Frysinger
0 siblings, 0 replies; 6+ messages in thread
From: Mike Frysinger @ 2016-01-19 17:27 UTC (permalink / raw
To: gentoo-commits
commit: 9afa2eba9ac0db028f58f0eb757ab990f30a7c34
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 19 17:27:22 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Jan 19 17:27:40 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9afa2eba
sys-apps/sandbox: fix building w/out gc-sections
.../sandbox/files/sandbox-2.10-disable-same.patch | 77 ++++++++++++++++++++++
sys-apps/sandbox/sandbox-2.10-r1.ebuild | 1 +
2 files changed, 78 insertions(+)
diff --git a/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch b/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
new file mode 100644
index 0000000..296b322
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
@@ -0,0 +1,77 @@
+From 7a923f646ce10b7dec3c7ae5fe2079c10aa21752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 20 Dec 2015 16:08:16 -0500
+Subject: [PATCH] libsbutil: gnulib: hand disable same_name usage
+
+We don't provide same_name because the one caller we don't use, but it
+relies on gc-sections to avoid link errors. That flag doesn't work on
+ia64 though, so we need to hand delete the one caller. Ugh.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsbutil/gnulib/hash-triple.c | 9 ---------
+ libsbutil/gnulib/same.h | 25 -------------------------
+ 2 files changed, 34 deletions(-)
+ delete mode 100644 libsbutil/gnulib/same.h
+
+diff --git a/libsbutil/gnulib/hash-triple.c b/libsbutil/gnulib/hash-triple.c
+index c3b6d9f..06cfbdf 100644
+--- a/libsbutil/gnulib/hash-triple.c
++++ b/libsbutil/gnulib/hash-triple.c
+@@ -24,7 +24,6 @@
+ #include <string.h>
+
+ #include "hash-pjw.h"
+-#include "same.h"
+ #include "same-inode.h"
+
+ #define STREQ(a, b) (strcmp (a, b) == 0)
+@@ -52,14 +51,6 @@ triple_hash_no_name (void const *x, size_t table_size)
+
+ /* Compare two F_triple structs. */
+ bool
+-triple_compare (void const *x, void const *y)
+-{
+- struct F_triple const *a = x;
+- struct F_triple const *b = y;
+- return (SAME_INODE (*a, *b) && same_name (a->name, b->name)) ? true : false;
+-}
+-
+-bool
+ triple_compare_ino_str (void const *x, void const *y)
+ {
+ struct F_triple const *a = x;
+diff --git a/libsbutil/gnulib/same.h b/libsbutil/gnulib/same.h
+deleted file mode 100644
+index ee313c5..0000000
+--- a/libsbutil/gnulib/same.h
++++ /dev/null
+@@ -1,25 +0,0 @@
+-/* Determine whether two file names refer to the same file.
+-
+- Copyright (C) 1997-2000, 2003-2004, 2009-2015 Free Software Foundation, Inc.
+-
+- This program is free software: you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published by
+- the Free Software Foundation; either version 3 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program. If not, see <http://www.gnu.org/licenses/>. */
+-
+-#ifndef SAME_H_
+-# define SAME_H_ 1
+-
+-# include <stdbool.h>
+-
+-bool same_name (const char *source, const char *dest);
+-
+-#endif /* SAME_H_ */
+--
+2.6.2
+
diff --git a/sys-apps/sandbox/sandbox-2.10-r1.ebuild b/sys-apps/sandbox/sandbox-2.10-r1.ebuild
index 2270f92..d6c4990 100644
--- a/sys-apps/sandbox/sandbox-2.10-r1.ebuild
+++ b/sys-apps/sandbox/sandbox-2.10-r1.ebuild
@@ -47,6 +47,7 @@ src_unpack() {
unpacker
cd "${S}"
epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
+ epatch "${FILESDIR}"/${P}-disable-same.patch
epatch_user
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2016-03-30 3:46 Mike Frysinger
0 siblings, 0 replies; 6+ messages in thread
From: Mike Frysinger @ 2016-03-30 3:46 UTC (permalink / raw
To: gentoo-commits
commit: cb51c818a0d2b2f1a64e084411ac5717ebb3ef38
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 30 03:44:29 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Mar 30 03:46:35 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb51c818
sys-apps/sandbox: fix crashes w/some ELFs #578524
.../sandbox/files/sandbox-2.11-exec-hash.patch | 96 ++++++++++++++++++++++
...{sandbox-2.11.ebuild => sandbox-2.11-r1.ebuild} | 1 +
2 files changed, 97 insertions(+)
diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch
new file mode 100644
index 0000000..8a4cd9b
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-hash.patch
@@ -0,0 +1,96 @@
+From e11815bb7f0656f39e122073e0e3284ec7f5d021 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Tue, 29 Mar 2016 23:35:44 -0400
+Subject: [PATCH] libsandbox: fix symtab walking with some ELFs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The strtab assumption works if there is no SysV hash table.
+Add logic to handle that scenario.
+
+URL: https://bugs.gentoo.org/578524
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__wrapper_exec.c | 30 +++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c
+index f7f51ab..d372366 100644
+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c
++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -83,10 +83,10 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ ({ \
+ Elf##n##_Ehdr *ehdr = (void *)elf; \
+ Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \
+- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0; \
+- Elf##n##_Off offset, symoff = 0, stroff = 0; \
++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \
++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \
+ Elf##n##_Dyn *dyn; \
+- Elf##n##_Sym *sym; \
++ Elf##n##_Sym *sym, *symend; \
+ uint##n##_t ent_size = 0, str_size = 0; \
+ bool dynamic = false; \
+ size_t i; \
+@@ -106,6 +106,7 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
+ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
+ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
++ case DT_HASH: vhash = dyn->d_un.d_val; break; \
+ } \
+ ++dyn; \
+ } \
+@@ -123,6 +124,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ symoff = offset + (vsym - vaddr); \
+ if (vstr >= vaddr && vstr < vaddr + filesz) \
+ stroff = offset + (vstr - vaddr); \
++ if (vhash >= vaddr && vhash < vaddr + filesz) \
++ hashoff = offset + (vhash - vaddr); \
+ } \
+ \
+ /* Finally walk the symbol table. This should generally be fast as \
+@@ -130,18 +133,20 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ * out there do not export any symbols at all. \
+ */ \
+ if (symoff && stroff) { \
+- sym = (void *)(elf + symoff); \
++ /* Hash entries are always 32-bits. */ \
++ uint32_t *hashes = (void *)(elf + hashoff); \
+ /* Nowhere is the # of symbols recorded, or the size of the symbol \
+- * table. Instead, we do what glibc does: assume that the string \
+- * table always follows the symbol table. This seems like a poor \
+- * assumption to make, but glibc has gotten by this long. We could \
+- * rely on DT_HASH and walking all the buckets to find the largest \
+- * symbol index, but that's also a bit hacky. \
++ * table. Instead, we do what glibc does: use the sysv hash table \
++ * if it exists, else assume that the string table always directly \
++ * follows the symbol table. This seems like a poor assumption to \
++ * make, but glibc has gotten by this long. \
+ * \
+ * We don't sanity check the ranges here as you aren't executing \
+ * corrupt programs in the sandbox. \
+ */ \
+- for (i = 0; i < (vstr - vsym) / ent_size; ++i) { \
++ sym = (void *)(elf + symoff); \
++ symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \
++ while (sym < symend) { \
+ char *symname = (void *)(elf + stroff + sym->st_name); \
+ if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \
+ sym->st_shndx != SHN_UNDEF && sym->st_shndx < SHN_LORESERVE && \
+@@ -149,9 +154,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ /* Minor optimization to avoid strcmp. */ \
+ symname[0] == '_' && symname[1] == '_') { \
+ /* Blacklist internal C library symbols. */ \
+- size_t j; \
+- for (j = 0; j < ARRAY_SIZE(libc_alloc_syms); ++j) \
+- if (!strcmp(symname, libc_alloc_syms[j])) { \
++ for (i = 0; i < ARRAY_SIZE(libc_alloc_syms); ++i) \
++ if (!strcmp(symname, libc_alloc_syms[i])) { \
+ run_in_process = false; \
+ goto use_trace; \
+ } \
+--
+2.7.4
+
diff --git a/sys-apps/sandbox/sandbox-2.11.ebuild b/sys-apps/sandbox/sandbox-2.11-r1.ebuild
similarity index 97%
rename from sys-apps/sandbox/sandbox-2.11.ebuild
rename to sys-apps/sandbox/sandbox-2.11-r1.ebuild
index 0bbf588..8001316 100644
--- a/sys-apps/sandbox/sandbox-2.11.ebuild
+++ b/sys-apps/sandbox/sandbox-2.11-r1.ebuild
@@ -32,6 +32,7 @@ sandbox_death_notice() {
}
src_prepare() {
+ epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
epatch_user
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2016-11-16 22:20 Mike Frysinger
0 siblings, 0 replies; 6+ messages in thread
From: Mike Frysinger @ 2016-11-16 22:20 UTC (permalink / raw
To: gentoo-commits
commit: 8ec3e4da8a051ed983a770b719b10730038474bb
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 16 22:19:27 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Nov 16 22:19:59 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ec3e4da
sys-apps/sandbox: fix crashes when the system is prelinked #599894
.../sandbox/files/sandbox-2.11-exec-prelink.patch | 107 +++++++++++++++++++++
...ndbox-2.11-r2.ebuild => sandbox-2.11-r3.ebuild} | 1 +
2 files changed, 108 insertions(+)
diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch
new file mode 100644
index 00000000..067824f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch
@@ -0,0 +1,107 @@
+From 5628d830548e91819953d2d14397170e219df7c6 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 16 Nov 2016 15:59:28 -0500
+Subject: [PATCH] libsandbox: fix symtab walking with prelinked ELFs
+
+When prelink runs on an ELF, it moves the string table from right
+after the symbol table to the end, and then replaces the string
+table with its liblist table. This ends up breaking sandbox's
+assumption that the string table always follows the symbol table
+leading to prelinked ELFs crashing.
+
+Update the range check to use the liblist table when available.
+Since the prelink code has this logic hardcoded (swapping the
+string table for the liblist table), this should be OK for now.
+
+URL: https://bugs.gentoo.org/599894
+Reported-by: Anders Larsson <anders.gentoo@larsson.xyz>
+Reported-by: Kenton Groombridge <rustyvega@comcast.net>
+Reported-by: Marien Zwart <marien.zwart@gmail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__wrapper_exec.c | 39 ++++++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c
+index d372366c5478..226c0c0f4407 100644
+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c
++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -83,8 +83,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ ({ \
+ Elf##n##_Ehdr *ehdr = (void *)elf; \
+ Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \
+- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \
+- Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \
++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0, vliblist = 0; \
++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0, liblistoff = 0; \
+ Elf##n##_Dyn *dyn; \
+ Elf##n##_Sym *sym, *symend; \
+ uint##n##_t ent_size = 0, str_size = 0; \
+@@ -102,11 +102,12 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ dyn = (void *)(elf + phdr[i].p_offset); \
+ while (dyn->d_tag != DT_NULL) { \
+ switch (dyn->d_tag) { \
+- case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \
+- case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
+- case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
+- case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
+- case DT_HASH: vhash = dyn->d_un.d_val; break; \
++ case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \
++ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
++ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
++ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
++ case DT_HASH: vhash = dyn->d_un.d_val; break; \
++ case DT_GNU_LIBLIST: vliblist = dyn->d_un.d_val; break; \
+ } \
+ ++dyn; \
+ } \
+@@ -126,6 +127,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ stroff = offset + (vstr - vaddr); \
+ if (vhash >= vaddr && vhash < vaddr + filesz) \
+ hashoff = offset + (vhash - vaddr); \
++ if (vliblist >= vaddr && vliblist < vaddr + filesz) \
++ liblistoff = offset + (vliblist - vaddr); \
+ } \
+ \
+ /* Finally walk the symbol table. This should generally be fast as \
+@@ -133,19 +136,33 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ * out there do not export any symbols at all. \
+ */ \
+ if (symoff && stroff) { \
+- /* Hash entries are always 32-bits. */ \
+- uint32_t *hashes = (void *)(elf + hashoff); \
+ /* Nowhere is the # of symbols recorded, or the size of the symbol \
+ * table. Instead, we do what glibc does: use the sysv hash table \
+ * if it exists, else assume that the string table always directly \
+ * follows the symbol table. This seems like a poor assumption to \
+- * make, but glibc has gotten by this long. \
++ * make, but glibc has gotten by this long. See determine_info in \
++ * glibc's elf/dl-addr.c. \
++ * \
++ * Turns out prelink will violate that assumption. Fortunately it \
++ * will insert its liblist at the same location all the time -- it \
++ * replaces the string table with its liblist table. \
++ * \
++ * Long term, we should behave the same as glibc and walk the gnu \
++ * hash table first before falling back to the raw symbol table. \
+ * \
+ * We don't sanity check the ranges here as you aren't executing \
+ * corrupt programs in the sandbox. \
+ */ \
+ sym = (void *)(elf + symoff); \
+- symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \
++ if (vhash) { \
++ /* Hash entries are always 32-bits. */ \
++ uint32_t *hashes = (void *)(elf + hashoff); \
++ symend = sym + hashes[1]; \
++ } else if (vliblist) \
++ symend = (void *)(elf + liblistoff); \
++ else \
++ symend = (void *)(elf + stroff); \
++ \
+ while (sym < symend) { \
+ char *symname = (void *)(elf + stroff + sym->st_name); \
+ if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \
+--
+2.10.2
+
diff --git a/sys-apps/sandbox/sandbox-2.11-r2.ebuild b/sys-apps/sandbox/sandbox-2.11-r3.ebuild
similarity index 97%
rename from sys-apps/sandbox/sandbox-2.11-r2.ebuild
rename to sys-apps/sandbox/sandbox-2.11-r3.ebuild
index 1319c37..e49dd8c 100644
--- a/sys-apps/sandbox/sandbox-2.11-r2.ebuild
+++ b/sys-apps/sandbox/sandbox-2.11-r3.ebuild
@@ -34,6 +34,7 @@ sandbox_death_notice() {
src_prepare() {
epatch "${FILESDIR}"/${P}-execvpe.patch #578516
epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
+ epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
epatch_user
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2017-10-03 19:09 Michał Górny
0 siblings, 0 replies; 6+ messages in thread
From: Michał Górny @ 2017-10-03 19:09 UTC (permalink / raw
To: gentoo-commits
commit: 207991fdff291c3ccecf2899ad88a91d351136c6
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 3 19:06:04 2017 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Oct 3 19:09:28 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=207991fd
sys-apps/sandbox: Drop old
sys-apps/sandbox/Manifest | 4 -
.../files/sandbox-2.6-check-empty-paths-at.patch | 201 ---------------------
sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 ---
sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch | 13 --
sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ------
sys-apps/sandbox/files/sandbox-2.6-no-pch.patch | 29 ---
.../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ------
.../files/sandbox-2.6-static-close-fd.patch | 93 ----------
.../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 ---
.../sandbox/files/sandbox-2.8-write-ptmx.patch | 34 ----
sys-apps/sandbox/sandbox-2.6-r1.ebuild | 130 -------------
sys-apps/sandbox/sandbox-2.7.ebuild | 122 -------------
sys-apps/sandbox/sandbox-2.8.ebuild | 123 -------------
sys-apps/sandbox/sandbox-2.9.ebuild | 122 -------------
14 files changed, 1033 deletions(-)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 5ca84948432..b4efad9fa3d 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -1,6 +1,2 @@
DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192
DIST sandbox-2.12.tar.xz 424252 SHA256 265a490a8c528237c55ad26dfd7f62336fa5727c82358fc9cfbaa2e52c47fc50 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9 WHIRLPOOL 4f3089746a11616c60057165f387122b74e8d2f30a2d77db296405a2b6f401fc625645bca73092436162f5d98a88bfb2a3b42909b0eceb9a59ab810d803441b0
-DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
-DIST sandbox-2.7.tar.xz 390304 SHA256 d6e1230180d84fb64c9788dd372a73a1cd2496ead91cad333a211320d3041149 SHA512 81056460afabe3f9163594f662f5faf87b6dfe8511a001fc4d6ce0171492eb29f3b645a45320032d34475bb2c24bf212d1d05b50878a340f1e2ca580f8f8f38a WHIRLPOOL ad070df6351537e49f939ba195f27ccf5e4566bb8b6e4ba391ab8174771eacf909571284c6fa873d5b55e8540605d2766a3de5d451b6af132c0ff6d96e43f554
-DIST sandbox-2.8.tar.xz 410588 SHA256 f01dcac27a4641d1898c4a19bf3a0572f8ec85c3ba12e6ede8af36f6bc047165 SHA512 73a21e72f5825f43ee887efbe73f4ccd8771c7f45438104077aa83448d0a2727ab65be89a7a1a690d3662594df680ca4dc29908763e5abe2a81594b6f8f6ff2e WHIRLPOOL 6c93a0d8737bab4e710f0f20645514c9a5413a2d357a64c2e8b8428567221b949134881e705f979aa374635a278c0b3c646a6cffaf1015024db8f2aab2ec7c74
-DIST sandbox-2.9.tar.xz 415992 SHA256 ee6e92932c5a30d784548985b69adb357662fadd32d961776f197879ff8230c7 SHA512 9f9b886c160fa14119c7bc389b2eeb1050b150dccd60f64d809db43a23bc703004cb9ccaa454b970adb5e0616b19c9e9e0e6e52fccf6b16608ab89b3c2c3cee7 WHIRLPOOL aeae0387fe618c2af2945747629991649935f344906017f5b00e1a63496c2cc03ee5b7f078ee1d83897fad3f54793e02be86a6f297b7bbd4af2918b2a8157633
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
deleted file mode 100644
index e4dc5290ed5..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 19:41:49 -0500
-Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
- checking the dirfd
-
-When it comes to processing errors, an empty path is checked before
-an invalid dirfd. Make sure sandbox matches that behavior for the
-random testsuites out there that look for this.
-
-URL: https://bugs.gentoo.org/346929
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__pre_check.c | 2 ++
- libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
- libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++-----------
- libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
- libsandbox/wrappers.h | 2 ++
- tests/mkdirat-3.sh | 7 +++++++
- tests/mkdirat.at | 1 +
- tests/openat-2.sh | 9 +++++++++
- tests/openat.at | 1 +
- tests/unlinkat-4.sh | 7 +++++++
- tests/unlinkat.at | 1 +
- 11 files changed, 44 insertions(+), 35 deletions(-)
- create mode 100755 tests/mkdirat-3.sh
- create mode 100755 tests/openat-2.sh
- create mode 100755 tests/unlinkat-4.sh
-
-diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
-index 2d5711f..28ad91f 100644
---- a/libsandbox/wrapper-funcs/__pre_check.c
-+++ b/libsandbox/wrapper-funcs/__pre_check.c
-@@ -20,3 +20,5 @@
- #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
- # include "unlinkat_pre_check.c"
- #endif
-+
-+#include "__pre_at_check.c"
-diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-index 77a65df..0b48d1f 100644
---- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-@@ -1,20 +1,13 @@
- bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
- {
- char canonic[SB_PATH_MAX];
-- char dirfd_path[SB_PATH_MAX];
-
- save_errno();
-
-- /* Expand the dirfd path first */
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ /* Check incoming args against common *at issues */
-+ char dirfd_path[SB_PATH_MAX];
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Then break down any relative/symlink paths */
- if (-1 == canonicalize(pathname, canonic))
-diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
-index 0127708..5fd5eaa 100644
---- a/libsandbox/wrapper-funcs/openat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
-@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
-
- save_errno();
-
-- /* Expand the dirfd path first */
-+ /* Check incoming args against common *at issues */
- char dirfd_path[SB_PATH_MAX];
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Doesn't exist -> skip permission checks */
- struct stat st;
-diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-index 9f5e7d7..c004d15 100644
---- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-@@ -1,20 +1,13 @@
- bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
- {
- char canonic[SB_PATH_MAX];
-- char dirfd_path[SB_PATH_MAX];
-
- save_errno();
-
-- /* Expand the dirfd path first */
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ /* Check incoming args against common *at issues */
-+ char dirfd_path[SB_PATH_MAX];
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Then break down any relative/symlink paths */
- if (-1 == canonicalize(pathname, canonic))
-diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
-index 5b97787..0aa58bb 100644
---- a/libsandbox/wrappers.h
-+++ b/libsandbox/wrappers.h
-@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
- attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
- attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
- attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
-+attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
-+ char *dirfd_path, size_t dirfd_path_len);
-
- #endif
---
-1.8.1.2
-
-From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 19:41:49 -0500
-Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
- checking the dirfd [missing file]
-
-When it comes to processing errors, an empty path is checked before
-an invalid dirfd. Make sure sandbox matches that behavior for the
-random testsuites out there that look for this.
-
-Forgot to `git add` in the previous commit :/.
-
-URL: https://bugs.gentoo.org/346929
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
- create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
-
-diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
-new file mode 100644
-index 0000000..f72c40c
---- /dev/null
-+++ b/libsandbox/wrapper-funcs/__pre_at_check.c
-@@ -0,0 +1,34 @@
-+/*
-+ * common *at() pre-checks.
-+ *
-+ * Copyright 1999-2012 Gentoo Foundation
-+ * Licensed under the GPL-2
-+ */
-+
-+/* We assume the parent has nested use with save/restore errno */
-+bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
-+ char *dirfd_path, size_t dirfd_path_len)
-+{
-+ /* the empty path name should fail with ENOENT before any dirfd
-+ * checks get a chance to run #346929
-+ */
-+ if (*pathname && *pathname[0] == '\0') {
-+ errno = ENOENT;
-+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
-+ func, *pathname, strerror(errno));
-+ return false;
-+ }
-+
-+ /* Expand the dirfd path first */
-+ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
-+ case -1:
-+ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-+ func, *pathname, strerror(errno));
-+ return false;
-+ case 0:
-+ *pathname = dirfd_path;
-+ break;
-+ }
-+
-+ return true;
-+}
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
deleted file mode 100644
index fbecb0727f9..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 17 Nov 2012 14:14:26 -0500
-Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-URL: http://bugs.gentoo.org/443672
-Reported-by: Petteri Räty <betelgeuse@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- data/sandbox.desktop | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/data/sandbox.desktop b/data/sandbox.desktop
-index 5b5b576..27a887e 100644
---- a/data/sandbox.desktop
-+++ b/data/sandbox.desktop
-@@ -5,6 +5,6 @@ Type=Application
- Comment=launch a sandboxed shell ... useful for debugging ebuilds
- Exec=sandbox
- TryExec=sandbox
--Icon=sandbox.svg
-+Icon=sandbox
- Categories=Development;
- Terminal=true
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch b/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch
deleted file mode 100644
index fd87d6a272a..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-fix building w/gcc-5
-
---- a/libsandbox/Makefile.in
-+++ b/libsandbox/Makefile.in
-@@ -68,7 +68,7 @@ sb_nr.h: symbols.h $(SB_NR_FILE)
-
- TRACE_MAKE_HEADER = \
- $(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \
-- $(COMPILE) -E -include $(top_srcdir)/headers.h - $$f | \
-+ $(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \
- $(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header
- trace_syscalls.h: $(GEN_TRACE_SCRIPT) Makefile
- if SB_SCHIZO
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
deleted file mode 100644
index bfea9e55e28..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 3 Mar 2013 05:34:09 -0500
-Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
-
-Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
-with portage. It changed how the sandbox log env var was accessed by
-moving from getenv() to get_sandbox_log(). The latter has path checking
-and will kick out values that contain a slash. That means every time a
-new process starts, a new sandbox log path will be generated, and when a
-program triggers a violation, it'll write to the new file. Meanwhile,
-portage itself watches the original one which never gets updated.
-
-This code has been around forever w/out documentation, and I can't think
-of a reason we need it. So punt it.
-
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsbutil/get_sandbox_log.c | 14 +++++---------
- 1 file changed, 5 insertions(+), 9 deletions(-)
-
-diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
-index a79b399..bdb4278 100644
---- a/libsbutil/get_sandbox_log.c
-+++ b/libsbutil/get_sandbox_log.c
-@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
-
- sandbox_log_env = getenv(env);
-
-- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
-- /* When testing, just use what the env says to */
-+ if (sandbox_log_env) {
-+ /* If the env is viable, roll with it. We aren't really
-+ * about people breaking the security of the sandbox by
-+ * exporting SANDBOX_LOG=/dev/null.
-+ */
- strncpy(path, sandbox_log_env, SB_PATH_MAX);
- } else {
-- /* THIS CHUNK BREAK THINGS BY DOING THIS:
-- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
-- */
-- if ((NULL != sandbox_log_env) &&
-- (NULL != strchr(sandbox_log_env, '/')))
-- sandbox_log_env = NULL;
--
- snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
- SANDBOX_LOG_LOCATION, prefix,
- (sandbox_log_env == NULL ? "" : sandbox_log_env),
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
deleted file mode 100644
index fe2274927f4..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-gcc crashes when trying to use pch under hardened kernels
-
-http://bugs.gentoo.org/425524
-
---- Makefile.in
-+++ Makefile.in
-@@ -300,7 +300,7 @@
- src \
- tests
-
--SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch
-+SANDBOX_PCH =
- BUILT_SOURCES = $(SANDBOX_PCH)
- noinst_LTLIBRARIES = libpch.la
- nodist_libpch_la_SOURCES = $(SANDBOX_PCH)
-@@ -862,10 +862,9 @@
- $(builddir)/headers.h.gch: headers.h
- $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP)
-
--libsbutil: libsbutil/headers.h.gch
--libsandbox: libsbutil libsandbox/headers.h.gch
--src: libsbutil headers.h.gch
--tests: src headers.h.gch
-+libsandbox: libsbutil
-+src: libsbutil
-+tests: src
-
- ChangeLog:
- touch ChangeLog
diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
deleted file mode 100644
index 0101ece2c2b..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 18:46:29 -0500
-Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
-
-We don't check for O_NOFOLLOW in the open wrappers, so we end up
-returning the wrong error when operating on broken symlinks.
-
-URL: https://bugs.gentoo.org/413441
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__64_post.h | 1 +
- libsandbox/wrapper-funcs/__64_pre.h | 1 +
- libsandbox/wrapper-funcs/openat_pre_check.c | 2 +-
- tests/open-2.sh | 10 ++++++++++
- tests/open.at | 1 +
- 5 files changed, 14 insertions(+), 1 deletion(-)
- create mode 100755 tests/open-2.sh
-
-diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
-index 2fd2182..82d2a16 100644
---- a/libsandbox/wrapper-funcs/__64_post.h
-+++ b/libsandbox/wrapper-funcs/__64_post.h
-@@ -1,3 +1,4 @@
- #undef SB64
- #undef stat
-+#undef lstat
- #undef off_t
-diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
-index 2132110..0b34b25 100644
---- a/libsandbox/wrapper-funcs/__64_pre.h
-+++ b/libsandbox/wrapper-funcs/__64_pre.h
-@@ -1,3 +1,4 @@
- #define SB64
- #define stat stat64
-+#define lstat lstat64
- #define off_t off64_t
-diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
-index c827ee6..0127708 100644
---- a/libsandbox/wrapper-funcs/openat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
-@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
-
- /* Doesn't exist -> skip permission checks */
- struct stat st;
-- if (-1 == stat(pathname, &st)) {
-+ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
- sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
- func, pathname, strerror(errno));
- return false;
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
deleted file mode 100644
index 7fc0972507b..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 23 Jun 2012 11:52:51 -0700
-Subject: [PATCH] libsandbox: clean up open file handles in parent tracing
- process
-
-Currently, if a non-static app sets up a pipe (with cloexec enabled) and
-executes a static app, the handle to that pipe is left open in the parent
-process. This causes trouble when the parent is waiting for that to be
-closed immediately.
-
-Since none of the fds in the forked parent process matter to us, we can
-just go ahead and clean up all fds before we start tracing the child.
-
-URL: http://bugs.gentoo.org/364877
-Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/trace.c | 3 +-
- libsbutil/sb_close.c | 26 +++++++++++-
- libsbutil/sbutil.h | 1 +
- tests/Makefile.am | 2 +
- tests/pipe-fork_static_tst.c | 18 +++++++++
- tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
- tests/script-9.sh | 5 +++
- tests/script.at | 1 +
- 8 files changed, 149 insertions(+), 2 deletions(-)
- create mode 100644 tests/pipe-fork_static_tst.c
- create mode 100644 tests/pipe-fork_tst.c
- create mode 100755 tests/script-9.sh
-
-diff --git a/libsandbox/trace.c b/libsandbox/trace.c
-index 32ad2d6..dfbab18 100644
---- a/libsandbox/trace.c
-+++ b/libsandbox/trace.c
-@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[])
- /* Not all kernel versions support this, so ignore return */
- ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
- #endif
-+ sb_close_all_fds();
- trace_loop();
-- return;
-+ sb_ebort("ISE: child should have quit, as should we\n");
- }
-
- sb_debug("child setting up ...");
-diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c
-index 17a4560..5379197 100644
---- a/libsbutil/sb_close.c
-+++ b/libsbutil/sb_close.c
-@@ -29,3 +29,27 @@ int sb_close(int fd)
-
- return res;
- }
-+
-+/* Quickly close all the open fds (good for daemonization) */
-+void sb_close_all_fds(void)
-+{
-+ DIR *dirp;
-+ struct dirent *de;
-+ int dfd, fd;
-+ const char *fd_dir = sb_get_fd_dir();
-+
-+ dirp = opendir(fd_dir);
-+ if (!dirp)
-+ sb_ebort("could not process %s\n", fd_dir);
-+ dfd = dirfd(dirp);
-+
-+ while ((de = readdir(dirp)) != NULL) {
-+ if (de->d_name[0] == '.')
-+ continue;
-+ fd = atoi(de->d_name);
-+ if (fd != dfd)
-+ close(fd);
-+ }
-+
-+ closedir(dirp);
-+}
-diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
-index 02b88cb..479734b 100644
---- a/libsbutil/sbutil.h
-+++ b/libsbutil/sbutil.h
-@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode);
- size_t sb_read(int fd, void *buf, size_t count);
- size_t sb_write(int fd, const void *buf, size_t count);
- int sb_close(int fd);
-+void sb_close_all_fds(void);
- int sb_copy_file_to_fd(const char *file, int ofd);
-
- /* Reliable output */
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
deleted file mode 100644
index 7e738228657..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Fri, 6 Jul 2012 14:58:16 -0400
-Subject: [PATCH] libsandbox: fix hppa trace code
-
-URL: https://bugs.gentoo.org/425062
-Reported-by: Jeroen Roovers <jer@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/trace/linux/hppa.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
-index d23b0d1..5414354 100644
---- a/libsandbox/trace/linux/hppa.c
-+++ b/libsandbox/trace/linux/hppa.c
-@@ -1,5 +1,5 @@
--#define trace_reg_sysnum (20 * 4) /* PT_GR20 */
--#define trace_reg_ret (28 * 4) /* PT_GR28 */
-+#define trace_reg_sysnum gr[20]
-+#define trace_reg_ret gr[28]
-
- static unsigned long trace_arg(void *vregs, int num)
- {
---
-1.7.9.7
-
diff --git a/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch b/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch
deleted file mode 100644
index d22f53b0f11..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6b9b505f4a7716a50ff9e63c85f2c4882987a732 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 20 Sep 2015 04:40:39 -0400
-Subject: [PATCH] sandbox.conf: allow writing to /dev/ptmx
-
-We implicitly permit write access to this node by not catching functions
-like openpty and posix_openpt, but when projects try to access the node
-directly (due to legacy/fallback logic), the sandbox would reject them.
-Make access to the node explicit since it's generally harmless.
-
-URL: https://bugs.gentoo.org/413327
-URL: https://bugs.gentoo.org/550650
-URL: https://bugs.gentoo.org/550670
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- etc/sandbox.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/etc/sandbox.conf b/etc/sandbox.conf
-index dc460f0..1d7655c 100644
---- a/etc/sandbox.conf
-+++ b/etc/sandbox.conf
-@@ -64,7 +64,7 @@ SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
- # Console device nodes
- SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
- # Device filesystems
--SANDBOX_WRITE="/dev/pts/:/dev/shm"
-+SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
- # Tempory storage
- SANDBOX_WRITE="/tmp/:/var/tmp/"
- # Needed for shells
---
-2.5.2
-
diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild
deleted file mode 100644
index 5fedb39c104..00000000000
--- a/sys-apps/sandbox/sandbox-2.6-r1.ebuild
+++ /dev/null
@@ -1,130 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062
- epatch "${FILESDIR}"/${P}-log-var.patch
- epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877
- epatch "${FILESDIR}"/${P}-desktop.patch #443672
- epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441
- epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929
- epatch "${FILESDIR}"/${P}-no-pch.patch #425524
- epatch "${FILESDIR}"/${P}-gcc-5.patch
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="../${P}/" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-}
diff --git a/sys-apps/sandbox/sandbox-2.7.ebuild b/sys-apps/sandbox/sandbox-2.7.ebuild
deleted file mode 100644
index e2c6358e731..00000000000
--- a/sys-apps/sandbox/sandbox-2.7.ebuild
+++ /dev/null
@@ -1,122 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="${S}" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-}
diff --git a/sys-apps/sandbox/sandbox-2.8.ebuild b/sys-apps/sandbox/sandbox-2.8.ebuild
deleted file mode 100644
index cd56a63a9a8..00000000000
--- a/sys-apps/sandbox/sandbox-2.8.ebuild
+++ /dev/null
@@ -1,123 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch "${FILESDIR}"/${P}-write-ptmx.patch #413327
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="${S}" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-}
diff --git a/sys-apps/sandbox/sandbox-2.9.ebuild b/sys-apps/sandbox/sandbox-2.9.ebuild
deleted file mode 100644
index e2c6358e731..00000000000
--- a/sys-apps/sandbox/sandbox-2.9.ebuild
+++ /dev/null
@@ -1,122 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="${S}" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2018-03-24 8:28 Michał Górny
0 siblings, 0 replies; 6+ messages in thread
From: Michał Górny @ 2018-03-24 8:28 UTC (permalink / raw
To: gentoo-commits
commit: b83a18ad65d0de328f173700d4625abc0c27ef34
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 24 08:24:49 2018 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sat Mar 24 08:28:35 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b83a18ad
sys-apps/sandbox: Clean old up
sys-apps/sandbox/Manifest | 1 -
.../sandbox/files/sandbox-2.10-disable-same.patch | 77 -------------
.../sandbox/files/sandbox-2.10-fix-opendir.patch | 79 -------------
.../files/sandbox-2.10-memory-corruption.patch | 42 -------
.../files/sandbox-2.11-symlinkat-renameat.patch | 124 ---------------------
sys-apps/sandbox/sandbox-2.10-r3.ebuild | 84 --------------
sys-apps/sandbox/sandbox-2.10-r4.ebuild | 85 --------------
7 files changed, 492 deletions(-)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index fb01669ce96..ef5db1c5aa7 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -1,3 +1,2 @@
-DIST sandbox-2.10.tar.xz 417068 BLAKE2B 78bb5b29b520d41c582e7f7cb444ce580f9f8f05ce80795986ff8e1f84f9320e21fda0c5ae092cce8e5a3dc1c0efa48e1ce69c21107e541d2c569e6369ccb5b0 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305
DIST sandbox-2.12.tar.xz 424252 BLAKE2B 55eb06cbc15ad9ff8b0c272b8d071591ce3533a6ff807719df79131e6c966d60c3b37d9d8e4e1d466df0992836c4594bf6927b496ecb343a71d7b0656219a6d7 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9
DIST sandbox-2.13.tar.xz 424968 BLAKE2B efcbf527853e8cfe8b3fec026041f55f51cba78029f92195ec76a45e84cb2b6cc129267c6e50608584607de72a86b2e7836e77f20677de9b94bb5c40999e4712 SHA512 46ad79335e51a1ec0aaa34ab5eeabe9d007818c518682409c5aaf97d49ec23021ece8fa53264ce5332cdd04ef6b3fd9beff0dc0a3cb5dfe2f9b6a6e359f8c1cf
diff --git a/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch b/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
deleted file mode 100644
index 296b322b0c5..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 7a923f646ce10b7dec3c7ae5fe2079c10aa21752 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 20 Dec 2015 16:08:16 -0500
-Subject: [PATCH] libsbutil: gnulib: hand disable same_name usage
-
-We don't provide same_name because the one caller we don't use, but it
-relies on gc-sections to avoid link errors. That flag doesn't work on
-ia64 though, so we need to hand delete the one caller. Ugh.
-
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsbutil/gnulib/hash-triple.c | 9 ---------
- libsbutil/gnulib/same.h | 25 -------------------------
- 2 files changed, 34 deletions(-)
- delete mode 100644 libsbutil/gnulib/same.h
-
-diff --git a/libsbutil/gnulib/hash-triple.c b/libsbutil/gnulib/hash-triple.c
-index c3b6d9f..06cfbdf 100644
---- a/libsbutil/gnulib/hash-triple.c
-+++ b/libsbutil/gnulib/hash-triple.c
-@@ -24,7 +24,6 @@
- #include <string.h>
-
- #include "hash-pjw.h"
--#include "same.h"
- #include "same-inode.h"
-
- #define STREQ(a, b) (strcmp (a, b) == 0)
-@@ -52,14 +51,6 @@ triple_hash_no_name (void const *x, size_t table_size)
-
- /* Compare two F_triple structs. */
- bool
--triple_compare (void const *x, void const *y)
--{
-- struct F_triple const *a = x;
-- struct F_triple const *b = y;
-- return (SAME_INODE (*a, *b) && same_name (a->name, b->name)) ? true : false;
--}
--
--bool
- triple_compare_ino_str (void const *x, void const *y)
- {
- struct F_triple const *a = x;
-diff --git a/libsbutil/gnulib/same.h b/libsbutil/gnulib/same.h
-deleted file mode 100644
-index ee313c5..0000000
---- a/libsbutil/gnulib/same.h
-+++ /dev/null
-@@ -1,25 +0,0 @@
--/* Determine whether two file names refer to the same file.
--
-- Copyright (C) 1997-2000, 2003-2004, 2009-2015 Free Software Foundation, Inc.
--
-- This program is free software: you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 3 of the License, or
-- (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program. If not, see <http://www.gnu.org/licenses/>. */
--
--#ifndef SAME_H_
--# define SAME_H_ 1
--
--# include <stdbool.h>
--
--bool same_name (const char *source, const char *dest);
--
--#endif /* SAME_H_ */
---
-2.6.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch b/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
deleted file mode 100644
index 2ff89bcdfcb..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 3f668dc6ba1910085e61b3a24167ab1352c60d92 Mon Sep 17 00:00:00 2001
-From: Mart Raudsepp <leio@gentoo.org>
-Date: Fri, 11 Nov 2016 12:34:48 +0200
-Subject: [PATCH] libsandbox: do not abort with a long name to opendir
-
-Add a pre-check for opendir that catches too long name arguments
-given to opendir, as it would get messed up and abort before it
-even gets to the open*() syscall (which would handle it correctly),
-due to opendir going through before_syscall/check_syscall, even
-though it isn't a true syscall and it getting cut to SB_PATH_MAX
-inbetween and getting confused somewhere.
-
-URL: https://bugs.gentoo.org/553092
-Signed-off-by: Mart Raudsepp <leio@gentoo.org>
----
- libsandbox/wrapper-funcs/opendir.c | 2 ++
- libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
- libsandbox/wrappers.h | 1 +
- 3 files changed, 29 insertions(+)
- create mode 100644 libsandbox/wrapper-funcs/opendir_pre_check.c
-
-diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
-index 7670775..70c2692 100644
---- a/libsandbox/wrapper-funcs/opendir.c
-+++ b/libsandbox/wrapper-funcs/opendir.c
-@@ -10,4 +10,6 @@
- #define WRAPPER_SAFE() SB_SAFE(name)
- #define WRAPPER_RET_TYPE DIR *
- #define WRAPPER_RET_DEFAULT NULL
-+#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
-+
- #include "__wrapper_simple.c"
-diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
-new file mode 100644
-index 0000000..60c869f
---- /dev/null
-+++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
-@@ -0,0 +1,26 @@
-+/*
-+ * opendir() pre-check.
-+ *
-+ * Copyright 1999-2016 Gentoo Foundation
-+ * Licensed under the GPL-2
-+ */
-+
-+bool sb_opendir_pre_check(const char *func, const char *name)
-+{
-+ /* If length of name is larger than PATH_MAX, we would mess it up
-+ * before it reaches the open syscall, which would cleanly error out
-+ * via sandbox as well (actually with much smaller lengths than even
-+ * PATH_MAX).
-+ * So error out early in this case, in order to avoid an abort in
-+ * check_syscall later on, which gets ran for opendir, despite it not
-+ * being a syscall.
-+ */
-+ if (strnlen(name, PATH_MAX) == PATH_MAX) {
-+ errno = ENAMETOOLONG;
-+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
-+ func, name, strerror(errno));
-+ return false;
-+ }
-+
-+ return true;
-+}
-diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
-index 0aa58bb..bf5bf64 100644
---- a/libsandbox/wrappers.h
-+++ b/libsandbox/wrappers.h
-@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check (const char *func, const char *pathn
- attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathname, int dirfd);
- attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
- attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
-+attribute_hidden bool sb_opendir_pre_check (const char *func, const char *name);
- attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
- attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
- char *dirfd_path, size_t dirfd_path_len);
---
-2.9.0
-
diff --git a/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch b/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
deleted file mode 100644
index 7dd27c9d224..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 529a388ebb1b4e9d6ad8a1bb61dd8211833a5976 Mon Sep 17 00:00:00 2001
-From: Denis Lisov <dennis.lissov@gmail.com>
-Date: Sat, 19 Dec 2015 19:13:58 +0300
-Subject: [PATCH] libsandbox: fix old_malloc_size check on realloc
-
-Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
-while it is really the mmap size, which is greater. Thus it may fail
-to reallocate even if required.
-
-URL: https://bugs.gentoo.org/568714
-Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/memory.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libsandbox/memory.c b/libsandbox/memory.c
-index 8581128..a2d69a2 100644
---- a/libsandbox/memory.c
-+++ b/libsandbox/memory.c
-@@ -40,7 +40,8 @@ static int sb_munmap(void *addr, size_t length)
-
- #define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
- #define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
--#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
-+#define SB_MALLOC_TO_MMAP_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
-+#define SB_MALLOC_TO_SIZE(ptr) (SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN)
-
- void *malloc(size_t size)
- {
-@@ -57,7 +58,7 @@ void free(void *ptr)
- {
- if (ptr == NULL)
- return;
-- if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_SIZE(ptr)))
-+ if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_MMAP_SIZE(ptr)))
- sb_ebort("sandbox memory corruption with free(%p): %s\n",
- ptr, strerror(errno));
- }
---
-2.6.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
deleted file mode 100644
index e33011f7495..00000000000
--- a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Fri, 10 Mar 2017 10:15:50 -0800
-Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
-
-These funcs don't deref their path args, so flag them as such.
-
-URL: https://bugs.gentoo.org/612202
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/libsandbox.c | 4 +++-
- tests/renameat-2.sh | 12 ++++++++++++
- tests/renameat-3.sh | 11 +++++++++++
- tests/renameat.at | 2 ++
- tests/symlinkat-2.sh | 10 ++++++++++
- tests/symlinkat-3.sh | 9 +++++++++
- tests/symlinkat.at | 2 ++
- 7 files changed, 49 insertions(+), 1 deletion(-)
- create mode 100755 tests/renameat-2.sh
- create mode 100755 tests/renameat-3.sh
- create mode 100755 tests/symlinkat-2.sh
- create mode 100755 tests/symlinkat-3.sh
-
-diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
-index e809308d717d..de48bd79ba53 100644
---- a/libsandbox/libsandbox.c
-+++ b/libsandbox/libsandbox.c
-@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path)
- sb_nr == SB_NR_LCHOWN ||
- sb_nr == SB_NR_REMOVE ||
- sb_nr == SB_NR_RENAME ||
-+ sb_nr == SB_NR_RENAMEAT ||
- sb_nr == SB_NR_RMDIR ||
-- sb_nr == SB_NR_SYMLINK))
-+ sb_nr == SB_NR_SYMLINK ||
-+ sb_nr == SB_NR_SYMLINKAT))
- {
- /* These funcs sometimes operate on symlinks */
- if (!((sb_nr == SB_NR_FCHOWNAT ||
-diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
-new file mode 100755
-index 000000000000..d0fbe8ae4574
---- /dev/null
-+++ b/tests/renameat-2.sh
-@@ -0,0 +1,12 @@
-+#!/bin/sh
-+# make sure we can clobber symlinks #612202
-+
-+addwrite $PWD
-+
-+ln -s /asdf sym || exit 1
-+touch file
-+renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
-+[ ! -e file ]
-+[ ! -L sym ]
-+[ -e sym ]
-+test ! -s "${SANDBOX_LOG}"
-diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
-new file mode 100755
-index 000000000000..9ae5c9a6511a
---- /dev/null
-+++ b/tests/renameat-3.sh
-@@ -0,0 +1,11 @@
-+#!/bin/sh
-+# make sure we reject bad renames #612202
-+
-+addwrite $PWD
-+mkdir deny
-+adddeny $PWD/deny
-+
-+touch file
-+renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
-+[ -e file ]
-+test -s "${SANDBOX_LOG}"
-diff --git a/tests/renameat.at b/tests/renameat.at
-index 081d7d20277e..eec4638deeaa 100644
---- a/tests/renameat.at
-+++ b/tests/renameat.at
-@@ -1 +1,3 @@
- SB_CHECK(1)
-+SB_CHECK(2)
-+SB_CHECK(3)
-diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
-new file mode 100755
-index 000000000000..168362e8806f
---- /dev/null
-+++ b/tests/symlinkat-2.sh
-@@ -0,0 +1,10 @@
-+#!/bin/sh
-+# make sure we can clobber symlinks #612202
-+
-+addwrite $PWD
-+
-+symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
-+[ -L sym ]
-+symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
-+[ -L sym ]
-+test ! -s "${SANDBOX_LOG}"
-diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
-new file mode 100755
-index 000000000000..a01c750dd2b6
---- /dev/null
-+++ b/tests/symlinkat-3.sh
-@@ -0,0 +1,9 @@
-+#!/bin/sh
-+# make sure we reject bad symlinks #612202
-+
-+addwrite $PWD
-+mkdir deny
-+adddeny $PWD/deny
-+
-+symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
-+test -s "${SANDBOX_LOG}"
-diff --git a/tests/symlinkat.at b/tests/symlinkat.at
-index 081d7d20277e..eec4638deeaa 100644
---- a/tests/symlinkat.at
-+++ b/tests/symlinkat.at
-@@ -1 +1,3 @@
- SB_CHECK(1)
-+SB_CHECK(2)
-+SB_CHECK(3)
---
-2.12.0
-
diff --git a/sys-apps/sandbox/sandbox-2.10-r3.ebuild b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
deleted file mode 100644
index 49e172c3c52..00000000000
--- a/sys-apps/sandbox/sandbox-2.10-r3.ebuild
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-EAPI="5"
-
-inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
-IUSE=""
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-src_prepare() {
- epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
- epatch "${FILESDIR}"/${P}-disable-same.patch
- epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
- epatch_user
-}
-
-multilib_src_configure() {
- filter-lfs-flags #90228
-
- local myconf=()
- host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
-
- ECONF_SOURCE="${S}" \
- econf "${myconf[@]}"
-}
-
-multilib_src_test() {
- # Default sandbox build will run with --jobs set to # cpus.
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
-}
-
-multilib_src_install_all() {
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${ED}"/var/log/sandbox
- chmod 0770 "${ED}"/var/log/sandbox
-
- if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
- local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
- fi
- fi
-}
-
-pkg_postinst() {
- if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
- chmod 0755 "${EROOT}"/etc/sandbox.d #265376
- fi
-}
diff --git a/sys-apps/sandbox/sandbox-2.10-r4.ebuild b/sys-apps/sandbox/sandbox-2.10-r4.ebuild
deleted file mode 100644
index 29827378c0c..00000000000
--- a/sys-apps/sandbox/sandbox-2.10-r4.ebuild
+++ /dev/null
@@ -1,85 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-EAPI="5"
-
-inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
-IUSE=""
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-src_prepare() {
- epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
- epatch "${FILESDIR}"/${P}-disable-same.patch
- epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
- epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202
- epatch_user
-}
-
-multilib_src_configure() {
- filter-lfs-flags #90228
-
- local myconf=()
- host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
-
- ECONF_SOURCE="${S}" \
- econf "${myconf[@]}"
-}
-
-multilib_src_test() {
- # Default sandbox build will run with --jobs set to # cpus.
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
-}
-
-multilib_src_install_all() {
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${ED}"/var/log/sandbox
- chmod 0770 "${ED}"/var/log/sandbox
-
- if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
- local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
- fi
- fi
-}
-
-pkg_postinst() {
- if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
- chmod 0755 "${EROOT}"/etc/sandbox.d #265376
- fi
-}
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-03-24 8:28 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-30 3:46 [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/ Mike Frysinger
-- strict thread matches above, loose matches on Subject: below --
2018-03-24 8:28 Michał Górny
2017-10-03 19:09 Michał Górny
2016-11-16 22:20 Mike Frysinger
2016-01-19 17:27 Mike Frysinger
2015-09-20 8:48 Mike Frysinger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox