From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1007509-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 71B0F1382C5
	for <garchives@archives.gentoo.org>; Mon,  5 Mar 2018 18:37:34 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 83F76E0809;
	Mon,  5 Mar 2018 18:37:33 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 51BFAE0809
	for <gentoo-commits@lists.gentoo.org>; Mon,  5 Mar 2018 18:37:33 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id BE5FC335C0A
	for <gentoo-commits@lists.gentoo.org>; Mon,  5 Mar 2018 18:37:31 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 4AFF31EF
	for <gentoo-commits@lists.gentoo.org>; Mon,  5 Mar 2018 18:37:30 +0000 (UTC)
From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger" <vapier@gentoo.org>
Message-ID: <1520274738.0a3af690b27f38bcce7b11f5888cc20ef24009eb.vapier@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/gawk/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/gawk/gawk-4.2.1-r1.ebuild sys-apps/gawk/metadata.xml
X-VCS-Directories: sys-apps/gawk/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 0a3af690b27f38bcce7b11f5888cc20ef24009eb
X-VCS-Branch: master
Date: Mon,  5 Mar 2018 18:37:30 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d1660f90-8ccc-4084-828e-50a6d36385e8
X-Archives-Hash: 8ede99f5c1bd54413fa05b89f2ba848e

commit:     0a3af690b27f38bcce7b11f5888cc20ef24009eb
Author:     Mike Frysinger <vapier <AT> chromium <DOT> org>
AuthorDate: Mon Mar  5 18:10:17 2018 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Mar  5 18:32:18 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a3af690

sys-apps/gawk: add USE=forced-sandbox to always enable --sandbox

For building locked down systems, it's nice to be able to force all
awk scripts into a sane/secure mode.

 sys-apps/gawk/gawk-4.2.1-r1.ebuild | 93 ++++++++++++++++++++++++++++++++++++++
 sys-apps/gawk/metadata.xml         |  1 +
 2 files changed, 94 insertions(+)

diff --git a/sys-apps/gawk/gawk-4.2.1-r1.ebuild b/sys-apps/gawk/gawk-4.2.1-r1.ebuild
new file mode 100644
index 00000000000..3bf1a7e90d2
--- /dev/null
+++ b/sys-apps/gawk/gawk-4.2.1-r1.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit toolchain-funcs multilib
+
+DESCRIPTION="GNU awk pattern-matching language"
+HOMEPAGE="https://www.gnu.org/software/gawk/gawk.html"
+SRC_URI="mirror://gnu/gawk/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="forced-sandbox mpfr nls readline"
+
+RDEPEND="
+	dev-libs/gmp:0=
+	mpfr? ( dev-libs/mpfr:0= )
+	readline? ( sys-libs/readline:0= )
+"
+DEPEND="${RDEPEND}
+	nls? ( sys-devel/gettext )"
+
+src_prepare() {
+	default
+
+	# use symlinks rather than hardlinks, and disable version links
+	sed -i \
+		-e '/^LN =/s:=.*:= $(LN_S):' \
+		-e '/install-exec-hook:/s|$|\nfoo:|' \
+		Makefile.in doc/Makefile.in || die
+	sed -i '/^pty1:$/s|$|\n_pty1:|' test/Makefile.in #413327
+	# fix standards conflict on Solaris
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		sed -i \
+			-e '/\<_XOPEN_SOURCE\>/s/1$/600/' \
+			-e '/\<_XOPEN_SOURCE_EXTENDED\>/s/1//' \
+			extension/inplace.c || die
+	fi
+
+	if use forced-sandbox ; then
+		# Upstream doesn't want to add a configure flag for this.
+		# https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html
+		sed -i \
+			-e '/^int do_flags = false;/s:false:DO_SANDBOX:' \
+			main.c || die
+		# Make sure the sed took.
+		grep -q '^int do_flags = DO_SANDBOX;' main.c || die "forcing sandbox failed"
+	fi
+}
+
+src_configure() {
+	export ac_cv_libsigsegv=no
+	local myeconfargs=(
+		--libexec='$(libdir)/misc'
+		$(use_with mpfr)
+		$(use_enable nls)
+		$(use_with readline)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	rm -rf README_d # automatic dodocs barfs
+	default
+
+	# Install headers
+	insinto /usr/include/awk
+	doins *.h
+	rm "${ED%/}"/usr/include/awk/config.h || die
+}
+
+pkg_postinst() {
+	# symlink creation here as the links do not belong to gawk, but to any awk
+	if has_version app-admin/eselect \
+			&& has_version app-eselect/eselect-awk ; then
+		eselect awk update ifunset
+	else
+		local l
+		for l in "${EROOT}"/usr/share/man/man1/gawk.1* "${EROOT}"/usr/bin/gawk; do
+			[[ -e ${l} && ! -e ${l/gawk/awk} ]] && ln -s "${l##*/}" "${l/gawk/awk}"
+		done
+		[[ ! -e ${EROOT}/bin/awk ]] && ln -s "../usr/bin/gawk" "${EROOT}/bin/awk"
+	fi
+}
+
+pkg_postrm() {
+	if has_version app-admin/eselect \
+			&& has_version app-eselect/eselect-awk ; then
+		eselect awk update ifunset
+	fi
+}

diff --git a/sys-apps/gawk/metadata.xml b/sys-apps/gawk/metadata.xml
index 3fa1f988999..58cec04bdcb 100644
--- a/sys-apps/gawk/metadata.xml
+++ b/sys-apps/gawk/metadata.xml
@@ -6,6 +6,7 @@
 	<name>Gentoo Base System</name>
 </maintainer>
 <use>
+	<flag name="forced-sandbox">Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands)</flag>
 	<flag name="mpfr">use mpfr for high precision arithmetic (-M / --bignum)</flag>
 </use>
 </pkgmetadata>