From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" <vapier@gentoo.org>
Message-ID: <1489171854.94f5df1e61d1b6159a32f020e1780427fba6d98c.vapier@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/, sys-apps/sandbox/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch sys-apps/sandbox/sandbox-2.10-r4.ebuild sys-apps/sandbox/sandbox-2.11-r5.ebuild
X-VCS-Directories: sys-apps/sandbox/ sys-apps/sandbox/files/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 94f5df1e61d1b6159a32f020e1780427fba6d98c
X-VCS-Branch: master
Date: Fri, 10 Mar 2017 18:51:00 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 03f4279a-5835-4eda-9395-d118a1e193d5
X-Archives-Hash: 4284f1735af59788d0e6749bd02bb8ef

commit:     94f5df1e61d1b6159a32f020e1780427fba6d98c
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Fri Mar 10 18:49:39 2017 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Fri Mar 10 18:50:54 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94f5df1e

sys-apps/sandbox: fix handling of symlinks w/symlinkat/renameat #612202

 .../files/sandbox-2.11-symlinkat-renameat.patch    | 124 +++++++++++++++++++++
 sys-apps/sandbox/sandbox-2.10-r4.ebuild            |  85 ++++++++++++++
 sys-apps/sandbox/sandbox-2.11-r5.ebuild            |  86 ++++++++++++++
 3 files changed, 295 insertions(+)

diff --git a/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch new file mode 100644 index 00000000000..e33011f7495 --- /dev/null +++ b/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch 
@@ -0,0 +1,124 @@ +From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Fri, 10 Mar 2017 10:15:50 -0800 +Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs + +These funcs don't deref their path args, so flag them as such. + +URL: https://bugs.gentoo.org/612202 +Signed-off-by: Mike Frysinger <vapier@gentoo.org> +--- + libsandbox/libsandbox.c | 4 +++- + tests/renameat-2.sh | 12 ++++++++++++ + tests/renameat-3.sh | 11 +++++++++++ + tests/renameat.at | 2 ++ + tests/symlinkat-2.sh | 10 ++++++++++ + tests/symlinkat-3.sh | 9 +++++++++ + tests/symlinkat.at | 2 ++ + 7 files changed, 49 insertions(+), 1 deletion(-) + create mode 100755 tests/renameat-2.sh + create mode 100755 tests/renameat-3.sh + create mode 100755 tests/symlinkat-2.sh + create mode 100755 tests/symlinkat-3.sh + +diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c +index e809308d717d..de48bd79ba53 100644 +--- a/libsandbox/libsandbox.c ++++ b/libsandbox/libsandbox.c +@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path) + sb_nr == SB_NR_LCHOWN || + sb_nr == SB_NR_REMOVE || + sb_nr == SB_NR_RENAME || ++ sb_nr == SB_NR_RENAMEAT || + sb_nr == SB_NR_RMDIR || +- sb_nr == SB_NR_SYMLINK)) ++ sb_nr == SB_NR_SYMLINK || ++ sb_nr == SB_NR_SYMLINKAT)) + { + /* These funcs sometimes operate on symlinks */ + if (!((sb_nr == SB_NR_FCHOWNAT || +diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh +new file mode 100755 +index 000000000000..d0fbe8ae4574 +--- /dev/null ++++ b/tests/renameat-2.sh +@@ -0,0 +1,12 @@ ++#!/bin/sh ++# make sure we can clobber symlinks #612202 ++ ++addwrite $PWD ++ ++ln -s /asdf sym || exit 1 ++touch file ++renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1 ++[ ! -e file ] ++[ ! -L sym ] ++[ -e sym ] ++test ! 
-s "${SANDBOX_LOG}" +diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh +new file mode 100755 +index 000000000000..9ae5c9a6511a +--- /dev/null ++++ b/tests/renameat-3.sh +@@ -0,0 +1,11 @@ ++#!/bin/sh ++# make sure we reject bad renames #612202 ++ ++addwrite $PWD ++mkdir deny ++adddeny $PWD/deny ++ ++touch file ++renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1 ++[ -e file ] ++test -s "${SANDBOX_LOG}" +diff --git a/tests/renameat.at b/tests/renameat.at +index 081d7d20277e..eec4638deeaa 100644 +--- a/tests/renameat.at ++++ b/tests/renameat.at +@@ -1 +1,3 @@ + SB_CHECK(1) ++SB_CHECK(2) ++SB_CHECK(3) +diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh +new file mode 100755 +index 000000000000..168362e8806f +--- /dev/null ++++ b/tests/symlinkat-2.sh +@@ -0,0 +1,10 @@ ++#!/bin/sh ++# make sure we can clobber symlinks #612202 ++ ++addwrite $PWD ++ ++symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1 ++[ -L sym ] ++symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1 ++[ -L sym ] ++test ! -s "${SANDBOX_LOG}" +diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh +new file mode 100755 +index 000000000000..a01c750dd2b6 +--- /dev/null ++++ b/tests/symlinkat-3.sh +@@ -0,0 +1,9 @@ ++#!/bin/sh ++# make sure we reject bad symlinks #612202 ++ ++addwrite $PWD ++mkdir deny ++adddeny $PWD/deny ++ ++symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1 ++test -s "${SANDBOX_LOG}" +diff --git a/tests/symlinkat.at b/tests/symlinkat.at +index 081d7d20277e..eec4638deeaa 100644 +--- a/tests/symlinkat.at ++++ b/tests/symlinkat.at +@@ -1 +1,3 @@ + SB_CHECK(1) ++SB_CHECK(2) ++SB_CHECK(3) +-- +2.12.0 + diff --git a/sys-apps/sandbox/sandbox-2.10-r4.ebuild b/sys-apps/sandbox/sandbox-2.10-r4.ebuild new file mode 100644 index 00000000000..0f792910204 --- /dev/null +++ b/sys-apps/sandbox/sandbox-2.10-r4.ebuild 
@@ -0,0 +1,85 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# +# don't monkey with this ebuild unless contacting portage devs. +# period. +# + +EAPI="5" + +inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils + +DESCRIPTION="sandbox'd LD_PRELOAD hack" +HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/" +SRC_URI="mirror://gentoo/${P}.tar.xz + https://dev.gentoo.org/~vapier/dist/${P}.tar.xz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="" + +DEPEND="app-arch/xz-utils + >=app-misc/pax-utils-0.1.19" #265376 +RDEPEND="" + +has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" + +sandbox_death_notice() { + ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" + ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" +} + +src_prepare() { + epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714 + epatch "${FILESDIR}"/${P}-disable-same.patch + epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092 + epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202 + epatch_user +} + +multilib_src_configure() { + filter-lfs-flags #90228 + + local myconf=() + host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092 + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" +} + +multilib_src_test() { + # Default sandbox build will run with --jobs set to # cpus. 
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" +} + +multilib_src_install_all() { + doenvd "${FILESDIR}"/09sandbox + + keepdir /var/log/sandbox + fowners root:portage /var/log/sandbox + fperms 0770 /var/log/sandbox + + cd "${S}" + dodoc AUTHORS ChangeLog* NEWS README +} + +pkg_preinst() { + chown root:portage "${ED}"/var/log/sandbox + chmod 0770 "${ED}"/var/log/sandbox + + if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then + local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*') + if [[ -n ${old} ]] ; then + elog "Removing old sandbox libraries for you:" + find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete + fi + fi +} + +pkg_postinst() { + if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then + chmod 0755 "${EROOT}"/etc/sandbox.d #265376 + fi +} diff --git a/sys-apps/sandbox/sandbox-2.11-r5.ebuild b/sys-apps/sandbox/sandbox-2.11-r5.ebuild new file mode 100644 index 00000000000..48dd1a7ad99 --- /dev/null +++ b/sys-apps/sandbox/sandbox-2.11-r5.ebuild 
@@ -0,0 +1,86 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# +# don't monkey with this ebuild unless contacting portage devs. +# period. +# + +EAPI="5" + +inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils + +DESCRIPTION="sandbox'd LD_PRELOAD hack" +HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/" +SRC_URI="mirror://gentoo/${P}.tar.xz + https://dev.gentoo.org/~vapier/dist/${P}.tar.xz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="" + +DEPEND="app-arch/xz-utils + >=app-misc/pax-utils-0.1.19" #265376 +RDEPEND="" + +has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" + +sandbox_death_notice() { + ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" + ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" +} + +src_prepare() { + epatch "${FILESDIR}"/${P}-execvpe.patch #578516 + epatch "${FILESDIR}"/${P}-exec-hash.patch #578524 + epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894 + epatch "${FILESDIR}"/${PN}-2.10-fix-opendir.patch #553092 + epatch "${FILESDIR}"/${P}-symlinkat-renameat.patch #612202 + epatch_user +} + +multilib_src_configure() { + filter-lfs-flags #90228 + + local myconf=() + host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092 + + ECONF_SOURCE="${S}" \ + econf "${myconf[@]}" +} + +multilib_src_test() { + # Default sandbox build will run with --jobs set to # cpus. 
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" +} + +multilib_src_install_all() { + doenvd "${FILESDIR}"/09sandbox + + keepdir /var/log/sandbox + fowners root:portage /var/log/sandbox + fperms 0770 /var/log/sandbox + + cd "${S}" + dodoc AUTHORS ChangeLog* NEWS README +} + +pkg_preinst() { + chown root:portage "${ED}"/var/log/sandbox + chmod 0770 "${ED}"/var/log/sandbox + + if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then + local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*') + if [[ -n ${old} ]] ; then + elog "Removing old sandbox libraries for you:" + find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete + fi + fi +} + +pkg_postinst() { + if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then + chmod 0755 "${EROOT}"/etc/sandbox.d #265376 + fi +}
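
Review bot: In the libsandbox/libsandbox.c hunk (symlink_func), the new SB_NR_RENAMEAT and SB_NR_SYMLINKAT entries are only ever exercised with AT_FDCWD: every renameat-0 and symlinkat-0 call in the added tests passes AT_FDCWD for the directory fd, and renameat-2.sh only covers a symlink as the rename destination (`file` -> `sym`), never as the source. Since this list decides which calls get their final path component checked without dereferencing, I would add one case that uses a real directory fd and one that renames a dangling symlink itself, so both code paths that reach this condition are covered. A one-line comment above the list stating the criterion ("never follows the final symlink") would also make future additions easier to review.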
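
Review bot: In tests/renameat-2.sh the post-condition checks `[ ! -e file ]`, `[ ! -L sym ]` and `[ -e sym ]` have no `|| exit 1`, and the script never runs `set -e`, so a failed check is silently ignored and the exit status comes only from the final `test ! -s "${SANDBOX_LOG}"`. The same applies to `[ -e file ]` in renameat-3.sh and both `[ -L sym ]` lines in symlinkat-2.sh. Append `|| exit 1` to each check (or add `set -e` at the top) so the tests actually fail when the rename or symlink left the wrong state behind. Separately, `addwrite $PWD` and `adddeny $PWD/deny` are unquoted in all four scripts and will split if the test directory contains whitespace; quote them as "${PWD}" and "${PWD}/deny".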
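
Review bot: In sys-apps/sandbox/sandbox-2.10-r4.ebuild, `cd "${S}"` in multilib_src_install_all and the `chown`/`chmod` calls in pkg_preinst and pkg_postinst are plain external commands with no `|| die`, so under EAPI="5" a failure there goes unnoticed and /var/log/sandbox could be left with the wrong owner or mode. Add `|| die` to each. Also worth a short comment next to `epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch` saying the patch was generated against 2.11 and is intentionally shared with 2.10, since every other patch in this src_prepare uses ${P}.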
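
Review bot: The header of the new sys-apps/sandbox/sandbox-2.11-r5.ebuild reads "Copyright 1999-2016 Gentoo Foundation" although the file is created by this 2017 commit and the sibling sandbox-2.10-r4.ebuild added alongside it says 1999-2017; update the year so the two new files agree. The unchecked `cd "${S}"`, `chown` and `chmod` calls noted for the 2.10-r4 ebuild are duplicated here and need the same `|| die`.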