[gentoo-commits] repo/gentoo:master commit in: sys-apps/sed/

["Mike Frysinger" <vapier@gentoo.org>]

commit:     61acdcd13e97339d20c3058a211ee5599831748d
Author:     Mike Frysinger <vapier <AT> chromium <DOT> org>
AuthorDate: Mon Mar  5 18:28:50 2018 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Mar  5 18:32:18 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61acdcd1

sys-apps/sed: add USE=forced-sandbox to always enable --sandbox

For building locked down systems, it's nice to be able to force all
awk scripts into a sane/secure mode.

 sys-apps/sed/metadata.xml      |  3 ++
 sys-apps/sed/sed-4.4-r1.ebuild | 66 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

diff --git a/sys-apps/sed/metadata.xml b/sys-apps/sed/metadata.xml
index b738f8c54a0..ea2a7bdbf75 100644
--- a/sys-apps/sed/metadata.xml
+++ b/sys-apps/sed/metadata.xml
@@ -8,4 +8,7 @@
 <upstream>
 	<remote-id type="sourceforge">sed</remote-id>
 </upstream>
+<use>
+	<flag name="forced-sandbox">Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands)</flag>
+</use>
 </pkgmetadata>

diff --git a/sys-apps/sed/sed-4.4-r1.ebuild b/sys-apps/sed/sed-4.4-r1.ebuild
new file mode 100644
index 00000000000..26c3858da53
--- /dev/null
+++ b/sys-apps/sed/sed-4.4-r1.ebuild
@@ -0,0 +1,66 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Super-useful stream editor"
+HOMEPAGE="http://sed.sourceforge.net/"
+SRC_URI="mirror://gnu/sed/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="acl forced-sandbox nls selinux static"
+
+RDEPEND="acl? ( virtual/acl )
+	nls? ( virtual/libintl )
+	selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+	nls? ( sys-devel/gettext )"
+
+src_bootstrap_sed() {
+	# make sure system-sed works #40786
+	export NO_SYS_SED=""
+	if ! type -p sed > /dev/null ; then
+		NO_SYS_SED="!!!"
+		./bootstrap.sh || die "couldnt bootstrap"
+		cp sed/sed "${T}"/ || die "couldnt copy"
+		export PATH="${PATH}:${T}"
+		emake clean
+	fi
+}
+
+src_prepare() {
+	# Don't use sed before bootstrap if we have to recover a broken host sed.
+	src_bootstrap_sed
+
+	if use forced-sandbox ; then
+		# Upstream doesn't want to add a configure flag for this.
+		# https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html
+		sed -i \
+			-e '/^bool sandbox = false;/s:false:true:' \
+			sed/sed.c || die
+		# Make sure the sed took.
+		grep -q '^bool sandbox = true;' sed/sed.c || die "forcing sandbox failed"
+	fi
+}
+
+src_configure() {
+	local myconf=()
+	if use userland_GNU; then
+		myconf+=( --exec-prefix="${EPREFIX}" )
+	else
+		myconf+=( --program-prefix=g )
+	fi
+
+	export ac_cv_search_setfilecon=$(usex selinux -lselinux)
+	export ac_cv_header_selinux_{context,selinux}_h=$(usex selinux)
+	use static && append-ldflags -static
+	myconf+=(
+		$(use_enable acl)
+		$(use_enable nls)
+	)
+	econf "${myconf[@]}"
+}