* [gentoo-dev] experimental portage patch
@ 2003-07-11 14:50 Ned Ludd
From: Ned Ludd @ 2003-07-11 14:50 UTC (permalink / raw
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 995 bytes --]

This patch updates the copyright, adds support for LDFLAGS,ASFLAGS and
two new FEATURES.

1) antivirus
 * this feature adds hooks to do virus scanning 
  ** before unpacking
  ** after compiling
- To take advantage of this feature you need to set 3 things in your
make.conf

FEATURES="${FEATURES} antivirus"

# only really tested with f-prot 
AVS_SCANNER=/opt/f-prot/f-prot
AVS_OPTS="-archive -dumb -ai -old"

# little to no testing done with clam
#AVS_SCANNER=/usr/bin/clamscan
#AVS_OPTS="--stdout --tgz=/bin/tar --tar=/bin/tar --unzip=/usr/bin/unzip
--disable-summary"

2) hardened
 * this feature removes group and other readable bits when installing
setuid files
 * this feature removes other readable bits when installing setgid files
 * this feature could do a lot more depending on the type of feedback I
get.

- To take advantage of this feature you need to set 1 thing in your
make.conf

FEATURES="${FEATURES} hardened"

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)

[-- Attachment #2: Type: text/x-patch, Size: 3227 bytes --]

Index: ebuild.sh
===================================================================
RCS file: /home/cvsroot/gentoo-src/portage/bin/ebuild.sh,v
retrieving revision 1.133
diff -u -b -B -r1.133 ebuild.sh
--- ebuild.sh	2 Jul 2003 03:23:36 -0000	1.133
+++ ebuild.sh	11 Jul 2003 06:39:41 -0000
@@ -252,11 +252,39 @@
 }
 
 
+# the antivirus feature should be disabled by default except when
+# overridden in the relevant stages
+
+antivirus_scan() {
+	local buf
+	local ret
+	local x
+
+	x=$1
+	ret=1
+
+	ebegin ">>> Virus Scanning ${x} "
+	if [ -x "${AVS_SCANNER}" ]; then
+		# this assumes the syntax of "execfile options file/dir"
+		buf=$(${AVS_SCANNER} ${AVS_OPTS} ${x})
+		ret=$?
+		[ ${ret} != 0 ] && myfail="something here "
+	else
+		myfail="No usable AVS_SCANNER found: ${AVS_SCANNER}"
+	fi
+	eend $ret
+	if [ "${myfail}" != "" ] ; then
+		echo "${buf}"
+		die "${myfail}"
+	fi
+}
+
 unpack() {
 	local x
 	local y
 	local myfail
 	local tarvars
+	local vscan
 
 	if [ "$USERLAND" == "BSD" ]; then
 		tarvars=""
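Review bot: antivirus_scan never declares or clears `myfail`, yet it decides whether to `die` on `[ "${myfail}" != "" ]`; because bash locals are dynamically scoped, a call from unpack reads unpack's own `myfail`, which the loop in the next hunk sets to "failure unpacking ${x}" after each scan, so the second archive's scan dies even when the scanner returns 0. The call from dyn_install in the later hunk has the same dependence on whatever `myfail` the caller left behind. Add `local myfail=""` next to the other locals, and replace the placeholder `myfail="something here "` with a real diagnostic such as `myfail="${AVS_SCANNER} exited ${ret} while scanning ${x}"` so the `die` message says which file and scanner status triggered the abort. Note also that `buf=$(...)` captures only the scanner's stdout, so anything the scanner reports on stderr is not echoed before `die`.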
@@ -264,7 +292,12 @@
 		tarvars="--no-same-owner"	
 	fi	
 
+	vscan=`has antivirus $FEATURES`
+
 	for x in "$@"; do
+		if [ "${vscan}" != "" ]; then
+			antivirus_scan $(pwd)/${x}
+		fi
 		myfail="failure unpacking ${x}"
 		echo ">>> Unpacking ${x} to $(pwd)"
 		y="$(echo $x | sed 's:.*\.\(tar\)\.[a-zA-Z0-9]*:\1:')"
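Review bot: The scan path `$(pwd)/${x}` is unquoted, so an archive name containing whitespace is split into several arguments and the scanner is pointed at fragments; `antivirus_scan "$(pwd)/${x}"` keeps the path intact, and the `${D}/` argument at the dyn_install call site later in this patch deserves the same quoting. unpack's body continues outside the hunk, so I cannot confirm from here which directory the archives are read from; if they are read from `${DISTDIR}` rather than the current directory, `$(pwd)/${x}` would not exist and the scan would abort on every archive, so the scanned path should match the one the unpack commands use.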
@@ -645,7 +678,7 @@
 
 dyn_compile() {
 	trap "abort_compile" SIGINT SIGQUIT
-	export CFLAGS CXXFLAGS LIBCFLAGS LIBCXXFLAGS
+	export CFLAGS CXXFLAGS LIBCFLAGS LIBCXXFLAGS LDFLAGS ASFLAGS
 	if has noauto $FEATURES &>/dev/null && [ ! -f ${BUILDDIR}/.unpacked ]; then
 		echo
 		echo "!!! We apparently haven't unpacked... This is probably not what you"
@@ -708,6 +741,12 @@
 	echo "$RDEPEND"  > RDEPEND
 	echo "$SLOT"     > SLOT
 	echo "$USE"      > USE
+
+	# To keep the bugs down only use such flags when absolutely
+	# neccessary.
+	[ -n "${LDFLAGS}" ] && echo "${LDFLAGS}" > LDFLAGS
+	[ -n "${ASFLAGS}" ] && echo "${ASFLAGS}" > ASFLAGS
+
 	set | bzip2 -9 - > environment.bzip2
 	cp ${EBUILD} ${PF}.ebuild
 	if has nostrip $FEATURES $RESTRICT; then
@@ -755,6 +794,10 @@
 	prepall
 	cd ${D}
 
+	if [ "`has antivirus $FEATURES`" != "" ]; then
+		# scan the whole directory
+		antivirus_scan ${D}/
+	fi
 	declare -i UNSAFE=0
 	for i in $(find ${D}/ -type f -perm -2002); do
 		UNSAFE=$(($UNSAFE + 1))
@@ -775,6 +818,23 @@
 	else	
 		find ${D}/ -group portage -print0 | $XARGS -0 -n100 chgrp root 
 	fi
+	if [ "`has hardened $FEATURES`" != "" ]; then
+		for i in $(find ${D}/ -type f -perm -4000); do
+			ebegin ">>> SetUID: [chmod go-r] $i "
+			chmod go-r $i
+			eend $?
+		done
+		for i in $(find ${D}/ -type f -perm -2000); do
+			ebegin ">>> SetGID: [chmod o-r] $i "
+			chmod o-r $i
+			eend $?
+		done
+		# we could hook right in here and display suidperms or keep
+		# ourselfs a db. -solar
+		#suids=`find ${D}/ -type f \( -perm -4000 -o -perm -2000 \)`
+		#ls -ldh ${suids}
+		#md5sum ${suids}
+	fi
 	echo ">>> Completed installing into ${D}"
 	echo
 	cd ${BUILDDIR}
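Review bot: Both `for i in $(find ${D}/ -type f -perm -4000)` loops word-split the find output, so a setuid or setgid file whose path contains whitespace is never reached by `chmod` (and chmod runs on the path fragments instead); the hardening silently does not apply to exactly the files it targets. The file already uses `find ... -print0 | $XARGS -0` a few lines above, so a NUL-delimited loop keeps the per-file ebegin/eend output while handling such paths. dyn_install starts outside the hunk; only the two loops change.
```shell
	if [ "`has hardened $FEATURES`" != "" ]; then
		# NUL-delimited so paths containing whitespace reach chmod intact
		while IFS= read -r -d '' i; do
			ebegin ">>> SetUID: [chmod go-r] $i "
			chmod go-r "$i"
			eend $?
		done < <(find "${D}"/ -type f -perm -4000 -print0)
		while IFS= read -r -d '' i; do
			ebegin ">>> SetGID: [chmod o-r] $i "
			chmod o-r "$i"
			eend $?
		done < <(find "${D}"/ -type f -perm -2000 -print0)
		# … unchanged: commented-out suid inventory notes …
	fi
```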
@@ -822,7 +882,7 @@
 dyn_help() {
 	echo
 	echo "Portage"
-	echo "Copyright 2002 Gentoo Technologies, Inc."
+	echo "Copyright 1999-2003 Gentoo Technologies, Inc."
 	echo 
 	echo "How to use the ebuild command:"
 	echo 


[-- Attachment #3: Type: text/plain, Size: 37 bytes --]

--
gentoo-dev@gentoo.org mailing list
