From: "Mike Frysinger"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger"
Message-ID: <1635037985.288877d0e268087dacb4b593202e28f86b6d31d4.vapier@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/sandbox/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/sandbox/Manifest sys-apps/sandbox/metadata.xml sys-apps/sandbox/sandbox-2.27.ebuild
X-VCS-Directories: sys-apps/sandbox/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 288877d0e268087dacb4b593202e28f86b6d31d4
X-VCS-Branch: master
Date: Sun, 24 Oct 2021 01:13:40 +0000 (UTC)

commit:     288877d0e268087dacb4b593202e28f86b6d31d4
Author:     Mike Frysinger gentoo org>
AuthorDate: Sun Oct 24 01:12:13 2021 +0000
Commit:     Mike Frysinger gentoo org>
CommitDate: Sun Oct 24 01:13:05 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288877d0

sys-apps/sandbox: version bump to 2.27

Add USE=nnp flag to control new NO_NEW_PRIVS behavior. In case things
go horribly wrong, can easily flip the flag off to keep from blowing
everyone up.

Bug: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger gentoo.org>

 sys-apps/sandbox/Manifest            |  1 +
 sys-apps/sandbox/metadata.xml        |  3 ++
 sys-apps/sandbox/sandbox-2.27.ebuild | 64 ++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)

diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest index 121fc4437e1..744bc206cac 100644 --- a/sys-apps/sandbox/Manifest +++ b/sys-apps/sandbox/Manifest 
@@ -1,3 +1,4 @@ DIST sandbox-2.24.tar.xz 438408 BLAKE2B 5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843 SHA512 8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0 DIST sandbox-2.25.tar.xz 436004 BLAKE2B c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c SHA512 4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d DIST sandbox-2.26.tar.xz 444412 BLAKE2B 3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161 SHA512 f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa +DIST sandbox-2.27.tar.xz 448948 BLAKE2B 03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104 SHA512 2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7 diff --git a/sys-apps/sandbox/metadata.xml b/sys-apps/sandbox/metadata.xml index e270f4674f6..11e084f7c9b 100644 --- a/sys-apps/sandbox/metadata.xml +++ b/sys-apps/sandbox/metadata.xml @@ -5,4 +5,7 @@ sandbox@gentoo.org Sandbox Maintainers + + Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo) + diff --git a/sys-apps/sandbox/sandbox-2.27.ebuild b/sys-apps/sandbox/sandbox-2.27.ebuild new file mode 100644 index 00000000000..ed70783105b --- /dev/null +++ b/sys-apps/sandbox/sandbox-2.27.ebuild 
@@ -0,0 +1,64 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit flag-o-matic multilib-minimal multiprocessing + +DESCRIPTION="sandbox'd LD_PRELOAD hack" +HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox" +SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="+nnp" + +DEPEND="app-arch/xz-utils + >=app-misc/pax-utils-0.1.19" #265376 +RDEPEND="" + +has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice" + +sandbox_death_notice() { + ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" + ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" +} + +src_prepare() { + default + + if ! use nnp ; then + sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die + fi + + # sandbox uses `__asm__ (".symver "...` which does + # not play well with gcc's LTO: https://gcc.gnu.org/PR48200 + append-flags -fno-lto + append-ldflags -fno-lto +} + +multilib_src_configure() { + filter-lfs-flags #90228 + + ECONF_SOURCE="${S}" econf +} + +multilib_src_test() { + # Default sandbox build will run with --jobs set to # cpus. + # -j1 to prevent test faiures caused by file descriptor + # injection GNU make does. + emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" +} + +multilib_src_install_all() { + doenvd "${FILESDIR}"/09sandbox + + dodoc AUTHORS ChangeLog* README.md +} + +pkg_postinst() { + mkdir -p "${EROOT}"/var/log/sandbox + chown root:portage "${EROOT}"/var/log/sandbox + chmod 0770 "${EROOT}"/var/log/sandbox +}
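
Review bot: in the metadata.xml hunk, the nnp description explains what NO_NEW_PRIVS blocks but not that the flag is enabled by default (the ebuild sets IUSE="+nnp") or that turning it off is the intended fallback described in the commit message. Suggest extending the text along the lines of "Enabled by default; disable only if something run under sandbox must gain privileges through a set*id program (e.g. sudo)", so a user hitting that failure can connect it to this flag.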
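
Review bot: in src_prepare of sandbox-2.27.ebuild, `sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die` only dies when sed itself errors, not when the pattern matches nothing. If a later release renames the symbol or moves the call out of src/sandbox.c, USE=-nnp would leave the source unchanged and the flag would silently stop doing what its description says. Suggest checking first with something like `grep -q PR_SET_NO_NEW_PRIVS src/sandbox.c || die "nnp hack needs updating"`, and adding a one-line comment on why renaming the macro disables the feature, since that depends on how src/sandbox.c tests for it and is not visible in this patch. Separately, the mkdir, chown and chmod calls in pkg_postinst carry no `|| die`, so a failure to apply root:portage and 0770 to /var/log/sandbox would go unreported.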