From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/
Date: Sun, 24 Oct 2021 01:13:40 +0000 (UTC)
Message-ID: <1635037985.288877d0e268087dacb4b593202e28f86b6d31d4.vapier@gentoo>
commit: 288877d0e268087dacb4b593202e28f86b6d31d4
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 24 01:12:13 2021 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Oct 24 01:13:05 2021 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288877d0
sys-apps/sandbox: version bump to 2.27
Add USE=nnp flag to control new NO_NEW_PRIVS behavior. In case things
go horribly wrong, can easily flip the flag off to keep from blowing
everyone up.
Bug: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
sys-apps/sandbox/Manifest | 1 +
sys-apps/sandbox/metadata.xml | 3 ++
sys-apps/sandbox/sandbox-2.27.ebuild | 64 ++++++++++++++++++++++++++++++++++++
3 files changed, 68 insertions(+)
diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 121fc4437e1..744bc206cac 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -1,3 +1,4 @@
DIST sandbox-2.24.tar.xz 438408 BLAKE2B 5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843 SHA512 8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0
DIST sandbox-2.25.tar.xz 436004 BLAKE2B c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c SHA512 4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d
DIST sandbox-2.26.tar.xz 444412 BLAKE2B 3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161 SHA512 f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa
+DIST sandbox-2.27.tar.xz 448948 BLAKE2B 03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104 SHA512 2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7
diff --git a/sys-apps/sandbox/metadata.xml b/sys-apps/sandbox/metadata.xml
index e270f4674f6..11e084f7c9b 100644
--- a/sys-apps/sandbox/metadata.xml
+++ b/sys-apps/sandbox/metadata.xml
@@ -5,4 +5,7 @@
<email>sandbox@gentoo.org</email>
<name>Sandbox Maintainers</name>
</maintainer>
+<use>
+ <flag name="nnp">Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo)</flag>
+</use>
</pkgmetadata>
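Review bot: The nnp flag description names only set*id programs and sudo, and does not tell the reader that the flag is enabled by default (IUSE="+nnp" in the new ebuild) or that the restriction applies to whatever is run under sandbox. Suggest wording it from the user's side: programs run inside the sandbox can no longer gain privileges through set*id binaries such as sudo, and building with USE=-nnp restores the previous behaviour.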
diff --git a/sys-apps/sandbox/sandbox-2.27.ebuild b/sys-apps/sandbox/sandbox-2.27.ebuild
new file mode 100644
index 00000000000..ed70783105b
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.27.ebuild
@@ -0,0 +1,64 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic multilib-minimal multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
+SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="+nnp"
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+ default
+
+ if ! use nnp ; then
+ sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
+ fi
+
+ # sandbox uses `__asm__ (".symver "...` which does
+ # not play well with gcc's LTO: https://gcc.gnu.org/PR48200
+ append-flags -fno-lto
+ append-ldflags -fno-lto
+}
+
+multilib_src_configure() {
+ filter-lfs-flags #90228
+
+ ECONF_SOURCE="${S}" econf
+}
+
+multilib_src_test() {
+ # Default sandbox build will run with --jobs set to # cpus.
+ # -j1 to prevent test faiures caused by file descriptor
+ # injection GNU make does.
+ emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+ doenvd "${FILESDIR}"/09sandbox
+
+ dodoc AUTHORS ChangeLog* README.md
+}
+
+pkg_postinst() {
+ mkdir -p "${EROOT}"/var/log/sandbox
+ chown root:portage "${EROOT}"/var/log/sandbox
+ chmod 0770 "${EROOT}"/var/log/sandbox
+}
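Review bot: In src_prepare, the `|| die` on the sed for USE=-nnp only catches I/O errors. sed exits 0 when `PR_SET_NO_NEW_PRIVS` is not found in src/sandbox.c, so if a later release moves or renames that code, the flag would silently stop disabling anything and users who flipped it off would still get NO_NEW_PRIVS. Suggest asserting the match before the substitution, e.g. `grep -q PR_SET_NO_NEW_PRIVS src/sandbox.c || die`, and adding a comment explaining why renaming the identifier to ___disable_nnp_hack turns the feature off, since that depends on how sandbox.c tests for the macro. Minor: "faiures" in the multilib_src_test comment should be "failures".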