From: "Amadeusz Piotr Żołnowski"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Amadeusz Piotr Żołnowski"
Message-ID: <1465064066.7f01cbdf444491306d2b8557973f16b48d93ff69.aidecoe@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/firejail/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/firejail/firejail-0.9.40-r1.ebuild sys-apps/firejail/metadata.xml
X-VCS-Directories: sys-apps/firejail/
X-VCS-Committer: aidecoe
X-VCS-Committer-Name: Amadeusz Piotr Żołnowski
X-VCS-Revision: 7f01cbdf444491306d2b8557973f16b48d93ff69
X-VCS-Branch: master
Date: Sat, 4 Jun 2016 18:24:40 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org

commit:     7f01cbdf444491306d2b8557973f16b48d93ff69
Author:     Amadeusz Żołnowski gentoo org>
AuthorDate: Sat Jun  4 18:14:12 2016 +0000
Commit:     Amadeusz Piotr Żołnowski gentoo org>
CommitDate: Sat Jun  4 18:14:26 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f01cbdf

sys-apps/firejail: Allow compile time configuration

Networking features and most Linux kernel security features require root
privileges during configuration. Firejail (as a SUID binary) opens access
to these features, therefore it may be desirable to turn off some of the
features at compile time.

Bump EAPI to 6.

Depend on x11-wm/xpra for the X11 sandboxing feature.

Package-Manager: portage-2.3.0_rc1

 sys-apps/firejail/firejail-0.9.40-r1.ebuild | 42 +++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml              | 14 ++++++++++
 2 files changed, 56 insertions(+)

diff --git a/sys-apps/firejail/firejail-0.9.40-r1.ebuild b/sys-apps/firejail/firejail-0.9.40-r1.ebuild
new file mode 100644
index 0000000..778ced4
--- /dev/null
+++ b/sys-apps/firejail/firejail-0.9.40-r1.ebuild @@ -0,0 +1,42 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=6 + +inherit eutils + +DESCRIPTION="Security sandbox for any type of processes" +HOMEPAGE="https://firejail.wordpress.com/" +SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64" +IUSE="+bind +chroot +file-transfer +network network-restricted +seccomp + +userns x11" + +RDEPEND="x11? ( x11-wm/xpra )" + +PATCHES=( "${FILESDIR}"/${P}-sysmacros.patch ) + +src_prepare() { + default + find -name Makefile.in -exec sed -i -r \ + -e '/CFLAGS/s: (-O2|-ggdb) : :g' \ + -e '1iCC=@CC@' {} + || die +} + +src_configure() { + local myeconfargs=( + $(use_enable bind) + $(use_enable chroot) + $(use_enable file-transfer) + $(use_enable network) + $(use_enable seccomp) + $(use_enable userns) + $(use_enable x11) + ) + use network-restricted && myeconfargs+=( --enable-network=restricted ) + econf "${myeconfargs[@]}" +} diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml index 0b1ef01..004a53cb 100644 --- a/sys-apps/firejail/metadata.xml +++ b/sys-apps/firejail/metadata.xml @@ -16,4 +16,18 @@ firejail + + Enable custom bind mounts + Enable chrooting to custom directory + Enable file transfers between sandboxes and + the host system + Enable networking features + Grant access to --interface, + --net=ethXXX and --netfilter only to root user; regular users are + only allowed --net=none + Enable system call filtering + Enable attaching a new user namespace to a + sandbox (--noroot option) + Enable X11 sandboxing +
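Review bot: in src_configure of the ebuild hunk, `$(use_enable network)` and the `network-restricted` line are not mutually exclusive, so with USE="-network network-restricted" econf receives both `--disable-network` and, appended after it, `--enable-network=restricted`; an autoconf-generated configure keeps the last value given for an option, so a user who switched networking off still gets restricted networking compiled into the SUID binary. Declare the dependency, e.g. `REQUIRED_USE="network-restricted? ( network )"`, or pass a single value, e.g. `use network && myeconfargs+=( --enable-network=$(usex network-restricted restricted yes) )` with `--disable-network` in the else branch. Two smaller points: `PATCHES` references `${FILESDIR}/${P}-sysmacros.patch`, which this commit does not add (the diffstat lists only the ebuild and metadata.xml), so it has to be present already from the previous revision; and `inherit eutils` looks unused in EAPI 6, where `default` in src_prepare applies `PATCHES` through eapply. Finally, given the commit message's own rationale that each of these features is root-equivalent surface behind a SUID binary, the IUSE defaults `+bind +chroot +file-transfer +network +userns` with `network-restricted` off deserve a second look, at least defaulting `network-restricted` on.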
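Review bot: in the metadata.xml hunk, the description of the network-restricted flag should state that it only takes effect together with the network flag, because the ebuild passes `--enable-network=restricted` in addition to, not instead of, `$(use_enable network)`; as written the two descriptions read as independent choices. The bind, chroot and file-transfer descriptions say what each feature enables but not that it is exposed to unprivileged users through the SUID binary, which is the reason the commit message gives for making them configurable; a short note to that effect would help users decide which flags to turn off.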