* [gentoo-dev] experimental portage patch
@ 2003-07-11 14:50 Ned Ludd
From: Ned Ludd @ 2003-07-11 14:50 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 995 bytes --]
This patch updates the copyright, adds support for LDFLAGS,ASFLAGS and
two new FEATURES.
1) antivirus
* this feature adds hooks to do virus scanning
** before unpacking
** after compiling
- To take advantage of this feature you need to set 3 things in your
make.conf
FEATURES="${FEATURES} antivirus"
# only really tested with f-prot
AVS_SCANNER=/opt/f-prot/f-prot
AVS_OPTS="-archive -dumb -ai -old"
# little to no testing done with clam
#AVS_SCANNER=/usr/bin/clamscan
#AVS_OPTS="--stdout --tgz=/bin/tar --tar=/bin/tar --unzip=/usr/bin/unzip
--disable-summary"
2) hardened
* this feature removes group and other readable bits when installing
setuid files
* this feature removes other readable bits when installing setgid files
* this feature could do a lot more depending on the type of feedback I
get.
- To take advantage of this feature you need to set 1 thing in your
make.conf
FEATURES="${FEATURES} hardened"
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)
[-- Attachment #2: Type: text/x-patch, Size: 3227 bytes --]
Index: ebuild.sh
===================================================================
RCS file: /home/cvsroot/gentoo-src/portage/bin/ebuild.sh,v
retrieving revision 1.133
diff -u -b -B -r1.133 ebuild.sh
--- ebuild.sh 2 Jul 2003 03:23:36 -0000 1.133
+++ ebuild.sh 11 Jul 2003 06:39:41 -0000
@@ -252,11 +252,39 @@
}
+# the antivirus feature should be disabled by default except when
+# overridden in the relevant stages
+
+antivirus_scan() {
+ local buf
+ local ret
+ local x
+
+ x=$1
+ ret=1
+
+ ebegin ">>> Virus Scanning ${x} "
+ if [ -x "${AVS_SCANNER}" ]; then
+ # this assumes the syntax of "execfile options file/dir"
+ buf=$(${AVS_SCANNER} ${AVS_OPTS} ${x})
+ ret=$?
+ [ ${ret} != 0 ] && myfail="something here "
+ else
+ myfail="No usable AVS_SCANNER found: ${AVS_SCANNER}"
+ fi
+ eend $ret
+ if [ "${myfail}" != "" ] ; then
+ echo "${buf}"
+ die "${myfail}"
+ fi
+}
+
unpack() {
local x
local y
local myfail
local tarvars
+ local vscan
if [ "$USERLAND" == "BSD" ]; then
tarvars=""
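Review bot: `myfail` is assigned inside antivirus_scan without a `local` declaration and is never reset on entry, so a stale value left by the caller makes the final `[ "${myfail}" != "" ]` check `die` even when the scanner returned 0; in unpack's loop in the next hunk, `myfail="failure unpacking ${x}"` is set after the first source is scanned and is still set when the second source is scanned, unless code in the loop body outside the hunk clears it. Add `local myfail` next to the other locals and `myfail=""` beside `ret=1`. The placeholder `myfail="something here "` also reaches the user through `die`; `myfail="${AVS_SCANNER} returned ${ret} scanning ${x}"` says what actually failed. `${x}` should be quoted in the scanner invocation, `buf=$(${AVS_SCANNER} ${AVS_OPTS} "${x}")`, so a path containing whitespace is passed as one argument.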
@@ -264,7 +292,12 @@
tarvars="--no-same-owner"
fi
+ vscan=`has antivirus $FEATURES`
+
for x in "$@"; do
+ if [ "${vscan}" != "" ]; then
+ antivirus_scan $(pwd)/${x}
+ fi
myfail="failure unpacking ${x}"
echo ">>> Unpacking ${x} to $(pwd)"
y="$(echo $x | sed 's:.*\.\(tar\)\.[a-zA-Z0-9]*:\1:')"
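Review bot: `antivirus_scan $(pwd)/${x}` passes the path unquoted, so a working directory or source file name containing whitespace is split into several arguments and only the first fragment is scanned; write `antivirus_scan "$(pwd)/${x}"`. The same applies to `antivirus_scan ${D}/` in the dyn_install hunk further down. The feature test `vscan=`has antivirus $FEATURES`` compared against "" differs from the idiom this file already uses in dyn_compile, `if has noauto $FEATURES &>/dev/null; then`; using `if has antivirus $FEATURES &>/dev/null; then` here and at the two later checks in dyn_install (the `${D}/` scan and the hardened block) drops the backticks and the `vscan` temporary. The unpack loop body continues past the end of this hunk.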
@@ -645,7 +678,7 @@
dyn_compile() {
trap "abort_compile" SIGINT SIGQUIT
- export CFLAGS CXXFLAGS LIBCFLAGS LIBCXXFLAGS
+ export CFLAGS CXXFLAGS LIBCFLAGS LIBCXXFLAGS LDFLAGS ASFLAGS
if has noauto $FEATURES &>/dev/null && [ ! -f ${BUILDDIR}/.unpacked ]; then
echo
echo "!!! We apparently haven't unpacked... This is probably not what you"
@@ -708,6 +741,12 @@
echo "$RDEPEND" > RDEPEND
echo "$SLOT" > SLOT
echo "$USE" > USE
+
+ # To keep the bugs down only use such flags when absolutely
+ # neccessary.
+ [ -n "${LDFLAGS}" ] && echo "${LDFLAGS}" > LDFLAGS
+ [ -n "${ASFLAGS}" ] && echo "${ASFLAGS}" > ASFLAGS
+
set | bzip2 -9 - > environment.bzip2
cp ${EBUILD} ${PF}.ebuild
if has nostrip $FEATURES $RESTRICT; then
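Review bot: The new comment reads `# neccessary.`; the spelling is `necessary`. Writing the flag files with `echo "${LDFLAGS}" > LDFLAGS` matches the neighbouring `echo "$USE" > USE` lines, which is consistent, but a value beginning with `-n` or `-e` is taken by bash's echo as an option; `printf '%s\n' "${LDFLAGS}" > LDFLAGS` records it verbatim.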
@@ -755,6 +794,10 @@
prepall
cd ${D}
+ if [ "`has antivirus $FEATURES`" != "" ]; then
+ # scan the whole directory
+ antivirus_scan ${D}/
+ fi
declare -i UNSAFE=0
for i in $(find ${D}/ -type f -perm -2002); do
UNSAFE=$(($UNSAFE + 1))
@@ -775,6 +818,23 @@
else
find ${D}/ -group portage -print0 | $XARGS -0 -n100 chgrp root
fi
+ if [ "`has hardened $FEATURES`" != "" ]; then
+ for i in $(find ${D}/ -type f -perm -4000); do
+ ebegin ">>> SetUID: [chmod go-r] $i "
+ chmod go-r $i
+ eend $?
+ done
+ for i in $(find ${D}/ -type f -perm -2000); do
+ ebegin ">>> SetGID: [chmod o-r] $i "
+ chmod o-r $i
+ eend $?
+ done
+ # we could hook right in here and display suidperms or keep
+ # ourselfs a db. -solar
+ #suids=`find ${D}/ -type f \( -perm -4000 -o -perm -2000 \)`
+ #ls -ldh ${suids}
+ #md5sum ${suids}
+ fi
echo ">>> Completed installing into ${D}"
echo
cd ${BUILDDIR}
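Review bot: `for i in $(find ${D}/ -type f -perm -4000)` splits find's output on whitespace, so a setuid file whose path contains a space is never handed intact to `chmod go-r`; only the per-file `eend $?` line reports the failed chmod, the merge continues, and the file is installed with its read bits unchanged, and the same holds for the `-perm -2000` loop below it. The line just above this block already shows the robust form, `find ${D}/ -group portage -print0 | $XARGS -0 -n100 chgrp root`, so `find ${D}/ -type f -perm -4000 -print0 | $XARGS -0 chmod go-r` and the `-perm -2000` / `chmod o-r` counterpart handle any file name. If a failed chmod should stop the merge rather than only print a status, append `|| die "chmod failed"`, the way antivirus_scan dies on a failed scan. The pre-existing `for i in $(find ${D}/ -type f -perm -2002)` loop in the previous hunk uses the same pattern, so this follows local precedent rather than introducing it.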
@@ -822,7 +882,7 @@
dyn_help() {
echo
echo "Portage"
- echo "Copyright 2002 Gentoo Technologies, Inc."
+ echo "Copyright 1999-2003 Gentoo Technologies, Inc."
echo
echo "How to use the ebuild command:"
echo
[-- Attachment #3: Type: text/plain, Size: 37 bytes --]
--
gentoo-dev@gentoo.org mailing list