* [gentoo-commits] proj/musl:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2016-01-21 22:56 Anthony G. Basile
From: Anthony G. Basile @ 2016-01-21 22:56 UTC
To: gentoo-commits
commit: 90225ea32c41056dc22f7a9c5d038d4f773b98ab
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 21 23:04:39 2016 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Jan 21 23:04:39 2016 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=90225ea3
sys-apps/sandbox: bump to 2.10
Package-Manager: portage-2.2.26
RepoMan-Options: --force
sys-apps/sandbox/Manifest | 4 +
.../sandbox/files/sandbox-2.10-disable-same.patch | 77 ++++++++++++
.../files/sandbox-2.10-memory-corruption.patch | 42 +++++++
sys-apps/sandbox/sandbox-2.10-r99.ebuild | 129 +++++++++++++++++++++
4 files changed, 252 insertions(+)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index ee7e77a..4c3a3bd 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -1,4 +1,6 @@
AUX 09sandbox 37 SHA256 73e9e9d12ba54f1c649813ec86107924050528852c890a8ba1e2853796781bbe SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a WHIRLPOOL 80d55a34d3faf3314f2b9de2200d4b46a800128514be9e30eb59e5f03fb7a0a5197a9e5b5ab33d6b68d35bf83c86a1bd7ba734a33ccd382fe0af3b2c2a11d0bd
+AUX sandbox-2.10-disable-same.patch 2547 SHA256 09a11cf077ae69684080d1f0fd8fe83683fdf5f061e0a7a5261ca03463fd554a SHA512 bf005fbde7b6ba88df36bb75064658764e488dd2f3c96a6f92c69ad3f2e8d2db12ba2c7bafa9656326b7fde73301c330f68bd064efa0fce2a7eb28fff6ce0a1e WHIRLPOOL 27f0df961dcedc70819ecd1d0f105fb7176ecd77127ab187025d9aa52df9faa43941314c71a998dd72658105dfec4c5c6d3341dbae18e18b409af7dc6d9c31d6
+AUX sandbox-2.10-memory-corruption.patch 1515 SHA256 4876cc9962d56d3c5fc5418fe12ef1a399e34ff0272f12640c4a5c5b775e8888 SHA512 1eb650824cc7a876fabef382cafb451a507326a8422fb7bb5014699046b64ea8f4cf2bba9efcb75d7a2eac4eff493d06153422f85c119f49635ac0840071660c WHIRLPOOL db2c834119c7887ed746154e73e88cc09bf2a31184b3cda2732b70cb43dd8bc7f59f1072a4cc56ebcf593ba67330b9888832dc186ee55e009428d607f62293ab
AUX sandbox-2.6-check-empty-paths-at.patch 7454 SHA256 a48759a4d3e9a70713473b6fad59bdd750b5cd37e7d632c786205ff20004ae2c SHA512 5eba7915dedf57f44c37881e9c6b48db8733d1493779a33127d08bb9ea77056d788ec9ace72c13eb101f42f01c95309c7cebca6c76212a8c99a8655372c0b7d7 WHIRLPOOL 46eb3a8ef8f22030cd793f3b16adc190b5750019c0df83e161c6918f08555a8ad890c1425b03cbf7e53ebcd34a07a9dd9b594d0c0fe31834656ffce3d58fa284
AUX sandbox-2.6-desktop.patch 875 SHA256 2eecf67790aeac210f9aa899a86f7664776ed65d9b55159e1b359162dfb9ff74 SHA512 b72ec7f414d19bf513dfb1aea10523fa5dc07a1375d8f08f664d204b64b23c891a79ca14987528c595936f441e1f595b366aabbc57313667c7639d73d089ed9a WHIRLPOOL 7f787b8be9b5712eb2b2a0cd2ff825df1045ebf1cc4e73a50f610e620d30752045690a5c28835465d0ab0c3c4a9eaf8b92a5c123cd741ad69dfedb31aa457fa0
AUX sandbox-2.6-include-PROTECTED-symbols.patch 569 SHA256 6edd24b329fd9908005e8566002f213d2799375ad4fced483be4707ddf0570ed SHA512 d96644fc48ec70f992bef55ccae03c0034bfb669586b8257a2c74f1cf0b78f2fbfebc2417ac62cd15841cc5e973272962252b88ca066224cf118eecf060e0d80 WHIRLPOOL f377d71928a6fb84b1e413ae2f4335fe6753d6cc056cb21fe758c8b5559330473a88098c85863c3157b0b5bec8f5530f233f1a2a659eee553c3bb07ae3633399
@@ -8,6 +10,8 @@ AUX sandbox-2.6-no-pch.patch 702 SHA256 d95a65ffe23c6c81f6b1e695f27cffc1cb617ebf
AUX sandbox-2.6-open-nofollow.patch 2027 SHA256 c8816ae4e1991f9941abd43ec4bfdbf4e99cf36ee90694f77ab88754c53785ce SHA512 dd5222f32a40def38c9719363a24c48d5b112e3560b44c5f32afc3daa0614fe9bc5cb68ca8ac69032cc8d6299f09b25d4d7c72e16892188b42768ffb28c19f07 WHIRLPOOL 03cb5fb9df04a8d7f92855c292a6c431d01d330fecae198f2c4b95d824454f10ce1ad66db1a9d54d1bef5f74989cf6debb2d98de28ee0c2c6a09c1a0752b5519
AUX sandbox-2.6-static-close-fd.patch 2945 SHA256 807eb4dc1ba6543c94a90a9a53bb89f42079ea20ed7c196f82d65f280e5de96a SHA512 e2f57c4d80816241f3ba4828c2b27c67d1d604b14b2d575888a978e5c4e8e47e60e3a609d81e59c615bc5b7cee6194cc362e255ae8508f632862a35180c30de8 WHIRLPOOL e08f60227fe954894d3a3a01297e9988f4d7722ea75ffbd2b0f3971d38c8ce00af230fcaecb1f53243a868d54f48bb680e2d547bbeb2ee3e5a11f8942d2084fd
AUX sandbox-2.6-trace-hppa.patch 850 SHA256 20688b2f33162f95af4af5e3c7d3700f2e7776e454b785ac1398f0870f84efa9 SHA512 fb7bf2202f960e952edc1e52fe4b6b085042158223d96b9baa899e871abcdef711ede3122c971120f55f71cc1aad71496a6079222dbaaa6c14b0c6f7ea182454 WHIRLPOOL 80f7fb529b912d19d81b9d71ee4a648db7b217583f2e8f2054cc666839030ea7d0112d69d52a2bf35c4d3549ffbd81dbd0cd39d5993bfabbb43bcb6a4455ade4
+DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192
DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
+EBUILD sandbox-2.10-r99.ebuild 2840 SHA256 338358721cd45193b40b8d9338b57e579dbcee412091dd2e2ed6652dc0d214ff SHA512 88f8e227c670c96f3c9bda50d6c92bd08821112b77d05274e4a96e8aa11007b5dffd4564d89b27b6f68b2afa8937e78a4a71ee9eec2d7320cc07a88e8a2b2986 WHIRLPOOL bf0ed5ba0a94d2cffb73b8b8a799dee99543b36c89ff643d7fc9dab6cb4c7638df879419987a78e60b6e812d2e5e986e02b1278b23e9e8c40272cf0755f66c2f
EBUILD sandbox-2.6-r999.ebuild 3391 SHA256 c4756c9265bc272f82bb6ad7221e15c3d28c9987ec5fb53e9957f02b44dcbf8b SHA512 a7b34f6fab52348f6024d2b719e01067d88c7b30fff4d73b361a5d24042c401e2b65ad3039256dd0c033ee2e3528e39d5988b0a40ec523eadb4a5da679b72503 WHIRLPOOL c80cc5e94914c56e528492cdb042bf79c8cc33d664a19aa38e981d8e453245412b5b4439e4374f1d7d023b0ec050abd641f675a718172012017f0b065e9112b5
MISC metadata.xml 316 SHA256 488f8a1ba1e1d07a159d22ac198aefee5dfa9ded04de2969019f177161abef1b SHA512 2b4ddea0bb5a40cac834a09b89624049b8561a4a4f648b4d5072c413d4eca78b5cc24859664fa746be36c8b60188e88f2ae38c2c5af30d91dc6273c0f85de278 WHIRLPOOL 64ed27fc7abb1b3b82621f6bb91f03d0070933d0423f9d323ac803354fc6acf2182df1dd85a083fa047d63561a5e92d44287ef4935a11a733244d4393edf8f6f
diff --git a/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch b/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
new file mode 100644
index 0000000..296b322
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
@@ -0,0 +1,77 @@
+From 7a923f646ce10b7dec3c7ae5fe2079c10aa21752 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sun, 20 Dec 2015 16:08:16 -0500
+Subject: [PATCH] libsbutil: gnulib: hand disable same_name usage
+
+We don't provide same_name because the one caller we don't use, but it
+relies on gc-sections to avoid link errors. That flag doesn't work on
+ia64 though, so we need to hand delete the one caller. Ugh.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsbutil/gnulib/hash-triple.c | 9 ---------
+ libsbutil/gnulib/same.h | 25 -------------------------
+ 2 files changed, 34 deletions(-)
+ delete mode 100644 libsbutil/gnulib/same.h
+
+diff --git a/libsbutil/gnulib/hash-triple.c b/libsbutil/gnulib/hash-triple.c
+index c3b6d9f..06cfbdf 100644
+--- a/libsbutil/gnulib/hash-triple.c
++++ b/libsbutil/gnulib/hash-triple.c
+@@ -24,7 +24,6 @@
+ #include <string.h>
+
+ #include "hash-pjw.h"
+-#include "same.h"
+ #include "same-inode.h"
+
+ #define STREQ(a, b) (strcmp (a, b) == 0)
+@@ -52,14 +51,6 @@ triple_hash_no_name (void const *x, size_t table_size)
+
+ /* Compare two F_triple structs. */
+ bool
+-triple_compare (void const *x, void const *y)
+-{
+- struct F_triple const *a = x;
+- struct F_triple const *b = y;
+- return (SAME_INODE (*a, *b) && same_name (a->name, b->name)) ? true : false;
+-}
+-
+-bool
+ triple_compare_ino_str (void const *x, void const *y)
+ {
+ struct F_triple const *a = x;
+diff --git a/libsbutil/gnulib/same.h b/libsbutil/gnulib/same.h
+deleted file mode 100644
+index ee313c5..0000000
+--- a/libsbutil/gnulib/same.h
++++ /dev/null
+@@ -1,25 +0,0 @@
+-/* Determine whether two file names refer to the same file.
+-
+- Copyright (C) 1997-2000, 2003-2004, 2009-2015 Free Software Foundation, Inc.
+-
+- This program is free software: you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published by
+- the Free Software Foundation; either version 3 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program. If not, see <http://www.gnu.org/licenses/>. */
+-
+-#ifndef SAME_H_
+-# define SAME_H_ 1
+-
+-# include <stdbool.h>
+-
+-bool same_name (const char *source, const char *dest);
+-
+-#endif /* SAME_H_ */
+--
+2.6.2
+
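Review bot: In the hash-triple.c hunk, triple_compare is deleted from the .c file, but the diffstat lists only hash-triple.c and same.h, so any prototype for triple_compare in the matching header is left in place and a later caller would compile cleanly and fail only at link time. Remove or guard the declaration in the same patch. Because these are hand edits to imported gnulib files, a comment at the deletion site would keep the next gnulib resync from silently restoring the `#include "same.h"` line and the deleted function.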
diff --git a/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch b/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
new file mode 100644
index 0000000..7dd27c9
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
@@ -0,0 +1,42 @@
+From 529a388ebb1b4e9d6ad8a1bb61dd8211833a5976 Mon Sep 17 00:00:00 2001
+From: Denis Lisov <dennis.lissov@gmail.com>
+Date: Sat, 19 Dec 2015 19:13:58 +0300
+Subject: [PATCH] libsandbox: fix old_malloc_size check on realloc
+
+Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
+while it is really the mmap size, which is greater. Thus it may fail
+to reallocate even if required.
+
+URL: https://bugs.gentoo.org/568714
+Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/memory.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libsandbox/memory.c b/libsandbox/memory.c
+index 8581128..a2d69a2 100644
+--- a/libsandbox/memory.c
++++ b/libsandbox/memory.c
+@@ -40,7 +40,8 @@ static int sb_munmap(void *addr, size_t length)
+
+ #define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
+ #define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
+-#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
++#define SB_MALLOC_TO_MMAP_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
++#define SB_MALLOC_TO_SIZE(ptr) (SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN)
+
+ void *malloc(size_t size)
+ {
+@@ -57,7 +58,7 @@ void free(void *ptr)
+ {
+ if (ptr == NULL)
+ return;
+- if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_SIZE(ptr)))
++ if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_MMAP_SIZE(ptr)))
+ sb_ebort("sandbox memory corruption with free(%p): %s\n",
+ ptr, strerror(errno));
+ }
+--
+2.6.2
+
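Review bot: In the macro hunk of libsandbox/memory.c, SB_MALLOC_TO_SIZE now evaluates `SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN` on a size_t with no lower bound, so a stored header value smaller than MIN_ALIGN wraps to a very large usable size and a size comparison in realloc would then wrongly conclude the block is big enough. Treat a stored size below MIN_ALIGN as corruption and abort through sb_ebort, the way free() already does when munmap fails. A one-line comment above the two macros stating that the header stores the full mmap length, header included, would document the distinction this fix depends on. The realloc call site is not part of this diff, so the fix cannot be confirmed from these hunks alone; a regression test for bug 568714 would close that gap.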
diff --git a/sys-apps/sandbox/sandbox-2.10-r99.ebuild b/sys-apps/sandbox/sandbox-2.10-r99.ebuild
new file mode 100644
index 0000000..71c40e7
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.10-r99.ebuild
@@ -0,0 +1,129 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc x86"
+IUSE="multilib"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+EMULTILIB_PKG="true"
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+}
+
+sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
+
+sb_foreach_abi() {
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ cd "${WORKDIR}/build-${ABI}"
+ einfo "Running $1 for ABI=${ABI}..."
+ "$@"
+ done
+ ABI=${OABI}
+}
+
+src_unpack() {
+ unpacker
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
+ epatch "${FILESDIR}"/${P}-disable-same.patch
+ epatch "${FILESDIR}"/${PN}-2.6-musl.patch
+ epatch_user
+}
+
+sb_configure() {
+ mkdir "${WORKDIR}/build-${ABI}"
+ cd "${WORKDIR}/build-${ABI}"
+
+ use multilib && multilib_toolchain_setup ${ABI}
+
+ local myconf=()
+ host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="${S}" \
+ econf ${myconf} || die
+}
+
+sb_compile() {
+ emake || die
+}
+
+src_compile() {
+ filter-lfs-flags #90228
+
+ # Run configures in parallel!
+ multijob_init
+ local OABI=${ABI}
+ for ABI in $(sb_get_install_abis) ; do
+ multijob_child_init sb_configure
+ done
+ ABI=${OABI}
+ multijob_finish
+
+ sb_foreach_abi sb_compile
+}
+
+sb_test() {
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
+}
+
+src_test() {
+ sb_foreach_abi sb_test
+}
+
+sb_install() {
+ emake DESTDIR="${D}" install || die
+ insinto /etc/sandbox.d #333131
+ doins etc/sandbox.d/00default || die
+}
+
+src_install() {
+ sb_foreach_abi sb_install
+
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+
+ local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ elog ${old//${ROOT}}
+ find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
+ fi
+}
+
+pkg_postinst() {
+ chmod 0755 "${ROOT}"/etc/sandbox.d #265376
+}
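Review bot: In sb_configure, `econf ${myconf} || die` expands only the first element of the myconf array, so any option appended after --disable-pch would be dropped without an error; pass "${myconf[@]}" instead. In the same function the mkdir and cd into "${WORKDIR}/build-${ABI}" are unchecked, as is the cd in sb_foreach_abi, so a failure there runs the following steps in the wrong directory; add `|| die` to each. The file sets no EAPI, which leaves it at EAPI 0 where install helpers do not die on their own, yet doenvd, keepdir, fowners, fperms and dodoc in src_install have no `|| die`; a failed fowners or fperms would leave /var/log/sandbox with permissions other than the intended root:portage 0770.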
* [gentoo-commits] proj/musl:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2016-11-17 21:44 Aric Belsito
From: Aric Belsito @ 2016-11-17 21:44 UTC
To: gentoo-commits
commit: 4f0abbb2c7f8caf10202fb15310a02079d6296db
Author: Aric Belsito <lluixhi <AT> gmail <DOT> com>
AuthorDate: Thu Nov 17 21:43:18 2016 +0000
Commit: Aric Belsito <lluixhi <AT> gmail <DOT> com>
CommitDate: Thu Nov 17 21:43:18 2016 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=4f0abbb2
sys-apps/sandbox: Update to 2.11-r3
Drop 2.6-r999 (all of the architectures we support are also stable in 2.10-r1)
Drop r99 prefix.
sys-apps/sandbox/Manifest | 16 +-
.../sandbox/files/sandbox-2.11-exec-prelink.patch | 107 +++++++++++
sys-apps/sandbox/files/sandbox-2.11-musl.patch | 48 +++++
.../files/sandbox-2.6-check-empty-paths-at.patch | 201 ---------------------
sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 ---
.../sandbox-2.6-include-PROTECTED-symbols.patch | 12 --
sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ------
sys-apps/sandbox/files/sandbox-2.6-no-pch.patch | 29 ---
.../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ------
.../files/sandbox-2.6-static-close-fd.patch | 93 ----------
.../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 ---
...dbox-2.10-r99.ebuild => sandbox-2.10-r1.ebuild} | 6 +-
sys-apps/sandbox/sandbox-2.11-r3.ebuild | 89 +++++++++
sys-apps/sandbox/sandbox-2.6-r999.ebuild | 138 --------------
14 files changed, 252 insertions(+), 649 deletions(-)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 606c12d..4a8977c 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -2,17 +2,11 @@ AUX 09sandbox 37 SHA256 73e9e9d12ba54f1c649813ec86107924050528852c890a8ba1e28537
AUX sandbox-2.10-disable-same.patch 2547 SHA256 09a11cf077ae69684080d1f0fd8fe83683fdf5f061e0a7a5261ca03463fd554a SHA512 bf005fbde7b6ba88df36bb75064658764e488dd2f3c96a6f92c69ad3f2e8d2db12ba2c7bafa9656326b7fde73301c330f68bd064efa0fce2a7eb28fff6ce0a1e WHIRLPOOL 27f0df961dcedc70819ecd1d0f105fb7176ecd77127ab187025d9aa52df9faa43941314c71a998dd72658105dfec4c5c6d3341dbae18e18b409af7dc6d9c31d6
AUX sandbox-2.10-fix-visibility-musl.patch 573 SHA256 67f70fa39867eeeee45b343db78c73fdb6e63b8a1b52d3dc288894402239dd12 SHA512 a740e0b1a68c0609dc3080e88ab8ab87885fe05f5e0864d10ed76e8e7000f7879cb206342c38d4097c691a7c85d1936e98802b206084eb2af9f78bd43158d759 WHIRLPOOL 0c226daa4b6d36c2df001d3d67b9e4023944c5b010d1bc311d731c121dd94b533546479a7b1b77bcb8be608ecf70508fb7dd65b22bafdb2d13a2860c9c0659da
AUX sandbox-2.10-memory-corruption.patch 1515 SHA256 4876cc9962d56d3c5fc5418fe12ef1a399e34ff0272f12640c4a5c5b775e8888 SHA512 1eb650824cc7a876fabef382cafb451a507326a8422fb7bb5014699046b64ea8f4cf2bba9efcb75d7a2eac4eff493d06153422f85c119f49635ac0840071660c WHIRLPOOL db2c834119c7887ed746154e73e88cc09bf2a31184b3cda2732b70cb43dd8bc7f59f1072a4cc56ebcf593ba67330b9888832dc186ee55e009428d607f62293ab
-AUX sandbox-2.6-check-empty-paths-at.patch 7454 SHA256 a48759a4d3e9a70713473b6fad59bdd750b5cd37e7d632c786205ff20004ae2c SHA512 5eba7915dedf57f44c37881e9c6b48db8733d1493779a33127d08bb9ea77056d788ec9ace72c13eb101f42f01c95309c7cebca6c76212a8c99a8655372c0b7d7 WHIRLPOOL 46eb3a8ef8f22030cd793f3b16adc190b5750019c0df83e161c6918f08555a8ad890c1425b03cbf7e53ebcd34a07a9dd9b594d0c0fe31834656ffce3d58fa284
-AUX sandbox-2.6-desktop.patch 875 SHA256 2eecf67790aeac210f9aa899a86f7664776ed65d9b55159e1b359162dfb9ff74 SHA512 b72ec7f414d19bf513dfb1aea10523fa5dc07a1375d8f08f664d204b64b23c891a79ca14987528c595936f441e1f595b366aabbc57313667c7639d73d089ed9a WHIRLPOOL 7f787b8be9b5712eb2b2a0cd2ff825df1045ebf1cc4e73a50f610e620d30752045690a5c28835465d0ab0c3c4a9eaf8b92a5c123cd741ad69dfedb31aa457fa0
-AUX sandbox-2.6-include-PROTECTED-symbols.patch 569 SHA256 6edd24b329fd9908005e8566002f213d2799375ad4fced483be4707ddf0570ed SHA512 d96644fc48ec70f992bef55ccae03c0034bfb669586b8257a2c74f1cf0b78f2fbfebc2417ac62cd15841cc5e973272962252b88ca066224cf118eecf060e0d80 WHIRLPOOL f377d71928a6fb84b1e413ae2f4335fe6753d6cc056cb21fe758c8b5559330473a88098c85863c3157b0b5bec8f5530f233f1a2a659eee553c3bb07ae3633399
-AUX sandbox-2.6-log-var.patch 2039 SHA256 f464a29cdd9de0c510277310f4febc8f96515ff2ff03fc92df1c75b9cbd75619 SHA512 cf6f900b4078eff5870b63b2bc7c81c5b00488e030d7e9ce3007693e9d1339ac6201ddacfaff552c6c9b99b6d32383229133c80190404b7e4fde06ad376b2050 WHIRLPOOL db99737a6567788194f7b37b12b92fcfb4c263df40f40aef9e0a3ef2b6a1523331313b791fffa2b26775b646795364ab1db1711eb4329cda3337df27aebfeffa
+AUX sandbox-2.11-exec-prelink.patch 4960 SHA256 a8dda45a024a42b7b6fbc2ee49a461879eb866ab915c268079704e1698dd0cef SHA512 9bccda3a940aa95d7542c23e3eeb3b58326bc81920fdcfa6dd3e3c40de5ca9c47948f93afe9e58753b6cf3af10342bf581116f038b29c9fa5c25fd0027c5551c WHIRLPOOL 0e99a04fe636287570ad31998c93b9be8eceeb7a6619f18089d7f4a2df4b9c400874ea132a6e8a3855fbee439607d7e7e583fcad3ef4a0fee0cc46b0b5943bf5
+AUX sandbox-2.11-musl.patch 1851 SHA256 1f2586e81a06daf7b69642d9c5fbf53563832a4ccd769ec696d9c2baabd2874c SHA512 2800191fbf312d9b8858ef29975355ae51a4aff05ccc7c425f5168fe2db24562e4cf164e8ee35ecc77e0777be9d37cc52d66fdd4bf3eaeb0fc4c68c240a0cb61 WHIRLPOOL 9c2abfcd5f68391c4890beeaf99020a9160635c888de7b45238174e7ac51ffac393150698feb0061fd3104e71a6825f9be98e5495a415ede8d2493a77f3e35e8
AUX sandbox-2.6-musl.patch 1821 SHA256 df08faebffbfade91a2620ff8b56c2087e4a34506fbff3dcf9bc35c2d5bd467c SHA512 69d11e80c97a844c0d84404e802950c876edda8eb7909c90f6f5d4b3fe8a33b5bc884ecc3741c10c8bd7e0871db2db1853cfac969a153d162423b3f3c94039c9 WHIRLPOOL 7120eaf3062cb18c3b13a61fe2b6f839a5f267650d9aa809fafc6d25e8faaadd7af3d5fb41cce66ecf71668555847d264ea977442f03f4dfe7b88b98cf86f78e
-AUX sandbox-2.6-no-pch.patch 702 SHA256 d95a65ffe23c6c81f6b1e695f27cffc1cb617ebf62ca467c8eae5e4c3771089b SHA512 2269b806c2b04c0891644c694d2e0cb87b3ad9236457add50df58d3af62ca5daf17e8b599d0190b4efcae7e84ba99308ea4b0f4a1482d08314d4f3b64bdaf884 WHIRLPOOL 343b62bcf88b0491d69b507eb2feb02b21e9e66cb9006c2043fcaee87f461b3228d37e9053f092e32fff4eb73b14db32a262b79c7430cddf0ddde6f90958e21b
-AUX sandbox-2.6-open-nofollow.patch 2027 SHA256 c8816ae4e1991f9941abd43ec4bfdbf4e99cf36ee90694f77ab88754c53785ce SHA512 dd5222f32a40def38c9719363a24c48d5b112e3560b44c5f32afc3daa0614fe9bc5cb68ca8ac69032cc8d6299f09b25d4d7c72e16892188b42768ffb28c19f07 WHIRLPOOL 03cb5fb9df04a8d7f92855c292a6c431d01d330fecae198f2c4b95d824454f10ce1ad66db1a9d54d1bef5f74989cf6debb2d98de28ee0c2c6a09c1a0752b5519
-AUX sandbox-2.6-static-close-fd.patch 2945 SHA256 807eb4dc1ba6543c94a90a9a53bb89f42079ea20ed7c196f82d65f280e5de96a SHA512 e2f57c4d80816241f3ba4828c2b27c67d1d604b14b2d575888a978e5c4e8e47e60e3a609d81e59c615bc5b7cee6194cc362e255ae8508f632862a35180c30de8 WHIRLPOOL e08f60227fe954894d3a3a01297e9988f4d7722ea75ffbd2b0f3971d38c8ce00af230fcaecb1f53243a868d54f48bb680e2d547bbeb2ee3e5a11f8942d2084fd
-AUX sandbox-2.6-trace-hppa.patch 850 SHA256 20688b2f33162f95af4af5e3c7d3700f2e7776e454b785ac1398f0870f84efa9 SHA512 fb7bf2202f960e952edc1e52fe4b6b085042158223d96b9baa899e871abcdef711ede3122c971120f55f71cc1aad71496a6079222dbaaa6c14b0c6f7ea182454 WHIRLPOOL 80f7fb529b912d19d81b9d71ee4a648db7b217583f2e8f2054cc666839030ea7d0112d69d52a2bf35c4d3549ffbd81dbd0cd39d5993bfabbb43bcb6a4455ade4
DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192
-DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03
-EBUILD sandbox-2.10-r99.ebuild 2893 SHA256 f712e1579b98cd446eeb6d0bd64f6e6520d75b320461443c88c3b607e25b622b SHA512 ca0012cbcf7d30e4904f98637c634cff54daeb6738794cb45eb4ac6503e59ef030170bf4e8e81cb22698062bfe7f34ffb5b31d6313600598fd9371b2088fbab7 WHIRLPOOL 725300847146e0bafbb6ac29d8083bc711e3acdd584f24b38ed4c5bb1bf5b1539cc627c2707217118c7f5edd148289c6dfadf036fc66039ef43af15952093d7b
-EBUILD sandbox-2.6-r999.ebuild 3284 SHA256 e80a83d97cf2f224060f4510f434692bf6d504a22f70d29a3dc79d28309cd94d SHA512 9d3b2d8fe30d3f06c01c609e1a104c6f72514ff3354b438dd611746151aae540ef4fdf9e500f75c3f84c68fa25cc852bf73b7ada71507bd71c903302bda18f84 WHIRLPOOL 77b9c54e8bc545589afe047b0c074a36c991f8a8651a6116ff2847e59efcaf2f319dbd00d235712d5c7f03c310bff66a1cacf67296b3e321797bdc2dd1cf32c0
+DIST sandbox-2.11.tar.xz 423492 SHA256 a1cb203f95057176ca0c5b53b8b9dafd41d1b64a6cf5039a9e1fb4a51b17f237 SHA512 0aa6c773c109749180442d1a46d1b957dea0c30f893e4be1ac0b410e1aad48fdd2972ec591aa2da3a0c74b32d2b7bd51b7c2263bd7b26f8a34bb762d8a48ea0b WHIRLPOOL a2222cc778f2181473cf23b46a62257e5f3857edebb457dcf230f02da0d153e38a28f78a20dee67c9e564c10239d8bd6982a6e894de666f6eff4550f7ad8cdee
+EBUILD sandbox-2.10-r1.ebuild 2977 SHA256 2b308bd2634a1a30e8438d41e141aee5119d0ae23b493bbb092f76c471af0d81 SHA512 15e3f29bf3397201410f7f364346efaa6d3d75350ab1ff2dabdb246dde71ee8c5ceeef1e9e4c3913d64808eb8783aceead74a92c2f182f793b57d90c1b183e6f WHIRLPOOL 8f95e1726ddd28343850da33f4ca98216ea1e03f574c9d808903015ea9f82023b2b6e655106e17786dac8c0b74c3e33346c28638644dc71fdaacf5f6481414c1
+EBUILD sandbox-2.11-r3.ebuild 2292 SHA256 bc3aa5961068eeb5ee95b19a508d0777fbfd8563f0abc722076e1a73a961d8ae SHA512 2fb4116f9f5d4bae5238c0a47625919cbb9e4637cf7f850913a1ac8ca11116ec99b72ab1e4f1091f44609185ee5ff4becae5432610fe4a7de8524893373fcf7e WHIRLPOOL 98fbe03a94a7de9f180f82b63b72f2ecb3bae35d2971e500e0de417994ae8f7052adc9a9b47e5c248bed7f0cfadbf140d4e53588e8da74dddec2d88104fb3e8e
MISC metadata.xml 331 SHA256 593acb3cb5d82507c93a39cc745aebf1aa453683a039ff7d7f9d12ad9ed042a4 SHA512 f112b562f8b2a1022c0f4eac7a0e55369046d1d7d6052ab1514d841c968fc8cb33e9c337326db23a5944f3f43a676d4743dec4413ddd6e7f5c6cf63c82969675 WHIRLPOOL 0e306bda54e820ed6883b47ea0e305c5a361a88047b8f6ccd1ba621e1ef7bec08809019e638949e05e892e3d3eeffe48568b6e31e1db8071ca9932b0ea2d9f2e
diff --git a/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch
new file mode 100644
index 0000000..067824f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-exec-prelink.patch
@@ -0,0 +1,107 @@
+From 5628d830548e91819953d2d14397170e219df7c6 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 16 Nov 2016 15:59:28 -0500
+Subject: [PATCH] libsandbox: fix symtab walking with prelinked ELFs
+
+When prelink runs on an ELF, it moves the string table from right
+after the symbol table to the end, and then replaces the string
+table with its liblist table. This ends up breaking sandbox's
+assumption that the string table always follows the symbol table
+leading to prelinked ELFs crashing.
+
+Update the range check to use the liblist table when available.
+Since the prelink code has this logic hardcoded (swapping the
+string table for the liblist table), this should be OK for now.
+
+URL: https://bugs.gentoo.org/599894
+Reported-by: Anders Larsson <anders.gentoo@larsson.xyz>
+Reported-by: Kenton Groombridge <rustyvega@comcast.net>
+Reported-by: Marien Zwart <marien.zwart@gmail.com>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/wrapper-funcs/__wrapper_exec.c | 39 ++++++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/libsandbox/wrapper-funcs/__wrapper_exec.c b/libsandbox/wrapper-funcs/__wrapper_exec.c
+index d372366c5478..226c0c0f4407 100644
+--- a/libsandbox/wrapper-funcs/__wrapper_exec.c
++++ b/libsandbox/wrapper-funcs/__wrapper_exec.c
+@@ -83,8 +83,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ ({ \
+ Elf##n##_Ehdr *ehdr = (void *)elf; \
+ Elf##n##_Phdr *phdr = (void *)(elf + ehdr->e_phoff); \
+- Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0; \
+- Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0; \
++ Elf##n##_Addr vaddr, filesz, vsym = 0, vstr = 0, vhash = 0, vliblist = 0; \
++ Elf##n##_Off offset, symoff = 0, stroff = 0, hashoff = 0, liblistoff = 0; \
+ Elf##n##_Dyn *dyn; \
+ Elf##n##_Sym *sym, *symend; \
+ uint##n##_t ent_size = 0, str_size = 0; \
+@@ -102,11 +102,12 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ dyn = (void *)(elf + phdr[i].p_offset); \
+ while (dyn->d_tag != DT_NULL) { \
+ switch (dyn->d_tag) { \
+- case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \
+- case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
+- case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
+- case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
+- case DT_HASH: vhash = dyn->d_un.d_val; break; \
++ case DT_SYMTAB: vsym = dyn->d_un.d_val; break; \
++ case DT_SYMENT: ent_size = dyn->d_un.d_val; break; \
++ case DT_STRTAB: vstr = dyn->d_un.d_val; break; \
++ case DT_STRSZ: str_size = dyn->d_un.d_val; break; \
++ case DT_HASH: vhash = dyn->d_un.d_val; break; \
++ case DT_GNU_LIBLIST: vliblist = dyn->d_un.d_val; break; \
+ } \
+ ++dyn; \
+ } \
+@@ -126,6 +127,8 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ stroff = offset + (vstr - vaddr); \
+ if (vhash >= vaddr && vhash < vaddr + filesz) \
+ hashoff = offset + (vhash - vaddr); \
++ if (vliblist >= vaddr && vliblist < vaddr + filesz) \
++ liblistoff = offset + (vliblist - vaddr); \
+ } \
+ \
+ /* Finally walk the symbol table. This should generally be fast as \
+@@ -133,19 +136,33 @@ static bool sb_check_exec(const char *filename, char *const argv[])
+ * out there do not export any symbols at all. \
+ */ \
+ if (symoff && stroff) { \
+- /* Hash entries are always 32-bits. */ \
+- uint32_t *hashes = (void *)(elf + hashoff); \
+ /* Nowhere is the # of symbols recorded, or the size of the symbol \
+ * table. Instead, we do what glibc does: use the sysv hash table \
+ * if it exists, else assume that the string table always directly \
+ * follows the symbol table. This seems like a poor assumption to \
+- * make, but glibc has gotten by this long. \
++ * make, but glibc has gotten by this long. See determine_info in \
++ * glibc's elf/dl-addr.c. \
++ * \
++ * Turns out prelink will violate that assumption. Fortunately it \
++ * will insert its liblist at the same location all the time -- it \
++ * replaces the string table with its liblist table. \
++ * \
++ * Long term, we should behave the same as glibc and walk the gnu \
++ * hash table first before falling back to the raw symbol table. \
+ * \
+ * We don't sanity check the ranges here as you aren't executing \
+ * corrupt programs in the sandbox. \
+ */ \
+ sym = (void *)(elf + symoff); \
+- symend = vhash ? (sym + hashes[1]) : (void *)(elf + stroff); \
++ if (vhash) { \
++ /* Hash entries are always 32-bits. */ \
++ uint32_t *hashes = (void *)(elf + hashoff); \
++ symend = sym + hashes[1]; \
++ } else if (vliblist) \
++ symend = (void *)(elf + liblistoff); \
++ else \
++ symend = (void *)(elf + stroff); \
++ \
+ while (sym < symend) { \
+ char *symname = (void *)(elf + stroff + sym->st_name); \
+ if (ELF##n##_ST_VISIBILITY(sym->st_other) == STV_DEFAULT && \
+--
+2.10.2
+
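Review bot: In the last hunk of __wrapper_exec.c, the new branch tests `else if (vliblist)` but computes symend from liblistoff, which is assigned only when vliblist falls inside the segment range checked in the hunk before it. If DT_GNU_LIBLIST is present but outside that range, liblistoff stays 0, symend becomes elf itself, and the symbol walk is skipped with no diagnostic. Test liblistoff rather than vliblist, and hashoff rather than vhash in the first branch, where hashes[1] would otherwise be read from offset 0 of the file. Since the retained comment states that ranges are not sanity checked, bounding symend against the size of the mapped file would keep a malformed ELF from driving the walk out of bounds. The if / else if / else chain also mixes braced and unbraced arms.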
diff --git a/sys-apps/sandbox/files/sandbox-2.11-musl.patch b/sys-apps/sandbox/files/sandbox-2.11-musl.patch
new file mode 100644
index 0000000..a99dd9a
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-musl.patch
@@ -0,0 +1,48 @@
+diff -Naur sandbox-2.11.orig/headers.h sandbox-2.11/headers.h
+--- sandbox-2.11.orig/headers.h 2015-09-26 23:20:27.000000000 -0700
++++ sandbox-2.11/headers.h 2016-03-29 10:35:14.716185990 -0700
+@@ -151,9 +151,11 @@
+ #ifdef HAVE_ASM_PTRACE_H
+ # include <asm/ptrace.h>
+ #endif
++/*
+ #ifdef HAVE_LINUX_PTRACE_H
+ # include <linux/ptrace.h>
+ #endif
++*/
+ #undef FU_ia64_fpreg
+ #undef FU_pt_all_user_regs
+
+diff -Naur sandbox-2.11.orig/libsandbox/trace.c sandbox-2.11/libsandbox/trace.c
+--- sandbox-2.11.orig/libsandbox/trace.c 2016-03-29 03:01:35.000000000 -0700
++++ sandbox-2.11/libsandbox/trace.c 2016-03-29 10:32:19.581906031 -0700
+@@ -10,7 +10,7 @@
+ #include "sb_nr.h"
+
+ static long do_peekdata(long offset);
+-static long _do_ptrace(enum __ptrace_request request, const char *srequest, void *addr, void *data);
++static long _do_ptrace(int request, const char *srequest, void *addr, void *data);
+ #define do_ptrace(request, addr, data) _do_ptrace(request, #request, addr, data)
+ #define _trace_possible(data) true
+
+@@ -44,7 +44,7 @@
+ _exit(status);
+ }
+
+-static long _do_ptrace(enum __ptrace_request request, const char *srequest, void *addr, void *data)
++static long _do_ptrace(int request, const char *srequest, void *addr, void *data)
+ {
+ long ret;
+ try_again:
+diff -Naur sandbox-2.11.orig/scripts/gen_symbol_header.awk sandbox-2.11/scripts/gen_symbol_header.awk
+--- sandbox-2.11.orig/scripts/gen_symbol_header.awk 2009-08-25 22:59:48.000000000 -0700
++++ sandbox-2.11/scripts/gen_symbol_header.awk 2016-03-29 10:33:37.236471898 -0700
+@@ -161,7 +161,7 @@
+ else
+ printf("symbol_version(%s, %s, %s);\n",
+ sym_real_name, sym_index, symbol_array[2]);
+- } else {
++ } else if (!(sym_index ~ 64)) {
+ # For non-versioned libc's we use strong aliases
+ printf("strong_alias(%s, %s);\n", sym_real_name,
+ sym_index);
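Review bot: In the gen_symbol_header.awk hunk, `else if (!(sym_index ~ 64))` is an unanchored match on 64, so any symbol whose name contains 64 anywhere loses its strong_alias, and because no else arm remains nothing is emitted for it at all. State the intent in the adjacent comment and match the intended names explicitly. In headers.h the <linux/ptrace.h> include is disabled by wrapping it in a block comment for every libc instead of behind a condition, and the patch carries no description header; a short header explaining what breaks on musl would make it possible to drop or upstream the patch later.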
diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
deleted file mode 100644
index e4dc529..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 19:41:49 -0500
-Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before
- checking the dirfd
-
-When it comes to processing errors, an empty path is checked before
-an invalid dirfd. Make sure sandbox matches that behavior for the
-random testsuites out there that look for this.
-
-URL: https://bugs.gentoo.org/346929
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__pre_check.c | 2 ++
- libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------
- libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++-----------
- libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------
- libsandbox/wrappers.h | 2 ++
- tests/mkdirat-3.sh | 7 +++++++
- tests/mkdirat.at | 1 +
- tests/openat-2.sh | 9 +++++++++
- tests/openat.at | 1 +
- tests/unlinkat-4.sh | 7 +++++++
- tests/unlinkat.at | 1 +
- 11 files changed, 44 insertions(+), 35 deletions(-)
- create mode 100755 tests/mkdirat-3.sh
- create mode 100755 tests/openat-2.sh
- create mode 100755 tests/unlinkat-4.sh
-
-diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c
-index 2d5711f..28ad91f 100644
---- a/libsandbox/wrapper-funcs/__pre_check.c
-+++ b/libsandbox/wrapper-funcs/__pre_check.c
-@@ -20,3 +20,5 @@
- #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF
- # include "unlinkat_pre_check.c"
- #endif
-+
-+#include "__pre_at_check.c"
-diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-index 77a65df..0b48d1f 100644
---- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c
-@@ -1,20 +1,13 @@
- bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd)
- {
- char canonic[SB_PATH_MAX];
-- char dirfd_path[SB_PATH_MAX];
-
- save_errno();
-
-- /* Expand the dirfd path first */
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ /* Check incoming args against common *at issues */
-+ char dirfd_path[SB_PATH_MAX];
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Then break down any relative/symlink paths */
- if (-1 == canonicalize(pathname, canonic))
-diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
-index 0127708..5fd5eaa 100644
---- a/libsandbox/wrapper-funcs/openat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
-@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
-
- save_errno();
-
-- /* Expand the dirfd path first */
-+ /* Check incoming args against common *at issues */
- char dirfd_path[SB_PATH_MAX];
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Doesn't exist -> skip permission checks */
- struct stat st;
-diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-index 9f5e7d7..c004d15 100644
---- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c
-@@ -1,20 +1,13 @@
- bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd)
- {
- char canonic[SB_PATH_MAX];
-- char dirfd_path[SB_PATH_MAX];
-
- save_errno();
-
-- /* Expand the dirfd path first */
-- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) {
-- case -1:
-- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-- func, pathname, strerror(errno));
-- return false;
-- case 0:
-- pathname = dirfd_path;
-- break;
-- }
-+ /* Check incoming args against common *at issues */
-+ char dirfd_path[SB_PATH_MAX];
-+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path)))
-+ return false;
-
- /* Then break down any relative/symlink paths */
- if (-1 == canonicalize(pathname, canonic))
-diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
-index 5b97787..0aa58bb 100644
---- a/libsandbox/wrappers.h
-+++ b/libsandbox/wrappers.h
-@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn
- attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
- attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
- attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
-+attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
-+ char *dirfd_path, size_t dirfd_path_len);
-
- #endif
---
-1.8.1.2
-
-From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 19:41:49 -0500
-Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before
- checking the dirfd [missing file]
-
-When it comes to processing errors, an empty path is checked before
-an invalid dirfd. Make sure sandbox matches that behavior for the
-random testsuites out there that look for this.
-
-Forgot to `git add` in the previous commit :/.
-
-URL: https://bugs.gentoo.org/346929
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
- create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c
-
-diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c
-new file mode 100644
-index 0000000..f72c40c
---- /dev/null
-+++ b/libsandbox/wrapper-funcs/__pre_at_check.c
-@@ -0,0 +1,34 @@
-+/*
-+ * common *at() pre-checks.
-+ *
-+ * Copyright 1999-2012 Gentoo Foundation
-+ * Licensed under the GPL-2
-+ */
-+
-+/* We assume the parent has nested use with save/restore errno */
-+bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
-+ char *dirfd_path, size_t dirfd_path_len)
-+{
-+ /* the empty path name should fail with ENOENT before any dirfd
-+ * checks get a chance to run #346929
-+ */
-+ if (*pathname && *pathname[0] == '\0') {
-+ errno = ENOENT;
-+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
-+ func, *pathname, strerror(errno));
-+ return false;
-+ }
-+
-+ /* Expand the dirfd path first */
-+ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) {
-+ case -1:
-+ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n",
-+ func, *pathname, strerror(errno));
-+ return false;
-+ case 0:
-+ *pathname = dirfd_path;
-+ break;
-+ }
-+
-+ return true;
-+}
---
-1.8.1.2
-
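Review bot: in sb_common_at_pre_check the test `*pathname[0] == '\0'` parses as `*(pathname[0])`, because [] binds tighter than unary *. It only gives the intended answer here because the index is 0; writing it as `(*pathname)[0]` states what is meant and stays correct if the expression is ever copied with a different index.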
diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
deleted file mode 100644
index fbecb07..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 17 Nov 2012 14:14:26 -0500
-Subject: [PATCH] sandbox.desktop: drop .svg from Icon field
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-URL: http://bugs.gentoo.org/443672
-Reported-by: Petteri Räty <betelgeuse@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- data/sandbox.desktop | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/data/sandbox.desktop b/data/sandbox.desktop
-index 5b5b576..27a887e 100644
---- a/data/sandbox.desktop
-+++ b/data/sandbox.desktop
-@@ -5,6 +5,6 @@ Type=Application
- Comment=launch a sandboxed shell ... useful for debugging ebuilds
- Exec=sandbox
- TryExec=sandbox
--Icon=sandbox.svg
-+Icon=sandbox
- Categories=Development;
- Terminal=true
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-include-PROTECTED-symbols.patch b/sys-apps/sandbox/files/sandbox-2.6-include-PROTECTED-symbols.patch
deleted file mode 100644
index cb29a6c..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-include-PROTECTED-symbols.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Naur sandbox-2.6.orig/scripts/gen_symbol_version_map.awk sandbox-2.6/scripts/gen_symbol_version_map.awk
---- sandbox-2.6.orig/scripts/gen_symbol_version_map.awk 2009-02-20 06:29:29.000000000 +0000
-+++ sandbox-2.6/scripts/gen_symbol_version_map.awk 2015-06-08 19:29:55.727290000 +0000
-@@ -14,7 +14,7 @@
-
- # Only check FUNCtion symbols which are not LOCAL, or
- # do not have DEFAULT visibility
-- if ($4 != "FUNC" || $5 == "LOCAL" || $6 != "DEFAULT")
-+ if ($4 != "FUNC" || $5 == "LOCAL" || ($6 != "DEFAULT" && $6 != "PROTECTED"))
- next;
-
- for (x in SYMBOLS) {
diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
deleted file mode 100644
index bfea9e5..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sun, 3 Mar 2013 05:34:09 -0500
-Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values
-
-Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox
-with portage. It changed how the sandbox log env var was accessed by
-moving from getenv() to get_sandbox_log(). The latter has path checking
-and will kick out values that contain a slash. That means every time a
-new process starts, a new sandbox log path will be generated, and when a
-program triggers a violation, it'll write to the new file. Meanwhile,
-portage itself watches the original one which never gets updated.
-
-This code has been around forever w/out documentation, and I can't think
-of a reason we need it. So punt it.
-
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsbutil/get_sandbox_log.c | 14 +++++---------
- 1 file changed, 5 insertions(+), 9 deletions(-)
-
-diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c
-index a79b399..bdb4278 100644
---- a/libsbutil/get_sandbox_log.c
-+++ b/libsbutil/get_sandbox_log.c
-@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c
-
- sandbox_log_env = getenv(env);
-
-- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) {
-- /* When testing, just use what the env says to */
-+ if (sandbox_log_env) {
-+ /* If the env is viable, roll with it. We aren't really
-+ * about people breaking the security of the sandbox by
-+ * exporting SANDBOX_LOG=/dev/null.
-+ */
- strncpy(path, sandbox_log_env, SB_PATH_MAX);
- } else {
-- /* THIS CHUNK BREAK THINGS BY DOING THIS:
-- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log
-- */
-- if ((NULL != sandbox_log_env) &&
-- (NULL != strchr(sandbox_log_env, '/')))
-- sandbox_log_env = NULL;
--
- snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s",
- SANDBOX_LOG_LOCATION, prefix,
- (sandbox_log_env == NULL ? "" : sandbox_log_env),
---
-1.8.1.2
-
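Review bot: with the ENV_SANDBOX_TESTING condition removed, `strncpy(path, sandbox_log_env, SB_PATH_MAX)` now runs for any value of the log variable, and strncpy leaves path without a terminating NUL when the value is SB_PATH_MAX bytes or longer. Use the same snprintf(path, SB_PATH_MAX, "%s", ...) form as the else branch, or terminate path explicitly after the copy. The new comment also reads as if a word is missing ("We aren't really about people breaking ..."); spell out the intended policy, since this is the line that decides to trust an environment-supplied log path.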
diff --git a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
deleted file mode 100644
index fe22749..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-gcc crashes when trying to use pch under hardened kernels
-
-http://bugs.gentoo.org/425524
-
---- Makefile.in
-+++ Makefile.in
-@@ -300,7 +300,7 @@
- src \
- tests
-
--SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch
-+SANDBOX_PCH =
- BUILT_SOURCES = $(SANDBOX_PCH)
- noinst_LTLIBRARIES = libpch.la
- nodist_libpch_la_SOURCES = $(SANDBOX_PCH)
-@@ -862,10 +862,9 @@
- $(builddir)/headers.h.gch: headers.h
- $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP)
-
--libsbutil: libsbutil/headers.h.gch
--libsandbox: libsbutil libsandbox/headers.h.gch
--src: libsbutil headers.h.gch
--tests: src headers.h.gch
-+libsandbox: libsbutil
-+src: libsbutil
-+tests: src
-
- ChangeLog:
- touch ChangeLog
diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
deleted file mode 100644
index 0101ece..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Mon, 24 Dec 2012 18:46:29 -0500
-Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)
-
-We don't check for O_NOFOLLOW in the open wrappers, so we end up
-returning the wrong error when operating on broken symlinks.
-
-URL: https://bugs.gentoo.org/413441
-Reported-by: Marien Zwart <marienz@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/wrapper-funcs/__64_post.h | 1 +
- libsandbox/wrapper-funcs/__64_pre.h | 1 +
- libsandbox/wrapper-funcs/openat_pre_check.c | 2 +-
- tests/open-2.sh | 10 ++++++++++
- tests/open.at | 1 +
- 5 files changed, 14 insertions(+), 1 deletion(-)
- create mode 100755 tests/open-2.sh
-
-diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
-index 2fd2182..82d2a16 100644
---- a/libsandbox/wrapper-funcs/__64_post.h
-+++ b/libsandbox/wrapper-funcs/__64_post.h
-@@ -1,3 +1,4 @@
- #undef SB64
- #undef stat
-+#undef lstat
- #undef off_t
-diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
-index 2132110..0b34b25 100644
---- a/libsandbox/wrapper-funcs/__64_pre.h
-+++ b/libsandbox/wrapper-funcs/__64_pre.h
-@@ -1,3 +1,4 @@
- #define SB64
- #define stat stat64
-+#define lstat lstat64
- #define off_t off64_t
-diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
-index c827ee6..0127708 100644
---- a/libsandbox/wrapper-funcs/openat_pre_check.c
-+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
-@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
-
- /* Doesn't exist -> skip permission checks */
- struct stat st;
-- if (-1 == stat(pathname, &st)) {
-+ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
- sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
- func, pathname, strerror(errno));
- return false;
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
deleted file mode 100644
index 7fc0972..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 23 Jun 2012 11:52:51 -0700
-Subject: [PATCH] libsandbox: clean up open file handles in parent tracing
- process
-
-Currently, if a non-static app sets up a pipe (with cloexec enabled) and
-executes a static app, the handle to that pipe is left open in the parent
-process. This causes trouble when the parent is waiting for that to be
-closed immediately.
-
-Since none of the fds in the forked parent process matter to us, we can
-just go ahead and clean up all fds before we start tracing the child.
-
-URL: http://bugs.gentoo.org/364877
-Reported-by: Victor Stinner <victor.stinner@haypocalc.com>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/trace.c | 3 +-
- libsbutil/sb_close.c | 26 +++++++++++-
- libsbutil/sbutil.h | 1 +
- tests/Makefile.am | 2 +
- tests/pipe-fork_static_tst.c | 18 +++++++++
- tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
- tests/script-9.sh | 5 +++
- tests/script.at | 1 +
- 8 files changed, 149 insertions(+), 2 deletions(-)
- create mode 100644 tests/pipe-fork_static_tst.c
- create mode 100644 tests/pipe-fork_tst.c
- create mode 100755 tests/script-9.sh
-
-diff --git a/libsandbox/trace.c b/libsandbox/trace.c
-index 32ad2d6..dfbab18 100644
---- a/libsandbox/trace.c
-+++ b/libsandbox/trace.c
-@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[])
- /* Not all kernel versions support this, so ignore return */
- ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
- #endif
-+ sb_close_all_fds();
- trace_loop();
-- return;
-+ sb_ebort("ISE: child should have quit, as should we\n");
- }
-
- sb_debug("child setting up ...");
-diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c
-index 17a4560..5379197 100644
---- a/libsbutil/sb_close.c
-+++ b/libsbutil/sb_close.c
-@@ -29,3 +29,27 @@ int sb_close(int fd)
-
- return res;
- }
-+
-+/* Quickly close all the open fds (good for daemonization) */
-+void sb_close_all_fds(void)
-+{
-+ DIR *dirp;
-+ struct dirent *de;
-+ int dfd, fd;
-+ const char *fd_dir = sb_get_fd_dir();
-+
-+ dirp = opendir(fd_dir);
-+ if (!dirp)
-+ sb_ebort("could not process %s\n", fd_dir);
-+ dfd = dirfd(dirp);
-+
-+ while ((de = readdir(dirp)) != NULL) {
-+ if (de->d_name[0] == '.')
-+ continue;
-+ fd = atoi(de->d_name);
-+ if (fd != dfd)
-+ close(fd);
-+ }
-+
-+ closedir(dirp);
-+}
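Review bot: sb_close_all_fds() converts each directory entry with `atoi(de->d_name)` after skipping only names that start with '.', and atoi returns 0 for anything non-numeric, so an unexpected entry in the fd directory would be treated as fd 0. Parse with strtol and check the end pointer before calling close(), and skip entries that do not convert cleanly.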
-diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h
-index 02b88cb..479734b 100644
---- a/libsbutil/sbutil.h
-+++ b/libsbutil/sbutil.h
-@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode);
- size_t sb_read(int fd, void *buf, size_t count);
- size_t sb_write(int fd, const void *buf, size_t count);
- int sb_close(int fd);
-+void sb_close_all_fds(void);
- int sb_copy_file_to_fd(const char *file, int ofd);
-
- /* Reliable output */
---
-1.8.1.2
-
diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
deleted file mode 100644
index 7e73822..0000000
--- a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Fri, 6 Jul 2012 14:58:16 -0400
-Subject: [PATCH] libsandbox: fix hppa trace code
-
-URL: https://bugs.gentoo.org/425062
-Reported-by: Jeroen Roovers <jer@gentoo.org>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
----
- libsandbox/trace/linux/hppa.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c
-index d23b0d1..5414354 100644
---- a/libsandbox/trace/linux/hppa.c
-+++ b/libsandbox/trace/linux/hppa.c
-@@ -1,5 +1,5 @@
--#define trace_reg_sysnum (20 * 4) /* PT_GR20 */
--#define trace_reg_ret (28 * 4) /* PT_GR28 */
-+#define trace_reg_sysnum gr[20]
-+#define trace_reg_ret gr[28]
-
- static unsigned long trace_arg(void *vregs, int num)
- {
---
-1.7.9.7
-
diff --git a/sys-apps/sandbox/sandbox-2.10-r99.ebuild b/sys-apps/sandbox/sandbox-2.10-r1.ebuild
similarity index 93%
rename from sys-apps/sandbox/sandbox-2.10-r99.ebuild
rename to sys-apps/sandbox/sandbox-2.10-r1.ebuild
index a7f6174..e2209ff 100644
--- a/sys-apps/sandbox/sandbox-2.10-r99.ebuild
+++ b/sys-apps/sandbox/sandbox-2.10-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
@@ -16,7 +16,7 @@ SRC_URI="mirror://gentoo/${P}.tar.xz
LICENSE="GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
IUSE="multilib"
DEPEND="app-arch/xz-utils
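Review bot: the KEYWORDS line goes from `amd64 arm ~mips ppc x86` to a list that marks alpha, arm64, hppa, ia64, m68k, ppc64, s390, sh and sparc as stable, in the same change that renames -r99 to -r1. If that list arrived by syncing the ebuild rather than from testing on those arches in this overlay, keep the narrower set or use ~arch for the additions.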
@@ -28,7 +28,7 @@ has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_D
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES=-sandbox emerge sandbox"
+ ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
diff --git a/sys-apps/sandbox/sandbox-2.11-r3.ebuild b/sys-apps/sandbox/sandbox-2.11-r3.ebuild
new file mode 100644
index 0000000..d8f30a0
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.11-r3.ebuild
@@ -0,0 +1,89 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-execvpe.patch #578516
+ epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
+ epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
+
+ # Fix for MUSL
+ epatch "${FILESDIR}/${P}-musl.patch"
+ epatch "${FILESDIR}/${PN}-2.10-fix-visibility-musl.patch"
+
+ epatch_user
+}
+
+multilib_src_configure() {
+ filter-lfs-flags #90228
+
+ local myconf=()
+ host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+ ECONF_SOURCE="${S}" \
+ econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+ # Default sandbox build will run with --jobs set to # cpus.
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${ED}"/var/log/sandbox
+ chmod 0770 "${ED}"/var/log/sandbox
+
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
+ fi
+ fi
+}
+
+pkg_postinst() {
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+ fi
+}
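Review bot: KEYWORDS in this new ebuild still carries ~mips, but the `use mips && chmod -x "${ROOT}"/usr/bin/sandbox` step from the removed sandbox-2.6-r999.ebuild, commented there as "Sandbox builds on mips-musl but fails to run", has no counterpart in pkg_postinst here. Either confirm that 2.11 runs on mips-musl and note it in the commit message, or carry the workaround over.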
diff --git a/sys-apps/sandbox/sandbox-2.6-r999.ebuild b/sys-apps/sandbox/sandbox-2.6-r999.ebuild
deleted file mode 100644
index 63e3a39..0000000
--- a/sys-apps/sandbox/sandbox-2.6-r999.ebuild
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="http://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- http://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES=-sandbox emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062
- epatch "${FILESDIR}"/${P}-log-var.patch
- epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877
- epatch "${FILESDIR}"/${P}-desktop.patch #443672
- epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441
- epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929
- epatch "${FILESDIR}"/${P}-no-pch.patch #425524
- epatch "${FILESDIR}"/${P}-musl.patch
- epatch "${FILESDIR}"/${P}-include-PROTECTED-symbols.patch
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- # hack for conflict between powerpc bits/user.h and asm/ptrace.h
- use elibc_musl && append-cppflags -D_ASM_POWERPC_PTRACE_H
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="../${P}/" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-
- # Sandbox builds on mips-musl but fails to run
- use mips && chmod -x "${ROOT}"/usr/bin/sandbox
-}
* [gentoo-commits] proj/musl:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2017-03-11 18:10 Aric Belsito
From: Aric Belsito @ 2017-03-11 18:10 UTC
To: gentoo-commits
commit: bce355694be541fdcdedc2f6e14d1425f92b6a49
Author: Aric Belsito <lluixhi <AT> gmail <DOT> com>
AuthorDate: Sat Mar 11 18:09:28 2017 +0000
Commit: Aric Belsito <lluixhi <AT> gmail <DOT> com>
CommitDate: Sat Mar 11 18:09:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=bce35569
sys-apps/sandbox: version bump to 2.10-r4/2.11-r5
drop 2.10-r1 (same keywords as 2.10-r3)
sync with upstream
sys-apps/sandbox/Manifest | 7 +-
.../files/sandbox-2.11-symlinkat-renameat.patch | 124 ++++++++++++++++++++
sys-apps/sandbox/sandbox-2.10-r1.ebuild | 130 ---------------------
sys-apps/sandbox/sandbox-2.10-r3.ebuild | 2 +-
...ndbox-2.10-r3.ebuild => sandbox-2.10-r4.ebuild} | 3 +-
...ndbox-2.11-r4.ebuild => sandbox-2.11-r5.ebuild} | 1 +
6 files changed, 132 insertions(+), 135 deletions(-)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 89fcf61..12f24b3 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -7,10 +7,11 @@ AUX sandbox-2.11-exec-hash.patch 4310 SHA256 e9dbdab6b1db8cbe547aa94057fce55bc6a
AUX sandbox-2.11-exec-prelink.patch 4960 SHA256 a8dda45a024a42b7b6fbc2ee49a461879eb866ab915c268079704e1698dd0cef SHA512 9bccda3a940aa95d7542c23e3eeb3b58326bc81920fdcfa6dd3e3c40de5ca9c47948f93afe9e58753b6cf3af10342bf581116f038b29c9fa5c25fd0027c5551c WHIRLPOOL 0e99a04fe636287570ad31998c93b9be8eceeb7a6619f18089d7f4a2df4b9c400874ea132a6e8a3855fbee439607d7e7e583fcad3ef4a0fee0cc46b0b5943bf5
AUX sandbox-2.11-execvpe.patch 986 SHA256 28574866614505b0f65dae5af4a90128997a40c402c6fbe80e809fedad93c113 SHA512 594b8e008178c1d8fa174733e95a02ad6bab1f025225b57e5c224a0b86021a0213cc30a83f607a47aff8756fa561e093b112384a89cc6c842cf2eb7f474e1213 WHIRLPOOL 7309559f0788fafefe17532b88265ed695bdba0836329aad3a4720b0e5d944ea5808dc7f08e0837edb2595da741c033a80cb67e74246a4ba63782497ffd95d7f
AUX sandbox-2.11-musl.patch 1851 SHA256 1f2586e81a06daf7b69642d9c5fbf53563832a4ccd769ec696d9c2baabd2874c SHA512 2800191fbf312d9b8858ef29975355ae51a4aff05ccc7c425f5168fe2db24562e4cf164e8ee35ecc77e0777be9d37cc52d66fdd4bf3eaeb0fc4c68c240a0cb61 WHIRLPOOL 9c2abfcd5f68391c4890beeaf99020a9160635c888de7b45238174e7ac51ffac393150698feb0061fd3104e71a6825f9be98e5495a415ede8d2493a77f3e35e8
+AUX sandbox-2.11-symlinkat-renameat.patch 3418 SHA256 74036803fd8cc07e903abdc2202167cff5e03a82d0db64ad8969b642201a993e SHA512 cbefae8aa9c289db0bfe7b2429f64aa4c437be0e269eaa657eb3b22a3086db1fca45a624cb181978b4157f0cb9b475b4ece2eb9337285bf8bede709ad4431c52 WHIRLPOOL d8943c3f4cda8428c7ab1a75decd67c5e743e5ca998d7e0ae8ba8828923b1c9dc4429c293af4dc9655d3a45e189020fd754f8152471f1626b113a50f69886c9b
AUX sandbox-2.6-musl.patch 1821 SHA256 df08faebffbfade91a2620ff8b56c2087e4a34506fbff3dcf9bc35c2d5bd467c SHA512 69d11e80c97a844c0d84404e802950c876edda8eb7909c90f6f5d4b3fe8a33b5bc884ecc3741c10c8bd7e0871db2db1853cfac969a153d162423b3f3c94039c9 WHIRLPOOL 7120eaf3062cb18c3b13a61fe2b6f839a5f267650d9aa809fafc6d25e8faaadd7af3d5fb41cce66ecf71668555847d264ea977442f03f4dfe7b88b98cf86f78e
DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192
DIST sandbox-2.11.tar.xz 423492 SHA256 a1cb203f95057176ca0c5b53b8b9dafd41d1b64a6cf5039a9e1fb4a51b17f237 SHA512 0aa6c773c109749180442d1a46d1b957dea0c30f893e4be1ac0b410e1aad48fdd2972ec591aa2da3a0c74b32d2b7bd51b7c2263bd7b26f8a34bb762d8a48ea0b WHIRLPOOL a2222cc778f2181473cf23b46a62257e5f3857edebb457dcf230f02da0d153e38a28f78a20dee67c9e564c10239d8bd6982a6e894de666f6eff4550f7ad8cdee
-EBUILD sandbox-2.10-r1.ebuild 2977 SHA256 2b308bd2634a1a30e8438d41e141aee5119d0ae23b493bbb092f76c471af0d81 SHA512 15e3f29bf3397201410f7f364346efaa6d3d75350ab1ff2dabdb246dde71ee8c5ceeef1e9e4c3913d64808eb8783aceead74a92c2f182f793b57d90c1b183e6f WHIRLPOOL 8f95e1726ddd28343850da33f4ca98216ea1e03f574c9d808903015ea9f82023b2b6e655106e17786dac8c0b74c3e33346c28638644dc71fdaacf5f6481414c1
-EBUILD sandbox-2.10-r3.ebuild 2195 SHA256 90cfd0584191678bb1b3e1fdff224341df5ea75cf7fcf6f20cf527c83b1b1aa1 SHA512 2ca76592d8575b013358ca6a6b3377d3a7def07c28d1187b055c8930115f6a9f8afe0045a74a3490cd9b99fc229a140554a2ae10959940b6d7c340bf634b6865 WHIRLPOOL d0b9c552d80ad0807e9a143b77b2d8d69edb3081a722f19eb3ee0a572a02adad83ca9cd71cee82abd27f5912acf190c29a506f06c2993933e782d5fb435319d1
-EBUILD sandbox-2.11-r4.ebuild 2333 SHA256 09b213dc0465790033254ff8de391d429f87d6f56686752c082099e2d3aa8bf9 SHA512 7ac3f0557fc88617a429e730436b8dfb1ed130d811fac3e340a4d09404851f58bbb740348bc2f8b78306286731f59e9ebb89ed550d6d1efa013d0f1010ef4946 WHIRLPOOL 6c5d22cec6cad1f92cadab73b9a901fb2ab465c4a33deff4ce89eedc6f5915f1107893d0841d4cbd85e80ee907dfa07914c70abac3f98159baa593668d8e83e7
+EBUILD sandbox-2.10-r3.ebuild 2264 SHA256 a168ce865021a1dfe502a46d5bbe9a41bcabc3b3f30c5cee72d72ec1ed936544 SHA512 8957ae632332a6ad74fbc5c781cadfd27e3b2d26b13a5b2e94e5c4e09e7ed7714645eb655535fe42657f3ca633871e6849b9046bb5b76a99a0089ae9db4ebfcf WHIRLPOOL 0a5499e44698a4c47dd7858521ea7674885eb4a287db2a96fe9219ee521ecf8cc1125f04806d058382fb8340967484f67631a8b152ef1dda58c391e67fb9eb7e
+EBUILD sandbox-2.10-r4.ebuild 2343 SHA256 f2db8de7d79e75d6a5d0bf8f803e6eea6d3c6e63758632db1c6422a288b230ba SHA512 e734b76a865c7d2c73621a3300dd7dee0eeebe54b85922b166e7960edde26c9bb0cffff88ccb30e4bc638554135967272fb8d39ca46eaa2fd7739a3d25d4a07a WHIRLPOOL e895fb01eadbacc6c96b550a5a8974e211e1a39149c280a119f65e8e0b259501caaeb368872a875266a073e97eaab71b837c4c7a59b652fb66010934f760dc5d
+EBUILD sandbox-2.11-r5.ebuild 2393 SHA256 7e1b2f4941d10ba468ecab75fbcc1fd9c4aabfc8a33f05b3788739546ba84e84 SHA512 43c6825205c07ea230135ce0fa124eb002bc89e5212ecfb1c5966dceac0460e15a6ea210e02c27f29040575a0a888a2de0c9cbbbdc980740d71df55971be0d50 WHIRLPOOL 722eea8e3b2c3d9323146617a0798ef5697a8b7bc6e0afba338d51b8cd34e0f95def6dac1cf2f042bea30a93f487e7f203a3fe4bbe113f0561968f3c678c632e
MISC metadata.xml 331 SHA256 593acb3cb5d82507c93a39cc745aebf1aa453683a039ff7d7f9d12ad9ed042a4 SHA512 f112b562f8b2a1022c0f4eac7a0e55369046d1d7d6052ab1514d841c968fc8cb33e9c337326db23a5944f3f43a676d4743dec4413ddd6e7f5c6cf63c82969675 WHIRLPOOL 0e306bda54e820ed6883b47ea0e305c5a361a88047b8f6ccd1ba621e1ef7bec08809019e638949e05e892e3d3eeffe48568b6e31e1db8071ca9932b0ea2d9f2e
diff --git a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
new file mode 100644
index 0000000..e33011f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
@@ -0,0 +1,124 @@
+From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Fri, 10 Mar 2017 10:15:50 -0800
+Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
+
+These funcs don't deref their path args, so flag them as such.
+
+URL: https://bugs.gentoo.org/612202
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/libsandbox.c | 4 +++-
+ tests/renameat-2.sh | 12 ++++++++++++
+ tests/renameat-3.sh | 11 +++++++++++
+ tests/renameat.at | 2 ++
+ tests/symlinkat-2.sh | 10 ++++++++++
+ tests/symlinkat-3.sh | 9 +++++++++
+ tests/symlinkat.at | 2 ++
+ 7 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100755 tests/renameat-2.sh
+ create mode 100755 tests/renameat-3.sh
+ create mode 100755 tests/symlinkat-2.sh
+ create mode 100755 tests/symlinkat-3.sh
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index e809308d717d..de48bd79ba53 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path)
+ sb_nr == SB_NR_LCHOWN ||
+ sb_nr == SB_NR_REMOVE ||
+ sb_nr == SB_NR_RENAME ||
++ sb_nr == SB_NR_RENAMEAT ||
+ sb_nr == SB_NR_RMDIR ||
+- sb_nr == SB_NR_SYMLINK))
++ sb_nr == SB_NR_SYMLINK ||
++ sb_nr == SB_NR_SYMLINKAT))
+ {
+ /* These funcs sometimes operate on symlinks */
+ if (!((sb_nr == SB_NR_FCHOWNAT ||
+diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
+new file mode 100755
+index 000000000000..d0fbe8ae4574
+--- /dev/null
++++ b/tests/renameat-2.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++ln -s /asdf sym || exit 1
++touch file
++renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
++[ ! -e file ]
++[ ! -L sym ]
++[ -e sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
+new file mode 100755
+index 000000000000..9ae5c9a6511a
+--- /dev/null
++++ b/tests/renameat-3.sh
+@@ -0,0 +1,11 @@
++#!/bin/sh
++# make sure we reject bad renames #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++touch file
++renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
++[ -e file ]
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat.at b/tests/renameat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/renameat.at
++++ b/tests/renameat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
+new file mode 100755
+index 000000000000..168362e8806f
+--- /dev/null
++++ b/tests/symlinkat-2.sh
+@@ -0,0 +1,10 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
+new file mode 100755
+index 000000000000..a01c750dd2b6
+--- /dev/null
++++ b/tests/symlinkat-3.sh
+@@ -0,0 +1,9 @@
++#!/bin/sh
++# make sure we reject bad symlinks #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat.at b/tests/symlinkat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/symlinkat.at
++++ b/tests/symlinkat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+--
+2.12.0
+
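Review bot: in tests/renameat-2.sh the three checks `[ ! -e file ]`, `[ ! -L sym ]` and `[ -e sym ]` have no `|| exit 1`, so unless the harness runs the script with `-e` (not visible here) their results are discarded and the script's exit status comes only from the final `test ! -s "${SANDBOX_LOG}"`. The same applies to `[ -e file ]` in tests/renameat-3.sh and to both `[ -L sym ]` lines in tests/symlinkat-2.sh. Suggest appending `|| exit 1` to each, matching the style already used on the `ln -s` and `renameat-0` lines, and quoting `$PWD` in `addwrite $PWD` and `adddeny $PWD/deny` so a work directory containing spaces does not change which path is whitelisted or denied.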
diff --git a/sys-apps/sandbox/sandbox-2.10-r1.ebuild b/sys-apps/sandbox/sandbox-2.10-r1.ebuild
deleted file mode 100644
index e2209ff..0000000
--- a/sys-apps/sandbox/sandbox-2.10-r1.ebuild
+++ /dev/null
@@ -1,130 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-#
-# don't monkey with this ebuild unless contacting portage devs.
-# period.
-#
-
-inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing pax-utils
-
-DESCRIPTION="sandbox'd LD_PRELOAD hack"
-HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
-SRC_URI="mirror://gentoo/${P}.tar.xz
- https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="multilib"
-
-DEPEND="app-arch/xz-utils
- >=app-misc/pax-utils-0.1.19" #265376
-RDEPEND=""
-
-EMULTILIB_PKG="true"
-has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
-
-sandbox_death_notice() {
- ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
- ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
-}
-
-sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; }
-
-sb_foreach_abi() {
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- cd "${WORKDIR}/build-${ABI}"
- einfo "Running $1 for ABI=${ABI}..."
- "$@"
- done
- ABI=${OABI}
-}
-
-src_unpack() {
- unpacker
- cd "${S}"
- epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
- epatch "${FILESDIR}"/${P}-disable-same.patch
- epatch "${FILESDIR}"/${PN}-2.6-musl.patch
- epatch "${FILESDIR}"/${P}-fix-visibility-musl.patch
- epatch_user
-}
-
-sb_configure() {
- mkdir "${WORKDIR}/build-${ABI}"
- cd "${WORKDIR}/build-${ABI}"
-
- use multilib && multilib_toolchain_setup ${ABI}
-
- local myconf=()
- host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
-
- einfo "Configuring sandbox for ABI=${ABI}..."
- ECONF_SOURCE="${S}" \
- econf ${myconf} || die
-}
-
-sb_compile() {
- emake || die
-}
-
-src_compile() {
- filter-lfs-flags #90228
-
- # Run configures in parallel!
- multijob_init
- local OABI=${ABI}
- for ABI in $(sb_get_install_abis) ; do
- multijob_child_init sb_configure
- done
- ABI=${OABI}
- multijob_finish
-
- sb_foreach_abi sb_compile
-}
-
-sb_test() {
- emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die
-}
-
-src_test() {
- sb_foreach_abi sb_test
-}
-
-sb_install() {
- emake DESTDIR="${D}" install || die
- insinto /etc/sandbox.d #333131
- doins etc/sandbox.d/00default || die
-}
-
-src_install() {
- sb_foreach_abi sb_install
-
- doenvd "${FILESDIR}"/09sandbox
-
- keepdir /var/log/sandbox
- fowners root:portage /var/log/sandbox
- fperms 0770 /var/log/sandbox
-
- cd "${S}"
- dodoc AUTHORS ChangeLog* NEWS README
-}
-
-pkg_preinst() {
- chown root:portage "${D}"/var/log/sandbox
- chmod 0770 "${D}"/var/log/sandbox
-
- local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
- if [[ -n ${old} ]] ; then
- elog "Removing old sandbox libraries for you:"
- elog ${old//${ROOT}}
- find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \;
- fi
-}
-
-pkg_postinst() {
- chmod 0755 "${ROOT}"/etc/sandbox.d #265376
-}
diff --git a/sys-apps/sandbox/sandbox-2.10-r3.ebuild b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
index d4a2e5b..c3a50cd 100644
--- a/sys-apps/sandbox/sandbox-2.10-r3.ebuild
+++ b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
@@ -17,7 +17,7 @@ SRC_URI="mirror://gentoo/${P}.tar.xz
LICENSE="GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
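Review bot: the `KEYWORDS` line of the existing revision r3 goes from `amd64 arm ~mips ppc x86` straight to stable on alpha, arm64, hppa, ia64, m68k, ppc64, s390, sh and sparc, while the new r4 in this same commit lists every arch as `~arch`. If this simply mirrors the main tree's keywords, the commit message should say so; otherwise the arches that were not listed before should enter as `~arch` first rather than as stable.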
diff --git a/sys-apps/sandbox/sandbox-2.10-r3.ebuild b/sys-apps/sandbox/sandbox-2.10-r4.ebuild
similarity index 92%
copy from sys-apps/sandbox/sandbox-2.10-r3.ebuild
copy to sys-apps/sandbox/sandbox-2.10-r4.ebuild
index d4a2e5b..dc6bf45 100644
--- a/sys-apps/sandbox/sandbox-2.10-r3.ebuild
+++ b/sys-apps/sandbox/sandbox-2.10-r4.ebuild
@@ -17,7 +17,7 @@ SRC_URI="mirror://gentoo/${P}.tar.xz
LICENSE="GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
@@ -35,6 +35,7 @@ src_prepare() {
epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
epatch "${FILESDIR}"/${P}-disable-same.patch
epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
+ epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202
epatch "${FILESDIR}"/${PN}-2.6-musl.patch
epatch "${FILESDIR}"/${P}-fix-visibility-musl.patch
epatch_user
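Review bot: the added `epatch` line in r4 applies `${PN}-2.11-symlinkat-renameat.patch`, a file named for 2.11 whose libsandbox.c hunk is anchored at `@@ -650,8 +650,10 @@`, to the 2.10 sources. Please confirm it applies to 2.10 without fuzz or offset, including the `tests/renameat.at` and `tests/symlinkat.at` hunks, and add a short comment on that line noting the patch is shared with 2.11-r5.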
diff --git a/sys-apps/sandbox/sandbox-2.11-r4.ebuild b/sys-apps/sandbox/sandbox-2.11-r5.ebuild
similarity index 97%
rename from sys-apps/sandbox/sandbox-2.11-r4.ebuild
rename to sys-apps/sandbox/sandbox-2.11-r5.ebuild
index e370c3a..b765bc5 100644
--- a/sys-apps/sandbox/sandbox-2.11-r4.ebuild
+++ b/sys-apps/sandbox/sandbox-2.11-r5.ebuild
@@ -36,6 +36,7 @@ src_prepare() {
epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
epatch "${FILESDIR}"/${PN}-2.10-fix-opendir.patch #553092
+ epatch "${FILESDIR}"/${P}-symlinkat-renameat.patch #612202
epatch "${FILESDIR}"/${P}-musl.patch
epatch "${FILESDIR}"/${PN}-2.10-fix-visibility-musl.patch
epatch_user
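Review bot: the new `epatch "${FILESDIR}"/${P}-symlinkat-renameat.patch` line makes the build depend on a file under files/, yet the follow-up commit f347f9d1 on this page is titled as adding the missing patch and adds its `AUX` line to the Manifest. Check that the Manifest in this commit carries an `AUX sandbox-2.11-symlinkat-renameat.patch` entry; without it the r4 and r5 ebuilds that reference the patch may not pass Manifest verification until the follow-up lands.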
* [gentoo-commits] proj/musl:master commit in: sys-apps/sandbox/files/, sys-apps/sandbox/
@ 2017-10-29 3:16 Jory Pratt
0 siblings, 0 replies; 4+ messages in thread
From: Jory Pratt @ 2017-10-29 3:16 UTC (permalink / raw
To: gentoo-commits
commit: f347f9d1b05fe115584e07ca93470afc19ab6690
Author: Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 29 03:15:54 2017 +0000
Commit: Jory Pratt <anarchy <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 03:15:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=f347f9d1
sys-apps/sandbox - add missing sandbox-2.11-symlinkat-renameat.patch
patch
sys-apps/sandbox/Manifest | 1 +
.../files/sandbox-2.11-symlinkat-renameat.patch | 124 +++++++++++++++++++++
2 files changed, 125 insertions(+)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 5fc228f..1a3dacc 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -4,6 +4,7 @@ AUX sandbox-2.10-fix-opendir.patch 3311 SHA256 33e31a0331d75985e6fb254001d657988
AUX sandbox-2.10-fix-visibility-musl.patch 573 SHA256 67f70fa39867eeeee45b343db78c73fdb6e63b8a1b52d3dc288894402239dd12 SHA512 a740e0b1a68c0609dc3080e88ab8ab87885fe05f5e0864d10ed76e8e7000f7879cb206342c38d4097c691a7c85d1936e98802b206084eb2af9f78bd43158d759 WHIRLPOOL 0c226daa4b6d36c2df001d3d67b9e4023944c5b010d1bc311d731c121dd94b533546479a7b1b77bcb8be608ecf70508fb7dd65b22bafdb2d13a2860c9c0659da
AUX sandbox-2.10-memory-corruption.patch 1515 SHA256 4876cc9962d56d3c5fc5418fe12ef1a399e34ff0272f12640c4a5c5b775e8888 SHA512 1eb650824cc7a876fabef382cafb451a507326a8422fb7bb5014699046b64ea8f4cf2bba9efcb75d7a2eac4eff493d06153422f85c119f49635ac0840071660c WHIRLPOOL db2c834119c7887ed746154e73e88cc09bf2a31184b3cda2732b70cb43dd8bc7f59f1072a4cc56ebcf593ba67330b9888832dc186ee55e009428d607f62293ab
AUX sandbox-2.11-musl.patch 1851 SHA256 1f2586e81a06daf7b69642d9c5fbf53563832a4ccd769ec696d9c2baabd2874c SHA512 2800191fbf312d9b8858ef29975355ae51a4aff05ccc7c425f5168fe2db24562e4cf164e8ee35ecc77e0777be9d37cc52d66fdd4bf3eaeb0fc4c68c240a0cb61 WHIRLPOOL 9c2abfcd5f68391c4890beeaf99020a9160635c888de7b45238174e7ac51ffac393150698feb0061fd3104e71a6825f9be98e5495a415ede8d2493a77f3e35e8
+AUX sandbox-2.11-symlinkat-renameat.patch 3418 SHA256 74036803fd8cc07e903abdc2202167cff5e03a82d0db64ad8969b642201a993e SHA512 cbefae8aa9c289db0bfe7b2429f64aa4c437be0e269eaa657eb3b22a3086db1fca45a624cb181978b4157f0cb9b475b4ece2eb9337285bf8bede709ad4431c52 WHIRLPOOL d8943c3f4cda8428c7ab1a75decd67c5e743e5ca998d7e0ae8ba8828923b1c9dc4429c293af4dc9655d3a45e189020fd754f8152471f1626b113a50f69886c9b
AUX sandbox-2.6-musl.patch 1821 SHA256 df08faebffbfade91a2620ff8b56c2087e4a34506fbff3dcf9bc35c2d5bd467c SHA512 69d11e80c97a844c0d84404e802950c876edda8eb7909c90f6f5d4b3fe8a33b5bc884ecc3741c10c8bd7e0871db2db1853cfac969a153d162423b3f3c94039c9 WHIRLPOOL 7120eaf3062cb18c3b13a61fe2b6f839a5f267650d9aa809fafc6d25e8faaadd7af3d5fb41cce66ecf71668555847d264ea977442f03f4dfe7b88b98cf86f78e
DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192
DIST sandbox-2.12.tar.xz 424252 SHA256 265a490a8c528237c55ad26dfd7f62336fa5727c82358fc9cfbaa2e52c47fc50 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9 WHIRLPOOL 4f3089746a11616c60057165f387122b74e8d2f30a2d77db296405a2b6f401fc625645bca73092436162f5d98a88bfb2a3b42909b0eceb9a59ab810d803441b0
diff --git a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
new file mode 100644
index 0000000..e33011f
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
@@ -0,0 +1,124 @@
+From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Fri, 10 Mar 2017 10:15:50 -0800
+Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
+
+These funcs don't deref their path args, so flag them as such.
+
+URL: https://bugs.gentoo.org/612202
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ libsandbox/libsandbox.c | 4 +++-
+ tests/renameat-2.sh | 12 ++++++++++++
+ tests/renameat-3.sh | 11 +++++++++++
+ tests/renameat.at | 2 ++
+ tests/symlinkat-2.sh | 10 ++++++++++
+ tests/symlinkat-3.sh | 9 +++++++++
+ tests/symlinkat.at | 2 ++
+ 7 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100755 tests/renameat-2.sh
+ create mode 100755 tests/renameat-3.sh
+ create mode 100755 tests/symlinkat-2.sh
+ create mode 100755 tests/symlinkat-3.sh
+
+diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
+index e809308d717d..de48bd79ba53 100644
+--- a/libsandbox/libsandbox.c
++++ b/libsandbox/libsandbox.c
+@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path)
+ sb_nr == SB_NR_LCHOWN ||
+ sb_nr == SB_NR_REMOVE ||
+ sb_nr == SB_NR_RENAME ||
++ sb_nr == SB_NR_RENAMEAT ||
+ sb_nr == SB_NR_RMDIR ||
+- sb_nr == SB_NR_SYMLINK))
++ sb_nr == SB_NR_SYMLINK ||
++ sb_nr == SB_NR_SYMLINKAT))
+ {
+ /* These funcs sometimes operate on symlinks */
+ if (!((sb_nr == SB_NR_FCHOWNAT ||
+diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
+new file mode 100755
+index 000000000000..d0fbe8ae4574
+--- /dev/null
++++ b/tests/renameat-2.sh
+@@ -0,0 +1,12 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++ln -s /asdf sym || exit 1
++touch file
++renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
++[ ! -e file ]
++[ ! -L sym ]
++[ -e sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
+new file mode 100755
+index 000000000000..9ae5c9a6511a
+--- /dev/null
++++ b/tests/renameat-3.sh
+@@ -0,0 +1,11 @@
++#!/bin/sh
++# make sure we reject bad renames #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++touch file
++renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
++[ -e file ]
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/renameat.at b/tests/renameat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/renameat.at
++++ b/tests/renameat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
+new file mode 100755
+index 000000000000..168362e8806f
+--- /dev/null
++++ b/tests/symlinkat-2.sh
+@@ -0,0 +1,10 @@
++#!/bin/sh
++# make sure we can clobber symlinks #612202
++
++addwrite $PWD
++
++symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
++[ -L sym ]
++test ! -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
+new file mode 100755
+index 000000000000..a01c750dd2b6
+--- /dev/null
++++ b/tests/symlinkat-3.sh
+@@ -0,0 +1,9 @@
++#!/bin/sh
++# make sure we reject bad symlinks #612202
++
++addwrite $PWD
++mkdir deny
++adddeny $PWD/deny
++
++symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
++test -s "${SANDBOX_LOG}"
+diff --git a/tests/symlinkat.at b/tests/symlinkat.at
+index 081d7d20277e..eec4638deeaa 100644
+--- a/tests/symlinkat.at
++++ b/tests/symlinkat.at
+@@ -1 +1,3 @@
+ SB_CHECK(1)
++SB_CHECK(2)
++SB_CHECK(3)
+--
+2.12.0
+
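Review bot: tests/symlinkat-2.sh carries the comment "make sure we can clobber symlinks", the same text as in tests/renameat-2.sh, but its second call expects `-1,EEXIST` and `[ -L sym ]` is checked again afterwards, so nothing is clobbered; the comment should say that the test checks a symlinkat onto an existing symlink leaves `${SANDBOX_LOG}` empty. In tests/symlinkat-3.sh the only post-condition is a non-empty `${SANDBOX_LOG}`; adding `[ ! -L deny/sym ] || exit 1` would also confirm the link was not created under the denied directory. In libsandbox.c, the rationale from the commit message (these calls do not dereference their path arguments) would be worth a comment next to the extended `sb_nr ==` list, since the existing comment only says the functions "sometimes operate on symlinks".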