commit: 207991fdff291c3ccecf2899ad88a91d351136c6 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Tue Oct 3 19:06:04 2017 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Tue Oct 3 19:09:28 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=207991fd
sys-apps/sandbox: Drop old sys-apps/sandbox/Manifest | 4 - .../files/sandbox-2.6-check-empty-paths-at.patch | 201 --------------------- sys-apps/sandbox/files/sandbox-2.6-desktop.patch | 30 --- sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch | 13 -- sys-apps/sandbox/files/sandbox-2.6-log-var.patch | 51 ------ sys-apps/sandbox/files/sandbox-2.6-no-pch.patch | 29 --- .../sandbox/files/sandbox-2.6-open-nofollow.patch | 54 ------ .../files/sandbox-2.6-static-close-fd.patch | 93 ---------- .../sandbox/files/sandbox-2.6-trace-hppa.patch | 27 --- .../sandbox/files/sandbox-2.8-write-ptmx.patch | 34 ---- sys-apps/sandbox/sandbox-2.6-r1.ebuild | 130 ------------- sys-apps/sandbox/sandbox-2.7.ebuild | 122 ------------- sys-apps/sandbox/sandbox-2.8.ebuild | 123 ------------- sys-apps/sandbox/sandbox-2.9.ebuild | 122 ------------- 14 files changed, 1033 deletions(-) diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest index 5ca84948432..b4efad9fa3d 100644 --- a/sys-apps/sandbox/Manifest +++ b/sys-apps/sandbox/Manifest @@ -1,6 +1,2 @@ DIST sandbox-2.10.tar.xz 417068 SHA256 019d6a2646b3a5f9b6fc3fcb6ff99332901017eb845442bec8573b9901506fa6 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305 WHIRLPOOL 5d6cffa7317cafeba02af75de9ae914d4365a62b54d3dfcc14cb272e621f2f76a60a945591ccb57dd59d6750152087cb2f21e43ded3ec181d6b42df173147192 DIST sandbox-2.12.tar.xz 424252 SHA256 265a490a8c528237c55ad26dfd7f62336fa5727c82358fc9cfbaa2e52c47fc50 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9 WHIRLPOOL 4f3089746a11616c60057165f387122b74e8d2f30a2d77db296405a2b6f401fc625645bca73092436162f5d98a88bfb2a3b42909b0eceb9a59ab810d803441b0 -DIST sandbox-2.6.tar.xz 366356 SHA256 95615c5879dfc419713f22ba5506a2802a50ea0ce8a2f57c656354f2e50b1c4d SHA512 32ba7fb675c67fdc8bc52da1db7ed6878e5fea8753accb30d9aca00f708e0dde03287b5962caf5ef031bea6934d6ef3e18404b015c70ebd551d3fd8109ad2371 WHIRLPOOL bab2d015fb0de92a2266408ca7941c8fb66b599179040cfc727ffce5b2424a9722dc55ba89d198e3361044d8cb357314205488d2a980c7b8af063fd8940f0c03 -DIST sandbox-2.7.tar.xz 390304 SHA256 d6e1230180d84fb64c9788dd372a73a1cd2496ead91cad333a211320d3041149 SHA512 81056460afabe3f9163594f662f5faf87b6dfe8511a001fc4d6ce0171492eb29f3b645a45320032d34475bb2c24bf212d1d05b50878a340f1e2ca580f8f8f38a WHIRLPOOL ad070df6351537e49f939ba195f27ccf5e4566bb8b6e4ba391ab8174771eacf909571284c6fa873d5b55e8540605d2766a3de5d451b6af132c0ff6d96e43f554 -DIST sandbox-2.8.tar.xz 410588 SHA256 f01dcac27a4641d1898c4a19bf3a0572f8ec85c3ba12e6ede8af36f6bc047165 SHA512 73a21e72f5825f43ee887efbe73f4ccd8771c7f45438104077aa83448d0a2727ab65be89a7a1a690d3662594df680ca4dc29908763e5abe2a81594b6f8f6ff2e WHIRLPOOL 6c93a0d8737bab4e710f0f20645514c9a5413a2d357a64c2e8b8428567221b949134881e705f979aa374635a278c0b3c646a6cffaf1015024db8f2aab2ec7c74 -DIST sandbox-2.9.tar.xz 415992 SHA256 ee6e92932c5a30d784548985b69adb357662fadd32d961776f197879ff8230c7 SHA512 9f9b886c160fa14119c7bc389b2eeb1050b150dccd60f64d809db43a23bc703004cb9ccaa454b970adb5e0616b19c9e9e0e6e52fccf6b16608ab89b3c2c3cee7 WHIRLPOOL aeae0387fe618c2af2945747629991649935f344906017f5b00e1a63496c2cc03ee5b7f078ee1d83897fad3f54793e02be86a6f297b7bbd4af2918b2a8157633 diff --git a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch b/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch deleted file mode 100644 index e4dc5290ed5..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-check-empty-paths-at.patch +++ /dev/null @@ -1,201 +0,0 @@ -From dd726dcc6a95355d0e0cc949018d9c8aefc89a02 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Mon, 24 Dec 2012 19:41:49 -0500 -Subject: [PATCH 1/2] libsandbox: reject "" paths with *at funcs before - checking the dirfd - -When it comes to processing errors, an empty path is checked before -an invalid dirfd. Make sure sandbox matches that behavior for the -random testsuites out there that look for this. - -URL: https://bugs.gentoo.org/346929 -Reported-by: Marien Zwart <mari...@gentoo.org> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsandbox/wrapper-funcs/__pre_check.c | 2 ++ - libsandbox/wrapper-funcs/mkdirat_pre_check.c | 17 +++++------------ - libsandbox/wrapper-funcs/openat_pre_check.c | 15 ++++----------- - libsandbox/wrapper-funcs/unlinkat_pre_check.c | 17 +++++------------ - libsandbox/wrappers.h | 2 ++ - tests/mkdirat-3.sh | 7 +++++++ - tests/mkdirat.at | 1 + - tests/openat-2.sh | 9 +++++++++ - tests/openat.at | 1 + - tests/unlinkat-4.sh | 7 +++++++ - tests/unlinkat.at | 1 + - 11 files changed, 44 insertions(+), 35 deletions(-) - create mode 100755 tests/mkdirat-3.sh - create mode 100755 tests/openat-2.sh - create mode 100755 tests/unlinkat-4.sh - -diff --git a/libsandbox/wrapper-funcs/__pre_check.c b/libsandbox/wrapper-funcs/__pre_check.c -index 2d5711f..28ad91f 100644 ---- a/libsandbox/wrapper-funcs/__pre_check.c -+++ b/libsandbox/wrapper-funcs/__pre_check.c -@@ -20,3 +20,5 @@ - #if SB_NR_UNLINK != SB_NR_UNDEF && SB_NR_UNLINKAT == SB_NR_UNDEF - # include "unlinkat_pre_check.c" - #endif -+ -+#include "__pre_at_check.c" -diff --git a/libsandbox/wrapper-funcs/mkdirat_pre_check.c b/libsandbox/wrapper-funcs/mkdirat_pre_check.c -index 77a65df..0b48d1f 100644 ---- a/libsandbox/wrapper-funcs/mkdirat_pre_check.c -+++ b/libsandbox/wrapper-funcs/mkdirat_pre_check.c -@@ -1,20 +1,13 @@ - bool sb_mkdirat_pre_check(const char *func, const char *pathname, int dirfd) - { - char canonic[SB_PATH_MAX]; -- char dirfd_path[SB_PATH_MAX]; - - save_errno(); - -- /* Expand the dirfd path first */ -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { -- case -1: -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", -- func, pathname, strerror(errno)); -- return false; -- case 0: -- pathname = dirfd_path; -- break; -- } -+ /* Check incoming args against common *at issues */ -+ char dirfd_path[SB_PATH_MAX]; -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) -+ return false; - - /* Then break down any relative/symlink paths */ - if (-1 == canonicalize(pathname, canonic)) -diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c -index 0127708..5fd5eaa 100644 ---- a/libsandbox/wrapper-funcs/openat_pre_check.c -+++ b/libsandbox/wrapper-funcs/openat_pre_check.c -@@ -15,17 +15,10 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int - - save_errno(); - -- /* Expand the dirfd path first */ -+ /* Check incoming args against common *at issues */ - char dirfd_path[SB_PATH_MAX]; -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { -- case -1: -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", -- func, pathname, strerror(errno)); -- return false; -- case 0: -- pathname = dirfd_path; -- break; -- } -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) -+ return false; - - /* Doesn't exist -> skip permission checks */ - struct stat st; -diff --git a/libsandbox/wrapper-funcs/unlinkat_pre_check.c b/libsandbox/wrapper-funcs/unlinkat_pre_check.c -index 9f5e7d7..c004d15 100644 ---- a/libsandbox/wrapper-funcs/unlinkat_pre_check.c -+++ b/libsandbox/wrapper-funcs/unlinkat_pre_check.c -@@ -1,20 +1,13 @@ - bool sb_unlinkat_pre_check(const char *func, const char *pathname, int dirfd) - { - char canonic[SB_PATH_MAX]; -- char dirfd_path[SB_PATH_MAX]; - - save_errno(); - -- /* Expand the dirfd path first */ -- switch (resolve_dirfd_path(dirfd, pathname, dirfd_path, sizeof(dirfd_path))) { -- case -1: -- sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", -- func, pathname, strerror(errno)); -- return false; -- case 0: -- pathname = dirfd_path; -- break; -- } -+ /* Check incoming args against common *at issues */ -+ char dirfd_path[SB_PATH_MAX]; -+ if (!sb_common_at_pre_check(func, &pathname, dirfd, dirfd_path, sizeof(dirfd_path))) -+ return false; - - /* Then break down any relative/symlink paths */ - if (-1 == canonicalize(pathname, canonic)) -diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h -index 5b97787..0aa58bb 100644 ---- a/libsandbox/wrappers.h -+++ b/libsandbox/wrappers.h -@@ -28,5 +28,7 @@ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathn - attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags); - attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags); - attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd); -+attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, -+ char *dirfd_path, size_t dirfd_path_len); - - #endif --- -1.8.1.2 - -From 0b8a6d9773cc0e6d86bf1187f46817d5716698fe Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Mon, 24 Dec 2012 19:41:49 -0500 -Subject: [PATCH 2/2] libsandbox: reject "" paths with *at funcs before - checking the dirfd [missing file] - -When it comes to processing errors, an empty path is checked before -an invalid dirfd. Make sure sandbox matches that behavior for the -random testsuites out there that look for this. - -Forgot to `git add` in the previous commit :/. - -URL: https://bugs.gentoo.org/346929 -Reported-by: Marien Zwart <mari...@gentoo.org> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsandbox/wrapper-funcs/__pre_at_check.c | 34 +++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - create mode 100644 libsandbox/wrapper-funcs/__pre_at_check.c - -diff --git a/libsandbox/wrapper-funcs/__pre_at_check.c b/libsandbox/wrapper-funcs/__pre_at_check.c -new file mode 100644 -index 0000000..f72c40c ---- /dev/null -+++ b/libsandbox/wrapper-funcs/__pre_at_check.c -@@ -0,0 +1,34 @@ -+/* -+ * common *at() pre-checks. -+ * -+ * Copyright 1999-2012 Gentoo Foundation -+ * Licensed under the GPL-2 -+ */ -+ -+/* We assume the parent has nested use with save/restore errno */ -+bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd, -+ char *dirfd_path, size_t dirfd_path_len) -+{ -+ /* the empty path name should fail with ENOENT before any dirfd -+ * checks get a chance to run #346929 -+ */ -+ if (*pathname && *pathname[0] == '\0') { -+ errno = ENOENT; -+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", -+ func, *pathname, strerror(errno)); -+ return false; -+ } -+ -+ /* Expand the dirfd path first */ -+ switch (resolve_dirfd_path(dirfd, *pathname, dirfd_path, dirfd_path_len)) { -+ case -1: -+ sb_debug_dyn("EARLY FAIL: %s(%s) @ resolve_dirfd_path: %s\n", -+ func, *pathname, strerror(errno)); -+ return false; -+ case 0: -+ *pathname = dirfd_path; -+ break; -+ } -+ -+ return true; -+} --- -1.8.1.2 - diff --git a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch b/sys-apps/sandbox/files/sandbox-2.6-desktop.patch deleted file mode 100644 index fbecb0727f9..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-desktop.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 00044ab0c8aaaabf048b5ff0ec2da5b3d7d25752 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Sat, 17 Nov 2012 14:14:26 -0500 -Subject: [PATCH] sandbox.desktop: drop .svg from Icon field -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -URL: http://bugs.gentoo.org/443672 -Reported-by: Petteri Räty <betelge...@gentoo.org> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - data/sandbox.desktop | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/data/sandbox.desktop b/data/sandbox.desktop -index 5b5b576..27a887e 100644 ---- a/data/sandbox.desktop -+++ b/data/sandbox.desktop -@@ -5,6 +5,6 @@ Type=Application - Comment=launch a sandboxed shell ... useful for debugging ebuilds - Exec=sandbox - TryExec=sandbox --Icon=sandbox.svg -+Icon=sandbox - Categories=Development; - Terminal=true --- -1.8.1.2 - diff --git a/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch b/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch deleted file mode 100644 index fd87d6a272a..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-gcc-5.patch +++ /dev/null @@ -1,13 +0,0 @@ -fix building w/gcc-5 - ---- a/libsandbox/Makefile.in -+++ b/libsandbox/Makefile.in -@@ -68,7 +68,7 @@ sb_nr.h: symbols.h $(SB_NR_FILE) - - TRACE_MAKE_HEADER = \ - $(SB_AWK) $(GEN_TRACE_SCRIPT) -v MODE=gen | \ -- $(COMPILE) -E -include $(top_srcdir)/headers.h - $$f | \ -+ $(COMPILE) -E -P -include $(top_srcdir)/headers.h - $$f | \ - $(SB_AWK) $(GEN_TRACE_SCRIPT) -v syscall_prefix=$$t > $$header - trace_syscalls.h: $(GEN_TRACE_SCRIPT) Makefile - if SB_SCHIZO diff --git a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch b/sys-apps/sandbox/files/sandbox-2.6-log-var.patch deleted file mode 100644 index bfea9e55e28..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-log-var.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 853b42c86432eefc6d4cfba86197fb37d446366d Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Sun, 3 Mar 2013 05:34:09 -0500 -Subject: [PATCH] sandbox: accept SANDBOX_LOG vars whatever their values - -Commit 40abb498ca4a24495fe34e133379382ce8c3eaca subtly broke the sandbox -with portage. It changed how the sandbox log env var was accessed by -moving from getenv() to get_sandbox_log(). The latter has path checking -and will kick out values that contain a slash. That means every time a -new process starts, a new sandbox log path will be generated, and when a -program triggers a violation, it'll write to the new file. Meanwhile, -portage itself watches the original one which never gets updated. - -This code has been around forever w/out documentation, and I can't think -of a reason we need it. So punt it. - -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsbutil/get_sandbox_log.c | 14 +++++--------- - 1 file changed, 5 insertions(+), 9 deletions(-) - -diff --git a/libsbutil/get_sandbox_log.c b/libsbutil/get_sandbox_log.c -index a79b399..bdb4278 100644 ---- a/libsbutil/get_sandbox_log.c -+++ b/libsbutil/get_sandbox_log.c -@@ -21,17 +21,13 @@ static void _get_sb_log(char *path, const char *tmpdir, const char *env, const c - - sandbox_log_env = getenv(env); - -- if (sandbox_log_env && is_env_on(ENV_SANDBOX_TESTING)) { -- /* When testing, just use what the env says to */ -+ if (sandbox_log_env) { -+ /* If the env is viable, roll with it. We aren't really -+ * about people breaking the security of the sandbox by -+ * exporting SANDBOX_LOG=/dev/null. -+ */ - strncpy(path, sandbox_log_env, SB_PATH_MAX); - } else { -- /* THIS CHUNK BREAK THINGS BY DOING THIS: -- * SANDBOX_LOG=/tmp/sandbox-app-admin/superadduser-1.0.7-11063.log -- */ -- if ((NULL != sandbox_log_env) && -- (NULL != strchr(sandbox_log_env, '/'))) -- sandbox_log_env = NULL; -- - snprintf(path, SB_PATH_MAX, "%s%s%s%s%d%s", - SANDBOX_LOG_LOCATION, prefix, - (sandbox_log_env == NULL ? "" : sandbox_log_env), --- -1.8.1.2 - diff --git a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch b/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch deleted file mode 100644 index fe2274927f4..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-no-pch.patch +++ /dev/null @@ -1,29 +0,0 @@ -gcc crashes when trying to use pch under hardened kernels - -http://bugs.gentoo.org/425524 - ---- Makefile.in -+++ Makefile.in -@@ -300,7 +300,7 @@ - src \ - tests - --SANDBOX_PCH = headers.h.gch libsandbox/headers.h.gch libsbutil/headers.h.gch -+SANDBOX_PCH = - BUILT_SOURCES = $(SANDBOX_PCH) - noinst_LTLIBRARIES = libpch.la - nodist_libpch_la_SOURCES = $(SANDBOX_PCH) -@@ -862,10 +862,9 @@ - $(builddir)/headers.h.gch: headers.h - $(AM_V_GEN)$(COMPILE) -c -o $@.o $< && $(GCH_CP) - --libsbutil: libsbutil/headers.h.gch --libsandbox: libsbutil libsandbox/headers.h.gch --src: libsbutil headers.h.gch --tests: src headers.h.gch -+libsandbox: libsbutil -+src: libsbutil -+tests: src - - ChangeLog: - touch ChangeLog diff --git a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch b/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch deleted file mode 100644 index 0101ece2c2b..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Mon, 24 Dec 2012 18:46:29 -0500 -Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW) - -We don't check for O_NOFOLLOW in the open wrappers, so we end up -returning the wrong error when operating on broken symlinks. - -URL: https://bugs.gentoo.org/413441 -Reported-by: Marien Zwart <mari...@gentoo.org> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsandbox/wrapper-funcs/__64_post.h | 1 + - libsandbox/wrapper-funcs/__64_pre.h | 1 + - libsandbox/wrapper-funcs/openat_pre_check.c | 2 +- - tests/open-2.sh | 10 ++++++++++ - tests/open.at | 1 + - 5 files changed, 14 insertions(+), 1 deletion(-) - create mode 100755 tests/open-2.sh - -diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h -index 2fd2182..82d2a16 100644 ---- a/libsandbox/wrapper-funcs/__64_post.h -+++ b/libsandbox/wrapper-funcs/__64_post.h -@@ -1,3 +1,4 @@ - #undef SB64 - #undef stat -+#undef lstat - #undef off_t -diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h -index 2132110..0b34b25 100644 ---- a/libsandbox/wrapper-funcs/__64_pre.h -+++ b/libsandbox/wrapper-funcs/__64_pre.h -@@ -1,3 +1,4 @@ - #define SB64 - #define stat stat64 -+#define lstat lstat64 - #define off_t off64_t -diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c -index c827ee6..0127708 100644 ---- a/libsandbox/wrapper-funcs/openat_pre_check.c -+++ b/libsandbox/wrapper-funcs/openat_pre_check.c -@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int - - /* Doesn't exist -> skip permission checks */ - struct stat st; -- if (-1 == stat(pathname, &st)) { -+ if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) { - sb_debug_dyn("EARLY FAIL: %s(%s): %s\n", - func, pathname, strerror(errno)); - return false; --- -1.8.1.2 - diff --git a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch b/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch deleted file mode 100644 index 7fc0972507b..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-static-close-fd.patch +++ /dev/null @@ -1,93 +0,0 @@ -From a3ff1534945c3898332b2481c9fd355dfbd56e1f Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Sat, 23 Jun 2012 11:52:51 -0700 -Subject: [PATCH] libsandbox: clean up open file handles in parent tracing - process - -Currently, if a non-static app sets up a pipe (with cloexec enabled) and -executes a static app, the handle to that pipe is left open in the parent -process. This causes trouble when the parent is waiting for that to be -closed immediately. - -Since none of the fds in the forked parent process matter to us, we can -just go ahead and clean up all fds before we start tracing the child. - -URL: http://bugs.gentoo.org/364877 -Reported-by: Victor Stinner <victor.stin...@haypocalc.com> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsandbox/trace.c | 3 +- - libsbutil/sb_close.c | 26 +++++++++++- - libsbutil/sbutil.h | 1 + - tests/Makefile.am | 2 + - tests/pipe-fork_static_tst.c | 18 +++++++++ - tests/pipe-fork_tst.c | 95 ++++++++++++++++++++++++++++++++++++++++++++ - tests/script-9.sh | 5 +++ - tests/script.at | 1 + - 8 files changed, 149 insertions(+), 2 deletions(-) - create mode 100644 tests/pipe-fork_static_tst.c - create mode 100644 tests/pipe-fork_tst.c - create mode 100755 tests/script-9.sh - -diff --git a/libsandbox/trace.c b/libsandbox/trace.c -index 32ad2d6..dfbab18 100644 ---- a/libsandbox/trace.c -+++ b/libsandbox/trace.c -@@ -504,8 +504,9 @@ void trace_main(const char *filename, char *const argv[]) - /* Not all kernel versions support this, so ignore return */ - ptrace(PTRACE_SETOPTIONS, trace_pid, NULL, (void *)PTRACE_O_TRACESYSGOOD); - #endif -+ sb_close_all_fds(); - trace_loop(); -- return; -+ sb_ebort("ISE: child should have quit, as should we\n"); - } - - sb_debug("child setting up ..."); -diff --git a/libsbutil/sb_close.c b/libsbutil/sb_close.c -index 17a4560..5379197 100644 ---- a/libsbutil/sb_close.c -+++ b/libsbutil/sb_close.c -@@ -29,3 +29,27 @@ int sb_close(int fd) - - return res; - } -+ -+/* Quickly close all the open fds (good for daemonization) */ -+void sb_close_all_fds(void) -+{ -+ DIR *dirp; -+ struct dirent *de; -+ int dfd, fd; -+ const char *fd_dir = sb_get_fd_dir(); -+ -+ dirp = opendir(fd_dir); -+ if (!dirp) -+ sb_ebort("could not process %s\n", fd_dir); -+ dfd = dirfd(dirp); -+ -+ while ((de = readdir(dirp)) != NULL) { -+ if (de->d_name[0] == '.') -+ continue; -+ fd = atoi(de->d_name); -+ if (fd != dfd) -+ close(fd); -+ } -+ -+ closedir(dirp); -+} -diff --git a/libsbutil/sbutil.h b/libsbutil/sbutil.h -index 02b88cb..479734b 100644 ---- a/libsbutil/sbutil.h -+++ b/libsbutil/sbutil.h -@@ -97,6 +97,7 @@ int sb_open(const char *path, int flags, mode_t mode); - size_t sb_read(int fd, void *buf, size_t count); - size_t sb_write(int fd, const void *buf, size_t count); - int sb_close(int fd); -+void sb_close_all_fds(void); - int sb_copy_file_to_fd(const char *file, int ofd); - - /* Reliable output */ --- -1.8.1.2 - diff --git a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch b/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch deleted file mode 100644 index 7e738228657..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.6-trace-hppa.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7b01f6103a9baddaf0252e7f850a4cef91a48b67 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Fri, 6 Jul 2012 14:58:16 -0400 -Subject: [PATCH] libsandbox: fix hppa trace code - -URL: https://bugs.gentoo.org/425062 -Reported-by: Jeroen Roovers <j...@gentoo.org> -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - libsandbox/trace/linux/hppa.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libsandbox/trace/linux/hppa.c b/libsandbox/trace/linux/hppa.c -index d23b0d1..5414354 100644 ---- a/libsandbox/trace/linux/hppa.c -+++ b/libsandbox/trace/linux/hppa.c -@@ -1,5 +1,5 @@ --#define trace_reg_sysnum (20 * 4) /* PT_GR20 */ --#define trace_reg_ret (28 * 4) /* PT_GR28 */ -+#define trace_reg_sysnum gr[20] -+#define trace_reg_ret gr[28] - - static unsigned long trace_arg(void *vregs, int num) - { --- -1.7.9.7 - diff --git a/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch b/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch deleted file mode 100644 index d22f53b0f11..00000000000 --- a/sys-apps/sandbox/files/sandbox-2.8-write-ptmx.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 6b9b505f4a7716a50ff9e63c85f2c4882987a732 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vap...@gentoo.org> -Date: Sun, 20 Sep 2015 04:40:39 -0400 -Subject: [PATCH] sandbox.conf: allow writing to /dev/ptmx - -We implicitly permit write access to this node by not catching functions -like openpty and posix_openpt, but when projects try to access the node -directly (due to legacy/fallback logic), the sandbox would reject them. -Make access to the node explicit since it's generally harmless. - -URL: https://bugs.gentoo.org/413327 -URL: https://bugs.gentoo.org/550650 -URL: https://bugs.gentoo.org/550670 -Signed-off-by: Mike Frysinger <vap...@gentoo.org> ---- - etc/sandbox.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/etc/sandbox.conf b/etc/sandbox.conf -index dc460f0..1d7655c 100644 ---- a/etc/sandbox.conf -+++ b/etc/sandbox.conf -@@ -64,7 +64,7 @@ SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full" - # Console device nodes - SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts" - # Device filesystems --SANDBOX_WRITE="/dev/pts/:/dev/shm" -+SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm" - # Tempory storage - SANDBOX_WRITE="/tmp/:/var/tmp/" - # Needed for shells --- -2.5.2 - diff --git a/sys-apps/sandbox/sandbox-2.6-r1.ebuild b/sys-apps/sandbox/sandbox-2.6-r1.ebuild deleted file mode 100644 index 5fedb39c104..00000000000 --- a/sys-apps/sandbox/sandbox-2.6-r1.ebuild +++ /dev/null @@ -1,130 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# -# don't monkey with this ebuild unless contacting portage devs. -# period. -# - -inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing - -DESCRIPTION="sandbox'd LD_PRELOAD hack" -HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"; -SRC_URI="mirror://gentoo/${P}.tar.xz - https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"; - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd -x86-fbsd" -IUSE="multilib" - -DEPEND="app-arch/xz-utils - >=app-misc/pax-utils-0.1.19" #265376 -RDEPEND="" - -EMULTILIB_PKG="true" -has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" - -sandbox_death_notice() { - ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" - ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" -} - -sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; } - -sb_foreach_abi() { - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - cd "${WORKDIR}/build-${ABI}" - einfo "Running $1 for ABI=${ABI}..." - "$@" - done - ABI=${OABI} -} - -src_unpack() { - unpacker - cd "${S}" - epatch "${FILESDIR}"/${P}-trace-hppa.patch #425062 - epatch "${FILESDIR}"/${P}-log-var.patch - epatch "${FILESDIR}"/${P}-static-close-fd.patch #364877 - epatch "${FILESDIR}"/${P}-desktop.patch #443672 - epatch "${FILESDIR}"/${P}-open-nofollow.patch #413441 - epatch "${FILESDIR}"/${P}-check-empty-paths-at.patch #346929 - epatch "${FILESDIR}"/${P}-no-pch.patch #425524 - epatch "${FILESDIR}"/${P}-gcc-5.patch - epatch_user -} - -sb_configure() { - mkdir "${WORKDIR}/build-${ABI}" - cd "${WORKDIR}/build-${ABI}" - - use multilib && multilib_toolchain_setup ${ABI} - - einfo "Configuring sandbox for ABI=${ABI}..." - ECONF_SOURCE="../${P}/" \ - econf ${myconf} || die -} - -sb_compile() { - emake || die -} - -src_compile() { - filter-lfs-flags #90228 - - # Run configures in parallel! - multijob_init - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - multijob_child_init sb_configure - done - ABI=${OABI} - multijob_finish - - sb_foreach_abi sb_compile -} - -sb_test() { - emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die -} - -src_test() { - sb_foreach_abi sb_test -} - -sb_install() { - emake DESTDIR="${D}" install || die - insinto /etc/sandbox.d #333131 - doins etc/sandbox.d/00default || die -} - -src_install() { - sb_foreach_abi sb_install - - doenvd "${FILESDIR}"/09sandbox - - keepdir /var/log/sandbox - fowners root:portage /var/log/sandbox - fperms 0770 /var/log/sandbox - - cd "${S}" - dodoc AUTHORS ChangeLog* NEWS README -} - -pkg_preinst() { - chown root:portage "${D}"/var/log/sandbox - chmod 0770 "${D}"/var/log/sandbox - - local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*') - if [[ -n ${old} ]] ; then - elog "Removing old sandbox libraries for you:" - elog ${old//${ROOT}} - find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \; - fi -} - -pkg_postinst() { - chmod 0755 "${ROOT}"/etc/sandbox.d #265376 -} diff --git a/sys-apps/sandbox/sandbox-2.7.ebuild b/sys-apps/sandbox/sandbox-2.7.ebuild deleted file mode 100644 index e2c6358e731..00000000000 --- a/sys-apps/sandbox/sandbox-2.7.ebuild +++ /dev/null @@ -1,122 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# -# don't monkey with this ebuild unless contacting portage devs. -# period. -# - -inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing - -DESCRIPTION="sandbox'd LD_PRELOAD hack" -HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"; -SRC_URI="mirror://gentoo/${P}.tar.xz - https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"; - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" -IUSE="multilib" - -DEPEND="app-arch/xz-utils - >=app-misc/pax-utils-0.1.19" #265376 -RDEPEND="" - -EMULTILIB_PKG="true" -has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" - -sandbox_death_notice() { - ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" - ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" -} - -sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; } - -sb_foreach_abi() { - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - cd "${WORKDIR}/build-${ABI}" - einfo "Running $1 for ABI=${ABI}..." - "$@" - done - ABI=${OABI} -} - -src_unpack() { - unpacker - cd "${S}" - epatch_user -} - -sb_configure() { - mkdir "${WORKDIR}/build-${ABI}" - cd "${WORKDIR}/build-${ABI}" - - use multilib && multilib_toolchain_setup ${ABI} - - einfo "Configuring sandbox for ABI=${ABI}..." - ECONF_SOURCE="${S}" \ - econf ${myconf} || die -} - -sb_compile() { - emake || die -} - -src_compile() { - filter-lfs-flags #90228 - - # Run configures in parallel! - multijob_init - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - multijob_child_init sb_configure - done - ABI=${OABI} - multijob_finish - - sb_foreach_abi sb_compile -} - -sb_test() { - emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die -} - -src_test() { - sb_foreach_abi sb_test -} - -sb_install() { - emake DESTDIR="${D}" install || die - insinto /etc/sandbox.d #333131 - doins etc/sandbox.d/00default || die -} - -src_install() { - sb_foreach_abi sb_install - - doenvd "${FILESDIR}"/09sandbox - - keepdir /var/log/sandbox - fowners root:portage /var/log/sandbox - fperms 0770 /var/log/sandbox - - cd "${S}" - dodoc AUTHORS ChangeLog* NEWS README -} - -pkg_preinst() { - chown root:portage "${D}"/var/log/sandbox - chmod 0770 "${D}"/var/log/sandbox - - local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*') - if [[ -n ${old} ]] ; then - elog "Removing old sandbox libraries for you:" - elog ${old//${ROOT}} - find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \; - fi -} - -pkg_postinst() { - chmod 0755 "${ROOT}"/etc/sandbox.d #265376 -} diff --git a/sys-apps/sandbox/sandbox-2.8.ebuild b/sys-apps/sandbox/sandbox-2.8.ebuild deleted file mode 100644 index cd56a63a9a8..00000000000 --- a/sys-apps/sandbox/sandbox-2.8.ebuild +++ /dev/null @@ -1,123 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# -# don't monkey with this ebuild unless contacting portage devs. -# period. -# - -inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing - -DESCRIPTION="sandbox'd LD_PRELOAD hack" -HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"; -SRC_URI="mirror://gentoo/${P}.tar.xz - https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"; - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" -IUSE="multilib" - -DEPEND="app-arch/xz-utils - >=app-misc/pax-utils-0.1.19" #265376 -RDEPEND="" - -EMULTILIB_PKG="true" -has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" - -sandbox_death_notice() { - ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" - ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" -} - -sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; } - -sb_foreach_abi() { - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - cd "${WORKDIR}/build-${ABI}" - einfo "Running $1 for ABI=${ABI}..." - "$@" - done - ABI=${OABI} -} - -src_unpack() { - unpacker - cd "${S}" - epatch "${FILESDIR}"/${P}-write-ptmx.patch #413327 - epatch_user -} - -sb_configure() { - mkdir "${WORKDIR}/build-${ABI}" - cd "${WORKDIR}/build-${ABI}" - - use multilib && multilib_toolchain_setup ${ABI} - - einfo "Configuring sandbox for ABI=${ABI}..." - ECONF_SOURCE="${S}" \ - econf ${myconf} || die -} - -sb_compile() { - emake || die -} - -src_compile() { - filter-lfs-flags #90228 - - # Run configures in parallel! - multijob_init - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - multijob_child_init sb_configure - done - ABI=${OABI} - multijob_finish - - sb_foreach_abi sb_compile -} - -sb_test() { - emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die -} - -src_test() { - sb_foreach_abi sb_test -} - -sb_install() { - emake DESTDIR="${D}" install || die - insinto /etc/sandbox.d #333131 - doins etc/sandbox.d/00default || die -} - -src_install() { - sb_foreach_abi sb_install - - doenvd "${FILESDIR}"/09sandbox - - keepdir /var/log/sandbox - fowners root:portage /var/log/sandbox - fperms 0770 /var/log/sandbox - - cd "${S}" - dodoc AUTHORS ChangeLog* NEWS README -} - -pkg_preinst() { - chown root:portage "${D}"/var/log/sandbox - chmod 0770 "${D}"/var/log/sandbox - - local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*') - if [[ -n ${old} ]] ; then - elog "Removing old sandbox libraries for you:" - elog ${old//${ROOT}} - find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \; - fi -} - -pkg_postinst() { - chmod 0755 "${ROOT}"/etc/sandbox.d #265376 -} diff --git a/sys-apps/sandbox/sandbox-2.9.ebuild b/sys-apps/sandbox/sandbox-2.9.ebuild deleted file mode 100644 index e2c6358e731..00000000000 --- a/sys-apps/sandbox/sandbox-2.9.ebuild +++ /dev/null @@ -1,122 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# -# don't monkey with this ebuild unless contacting portage devs. -# period. -# - -inherit eutils flag-o-matic toolchain-funcs multilib unpacker multiprocessing - -DESCRIPTION="sandbox'd LD_PRELOAD hack" -HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"; -SRC_URI="mirror://gentoo/${P}.tar.xz - https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"; - -LICENSE="GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" -IUSE="multilib" - -DEPEND="app-arch/xz-utils - >=app-misc/pax-utils-0.1.19" #265376 -RDEPEND="" - -EMULTILIB_PKG="true" -has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice" - -sandbox_death_notice() { - ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:" - ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox" -} - -sb_get_install_abis() { use multilib && get_install_abis || echo ${ABI:-default} ; } - -sb_foreach_abi() { - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - cd "${WORKDIR}/build-${ABI}" - einfo "Running $1 for ABI=${ABI}..." - "$@" - done - ABI=${OABI} -} - -src_unpack() { - unpacker - cd "${S}" - epatch_user -} - -sb_configure() { - mkdir "${WORKDIR}/build-${ABI}" - cd "${WORKDIR}/build-${ABI}" - - use multilib && multilib_toolchain_setup ${ABI} - - einfo "Configuring sandbox for ABI=${ABI}..." - ECONF_SOURCE="${S}" \ - econf ${myconf} || die -} - -sb_compile() { - emake || die -} - -src_compile() { - filter-lfs-flags #90228 - - # Run configures in parallel! - multijob_init - local OABI=${ABI} - for ABI in $(sb_get_install_abis) ; do - multijob_child_init sb_configure - done - ABI=${OABI} - multijob_finish - - sb_foreach_abi sb_compile -} - -sb_test() { - emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)" || die -} - -src_test() { - sb_foreach_abi sb_test -} - -sb_install() { - emake DESTDIR="${D}" install || die - insinto /etc/sandbox.d #333131 - doins etc/sandbox.d/00default || die -} - -src_install() { - sb_foreach_abi sb_install - - doenvd "${FILESDIR}"/09sandbox - - keepdir /var/log/sandbox - fowners root:portage /var/log/sandbox - fperms 0770 /var/log/sandbox - - cd "${S}" - dodoc AUTHORS ChangeLog* NEWS README -} - -pkg_preinst() { - chown root:portage "${D}"/var/log/sandbox - chmod 0770 "${D}"/var/log/sandbox - - local old=$(find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*') - if [[ -n ${old} ]] ; then - elog "Removing old sandbox libraries for you:" - elog ${old//${ROOT}} - find "${ROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -exec rm -fv {} \; - fi -} - -pkg_postinst() { - chmod 0755 "${ROOT}"/etc/sandbox.d #265376 -}
