From: "Mike Frysinger"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger"
Message-ID: <1520274738.61acdcd13e97339d20c3058a211ee5599831748d.vapier@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/sed/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/sed/metadata.xml sys-apps/sed/sed-4.4-r1.ebuild
X-VCS-Directories: sys-apps/sed/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 61acdcd13e97339d20c3058a211ee5599831748d
X-VCS-Branch: master
Date: Mon, 5 Mar 2018 18:37:30 +0000 (UTC)

commit:     61acdcd13e97339d20c3058a211ee5599831748d
Author:     Mike Frysinger chromium org>
AuthorDate: Mon Mar 5 18:28:50 2018 +0000
Commit:     Mike Frysinger gentoo org>
CommitDate: Mon Mar 5 18:32:18 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61acdcd1

sys-apps/sed: add USE=forced-sandbox to always enable --sandbox

For building locked down systems, it's nice to be able to force all awk scripts into a sane/secure mode.

 sys-apps/sed/metadata.xml | 3 ++
 sys-apps/sed/sed-4.4-r1.ebuild | 66 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

diff --git a/sys-apps/sed/metadata.xml b/sys-apps/sed/metadata.xml index b738f8c54a0..ea2a7bdbf75 100644 --- a/sys-apps/sed/metadata.xml +++ b/sys-apps/sed/metadata.xml @@ -8,4 +8,7 @@ sed + + Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands) + diff --git a/sys-apps/sed/sed-4.4-r1.ebuild b/sys-apps/sed/sed-4.4-r1.ebuild new file mode 100644 index 00000000000..26c3858da53 --- /dev/null +++ b/sys-apps/sed/sed-4.4-r1.ebuild 
@@ -0,0 +1,66 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils flag-o-matic toolchain-funcs + +DESCRIPTION="Super-useful stream editor" +HOMEPAGE="http://sed.sourceforge.net/" +SRC_URI="mirror://gnu/sed/${P}.tar.xz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd" +IUSE="acl forced-sandbox nls selinux static" + +RDEPEND="acl? ( virtual/acl ) + nls? ( virtual/libintl ) + selinux? ( sys-libs/libselinux )" +DEPEND="${RDEPEND} + nls? ( sys-devel/gettext )" + +src_bootstrap_sed() { + # make sure system-sed works #40786 + export NO_SYS_SED="" + if ! type -p sed > /dev/null ; then + NO_SYS_SED="!!!" + ./bootstrap.sh || die "couldnt bootstrap" + cp sed/sed "${T}"/ || die "couldnt copy" + export PATH="${PATH}:${T}" + emake clean + fi +} + +src_prepare() { + # Don't use sed before bootstrap if we have to recover a broken host sed. + src_bootstrap_sed + + if use forced-sandbox ; then + # Upstream doesn't want to add a configure flag for this. + # https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html + sed -i \ + -e '/^bool sandbox = false;/s:false:true:' \ + sed/sed.c || die + # Make sure the sed took. + grep -q '^bool sandbox = true;' sed/sed.c || die "forcing sandbox failed" + fi +} + +src_configure() { + local myconf=() + if use userland_GNU; then + myconf+=( --exec-prefix="${EPREFIX}" ) + else + myconf+=( --program-prefix=g ) + fi + + export ac_cv_search_setfilecon=$(usex selinux -lselinux) + export ac_cv_header_selinux_{context,selinux}_h=$(usex selinux) + use static && append-ldflags -static + myconf+=( + $(use_enable acl) + $(use_enable nls) + ) + econf "${myconf[@]}" +}
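
Review bot: the flag description added in the metadata.xml hunk ("Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands)") does not say that the ebuild changes the compiled-in default, so every sed invocation on the system is affected, including existing scripts and builds that rely on the e, r or w commands. Suggest saying so in the description, so that someone enabling the flag on a locked-down system knows to expect those scripts to fail rather than silently run with reduced behaviour.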
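
Review bot: in src_prepare of sed-4.4-r1.ebuild, the forced-sandbox branch only verifies that the source line was rewritten (grep -q '^bool sandbox = true;' sed/sed.c); nothing checks that the binary that gets built actually rejects the e/r/w commands when run without --sandbox. Because the flag exists to lock systems down, a check against the compiled sed (for example in src_test, running a script that uses the w command and requiring a non-zero exit) would catch the case where a later version keeps this line but changes how the variable is used. The substitution is also tied to the exact upstream text 'bool sandbox = false;', so a short comment noting that it must be rechecked on each version bump would help whoever copies this ebuild forward.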