public inbox for gentoo-commits@lists.gentoo.org
From: "Joonas Niilola" <juippis@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/firejail/, sys-apps/firejail/files/
Date: Wed, 15 Jun 2022 05:47:53 +0000 (UTC)
Message-ID: <1655272069.cc196a524bd19f0f9e5960c0fb4744347f0fd3af.juippis@gentoo>

commit:     cc196a524bd19f0f9e5960c0fb4744347f0fd3af
Author:     Hank Leininger <hlein <AT> korelogic <DOT> com>
AuthorDate: Thu Jun  9 22:01:22 2022 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Wed Jun 15 05:47:49 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc196a52

sys-apps/firejail: bump to 0.9.70 for security fixes; cleanup

Fix for CVE-2022-31214. Drop old version & un-tended-to live ebuild.

Signed-off-by: Hank Leininger <hlein <AT> korelogic.com>
Bug: https://bugs.gentoo.org/850748
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Closes: https://github.com/gentoo/gentoo/pull/25840
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 sys-apps/firejail/Manifest                         |  1 +
 .../firejail/files/firejail-0.9.70-envlimits.patch | 12 +++
 .../files/firejail-0.9.70-firecfg.config.patch     | 82 ++++++++++++++++++
 ...rejail-0.9.68.ebuild => firejail-0.9.70.ebuild} |  6 +-
 sys-apps/firejail/firejail-9999.ebuild             | 99 ----------------------
 sys-apps/firejail/metadata.xml                     |  1 -
 6 files changed, 98 insertions(+), 103 deletions(-)

diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest
index ae81ea9d7be4..93c7782e051e 100644
--- a/sys-apps/firejail/Manifest
+++ b/sys-apps/firejail/Manifest
@@ -1 +1,2 @@
 DIST firejail-0.9.68.tar.xz 477332 BLAKE2B 4d995715caa81b69bb9a16f604a2463b2db48fad5ba869bb5f353973ce8ec273dbabe07ee340b40094d6fe15bcef7e356cd07e7e7dfd0491d2d1632f64878a0e SHA512 8c03c145bb91fe696407052968bd1069defc44d274bd74d33fccebb28324121d259973fccc1d1cdc38fb2902bb842e921adc9440596a92a4aa13c4e06963e354
+DIST firejail-0.9.70.tar.xz 485096 BLAKE2B d5164ba5ee08e80415a84999e4152f1f9c897f50def669731098126cec117aed3cf4b21603aeb13ccbdb1bffa9d48de69dcb19fe7135691e891b9b83f48a5ca1 SHA512 a790ccb711da6c3e52677011d7eb38c482ffb5066498d4586018671ab4ee533e02edb31fda872e0647fd27c00014b04305eafcb56f1f1b07f470aa4fb701cbe5
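Review bot: the DIST firejail-0.9.68.tar.xz line is kept although the 0.9.68 ebuild is renamed away in this same commit, so the Manifest now carries a distfile that no ebuild in the tree references. Drop that line (or regenerate the Manifest) so the "drop old version" part of the commit message also holds for the Manifest.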

diff --git a/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch b/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch
new file mode 100644
index 000000000000..d99db424c052
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.70-envlimits.patch
@@ -0,0 +1,12 @@
+diff -urP firejail-0.9.70.orig/src/firejail/firejail.h firejail-0.9.70/src/firejail/firejail.h
+--- firejail-0.9.70.orig/src/firejail/firejail.h	2022-06-08 07:42:50.000000000 -0600
++++ firejail-0.9.70/src/firejail/firejail.h	2022-06-09 13:06:04.094034022 -0600
+@@ -706,7 +706,7 @@
+ int check_kernel_procs(void);
+ void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
+ 
+-#define MAX_ENVS 256			// some sane maximum number of environment variables
++#define MAX_ENVS 2048			// some sane maximum number of environment variables
+ #define MAX_ENV_LEN (PATH_MAX + 32)	// FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps
+ // env.c
+ typedef enum {
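Review bot: the patch file carries no explanation of why MAX_ENVS goes from 256 to 2048, and the `// some sane maximum number of environment variables` comment is copied over unchanged, so a reader of files/ cannot tell that this is the Gentoo-specific workaround for the "too many environment variables" failure mentioned in the firecfg.config patch. Add a header paragraph above the `diff -urP` line with the rationale, the bug URL from the commit message (https://bugs.gentoo.org/850748) and whether it has been proposed upstream. MAX_ENV_LEN is untouched, so the per-variable length bound still applies; only the variable count is raised.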

diff --git a/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch b/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch
new file mode 100644
index 000000000000..ff751b9dc684
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.70-firecfg.config.patch
@@ -0,0 +1,82 @@
+diff -urP firejail-0.9.70.orig/src/firecfg/firecfg.config firejail-0.9.70/src/firecfg/firecfg.config
+--- firejail-0.9.70.orig/src/firecfg/firecfg.config	2022-06-08 07:42:50.000000000 -0600
++++ firejail-0.9.70/src/firecfg/firecfg.config	2022-06-09 13:06:38.646038407 -0600
+@@ -213,7 +213,8 @@
+ electron-mail
+ electrum
+ element-desktop
+-elinks
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#elinks
+ empathy
+ enchant
+ enchant-2
+@@ -259,7 +260,8 @@
+ flameshot
+ flashpeak-slimjet
+ flowblade
+-fontforge
++# Breaks emerge/portage on Gentoo
++#fontforge
+ font-manager
+ fossamail
+ four-in-a-row
+@@ -490,11 +492,16 @@
+ luminance-hdr
+ lximage-qt
+ lxmusic
+-lynx
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#lynx
+ lyx
+ macrofusion
+ magicor
+-man
++# Breaks: $ man chromium-browser
++# WARNING: terminal is not fully functional
++# Press RETURN to continue 
++# Manual page chromium-browser(1) byte 0/0 (END) (press h for help or q to quit)
++#man
+ manaplus
+ marker
+ masterpdfeditor
+@@ -571,7 +578,8 @@
+ musictube
+ musixmatch
+ mutool
+-mutt
++# Breaks when configs are under ~/.mutt/
++#mutt
+ mypaint
+ mypaint-ora-thumbnailer
+ natron
+@@ -635,7 +643,8 @@
+ palemoon
+ #pandoc
+ parole
+-patch
++# Breaks emerge/portage on Gentoo: 'too many environment variables', path issues
++#patch
+ pavucontrol
+ pavucontrol-qt
+ pcsxr
+@@ -761,7 +770,8 @@
+ stellarium
+ strawberry
+ straw-viewer
+-strings
++# Breaks emerge/portage on Gentoo
++#strings
+ studio.sh
+ subdownloader
+ supertux2
+@@ -880,7 +890,8 @@
+ weechat
+ weechat-curses
+ wesnoth
+-wget
++# Breaks emerge/portage on Gentoo: 'too many environment variables', path issues
++#wget
+ wget2
+ whalebird
+ whois
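Review bot: commenting these entries out of firecfg.config means `firecfg` will no longer create the sandboxing symlinks for elinks, fontforge, lynx, man, mutt, patch, strings and wget, so users relying on the default firecfg setup lose the sandbox for those programs; the commit message should state that trade-off rather than only "cleanup". Several of the inline reasons ("too many environment variables") describe the same limit that the envlimits patch raises to 2048, so record which entries are still broken with that patch applied, otherwise nobody can tell later which of the two workarounds is still needed. Also drop the trailing space on the `# Press RETURN to continue ` line.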

diff --git a/sys-apps/firejail/firejail-0.9.68.ebuild b/sys-apps/firejail/firejail-0.9.70.ebuild
similarity index 96%
rename from sys-apps/firejail/firejail-0.9.68.ebuild
rename to sys-apps/firejail/firejail-0.9.70.ebuild
index 50077c0d2db7..5c5a610f1024 100644
--- a/sys-apps/firejail/firejail-0.9.68.ebuild
+++ b/sys-apps/firejail/firejail-0.9.70.ebuild
@@ -9,7 +9,7 @@ inherit toolchain-funcs python-single-r1 linux-info
 
 if [[ ${PV} != 9999 ]]; then
 	SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
-	KEYWORDS="amd64 ~arm ~arm64 ~x86"
+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
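Review bot: KEYWORDS goes from `amd64` to `~amd64` while the only ebuild carrying the stable keyword (0.9.68) is renamed away in the same commit, so stable amd64 users are left with no sys-apps/firejail ebuild in the tree and no packaged fix for CVE-2022-31214 until a separate stabilization lands. For a security bump, either keep the stable keyword after testing on a stable system or file the stabilization request immediately and reference it in the commit message.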
@@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/"
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X"
+IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns X"
 # Needs a lot of work to function within sandbox/portage
 # bug #769731
 RESTRICT="test"
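Review bot: the `whitelist` USE flag is removed from IUSE here (and `$(use_enable whitelist)` from src_configure, and the flag from metadata.xml), but neither the commit message nor the ebuild says why. If 0.9.70 dropped the `--disable-whitelist` configure switch, say so in the commit message, since users with `whitelist` in package.use will now see it reported as an unknown flag.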
@@ -39,6 +39,7 @@ REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
 
 PATCHES=(
 	"${FILESDIR}/${P}-envlimits.patch"
+	"${FILESDIR}/${P}-firecfg.config.patch"
 	)
 
 pkg_setup() {
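Review bot: with the ebuild renamed, `${P}-envlimits.patch` now resolves to firejail-0.9.70-envlimits.patch, yet the diffstat shows no removal of the firejail-0.9.68-envlimits.patch that the old ebuild used, so files/ keeps an orphaned patch. Delete it in this commit, or state in the commit message that it is intentionally retained.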
@@ -81,7 +82,6 @@ src_configure() {
 		$(use_enable network) \
 		$(use_enable private-home) \
 		$(use_enable userns) \
-		$(use_enable whitelist) \
 		$(use_enable X x11)
 
 	cat > 99firejail <<-EOF || die

diff --git a/sys-apps/firejail/firejail-9999.ebuild b/sys-apps/firejail/firejail-9999.ebuild
deleted file mode 100644
index 440d20af51ec..000000000000
--- a/sys-apps/firejail/firejail-9999.ebuild
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-PYTHON_COMPAT=( python3_{8..10} )
-
-inherit toolchain-funcs python-single-r1 linux-info
-
-if [[ ${PV} != 9999 ]]; then
-	SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
-	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
-else
-	inherit git-r3
-	EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
-	EGIT_BRANCH="master"
-fi
-
-DESCRIPTION="Security sandbox for any type of processes"
-HOMEPAGE="https://firejail.wordpress.com/"
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X"
-# Needs a lot of work to function within sandbox/portage
-# bug #769731
-RESTRICT="test"
-
-RDEPEND="!sys-apps/firejail-lts
-	apparmor? ( sys-libs/libapparmor )
-	contrib? ( ${PYTHON_DEPS} )
-	dbusproxy? ( sys-apps/xdg-dbus-proxy )"
-
-DEPEND="${RDEPEND}
-	sys-libs/libseccomp
-	test? ( dev-tcltk/expect )"
-
-REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
-
-pkg_setup() {
-	CONFIG_CHECK="~SQUASHFS"
-	local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode"
-	check_extra_config
-	use contrib && python-single-r1_pkg_setup
-}
-
-src_prepare() {
-	default
-
-	find -type f -name Makefile.in -exec sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' {} + || die
-
-	sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' ./src/common.mk.in || die
-
-	# fix up hardcoded paths to templates and docs
-	local files=$(grep -E -l -r '/usr/share/doc/firejail([^-]|$)' ./RELNOTES ./src/man/ ./etc/profile*/ ./test/ || die)
-	for file in ${files[@]} ; do
-		sed -i -r -e "s:/usr/share/doc/firejail([^-]|\$):/usr/share/doc/${PF}\1:" "${file}" || die
-	done
-
-	# remove compression of man pages
-	sed -i -r -e '/rm -f \$\$man.gz; \\/d; /gzip -9n \$\$man; \\/d; s|\*\.([[:digit:]])\) install -m 0644 \$\$man\.gz|\*\.\1\) install -m 0644 \$\$man|g' Makefile.in || die
-
-	if use contrib; then
-		python_fix_shebang -f contrib/*.py
-	fi
-}
-
-src_configure() {
-	econf \
-		--disable-firetunnel \
-		--enable-suid \
-		$(use_enable apparmor) \
-		$(use_enable chroot) \
-		$(use_enable dbusproxy) \
-		$(use_enable file-transfer) \
-		$(use_enable globalcfg) \
-		$(use_enable network) \
-		$(use_enable private-home) \
-		$(use_enable userns) \
-		$(use_enable whitelist) \
-		$(use_enable X x11)
-}
-
-src_compile() {
-	emake CC="$(tc-getCC)"
-}
-
-src_install() {
-	default
-
-	rm "${ED}"/usr/share/doc/${PF}/COPYING || die
-
-	if use contrib; then
-		python_scriptinto /usr/$(get_libdir)/firejail
-		python_doscript contrib/*.py
-		insinto /usr/$(get_libdir)/firejail
-		dobin contrib/*.sh
-	fi
-}
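Review bot: deleting the live ebuild leaves the `if [[ ${PV} != 9999 ]] ... else inherit git-r3 ... fi` branch in firejail-0.9.70.ebuild as dead code; simplify it to the plain SRC_URI/KEYWORDS form in a follow-up so it is not read as a still-supported live build.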

diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml
index ea3a52f878b9..91bf2e4aa95b 100644
--- a/sys-apps/firejail/metadata.xml
+++ b/sys-apps/firejail/metadata.xml
@@ -31,7 +31,6 @@
 		<flag name="network">Enable networking features</flag>
 		<flag name="private-home">Enable private home feature</flag>
 		<flag name="userns">Enable attaching a new user namespace to a sandbox (--noroot option)</flag>
-		<flag name="whitelist">Enable whitelist</flag>
 		<flag name="X">Enable X11 sandboxing</flag>
 	</use>
 </pkgmetadata>

