commit:     288877d0e268087dacb4b593202e28f86b6d31d4
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 24 01:12:13 2021 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Oct 24 01:13:05 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288877d0

sys-apps/sandbox: version bump to 2.27

Add USE=nnp flag to control new NO_NEW_PRIVS behavior.  In case things
go horribly wrong, can easily flip the flag off to keep from blowing
everyone up.

Bug: https://bugs.gentoo.org/442172
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 sys-apps/sandbox/Manifest            |  1 +
 sys-apps/sandbox/metadata.xml        |  3 ++
 sys-apps/sandbox/sandbox-2.27.ebuild | 64 ++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)

diff --git a/sys-apps/sandbox/Manifest b/sys-apps/sandbox/Manifest
index 121fc4437e1..744bc206cac 100644
--- a/sys-apps/sandbox/Manifest
+++ b/sys-apps/sandbox/Manifest
@@ -1,3 +1,4 @@
 DIST sandbox-2.24.tar.xz 438408 BLAKE2B 
5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843
 SHA512 
8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0
 DIST sandbox-2.25.tar.xz 436004 BLAKE2B 
c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c
 SHA512 
4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d
 DIST sandbox-2.26.tar.xz 444412 BLAKE2B 
3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161
 SHA512 
f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa
+DIST sandbox-2.27.tar.xz 448948 BLAKE2B 
03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104
 SHA512 
2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7

diff --git a/sys-apps/sandbox/metadata.xml b/sys-apps/sandbox/metadata.xml
index e270f4674f6..11e084f7c9b 100644
--- a/sys-apps/sandbox/metadata.xml
+++ b/sys-apps/sandbox/metadata.xml
@@ -5,4 +5,7 @@
   <email>sand...@gentoo.org</email>
   <name>Sandbox Maintainers</name>
 </maintainer>
+<use>
+  <flag name="nnp">Enable NO_NEW_PRIVS which blocks set*id programs from 
gaining privileges (e.g. sudo)</flag>
+</use>
 </pkgmetadata>

diff --git a/sys-apps/sandbox/sandbox-2.27.ebuild 
b/sys-apps/sandbox/sandbox-2.27.ebuild
new file mode 100644
index 00000000000..ed70783105b
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.27.ebuild
@@ -0,0 +1,64 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit flag-o-matic multilib-minimal multiprocessing
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox";
+SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv 
~s390 ~sparc ~x86"
+IUSE="+nnp"
+
+DEPEND="app-arch/xz-utils
+       >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" 
sandbox_death_notice"
+
+sandbox_death_notice() {
+       ewarn "If configure failed with a 'cannot run C compiled programs' 
error, try this:"
+       ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+       default
+
+       if ! use nnp ; then
+               sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' 
src/sandbox.c || die
+       fi
+
+       # sandbox uses `__asm__ (".symver "...` which does
+       # not play well with gcc's LTO: https://gcc.gnu.org/PR48200
+       append-flags -fno-lto
+       append-ldflags -fno-lto
+}
+
+multilib_src_configure() {
+       filter-lfs-flags #90228
+
+       ECONF_SOURCE="${S}" econf
+}
+
+multilib_src_test() {
+       # Default sandbox build will run with --jobs set to # cpus.
+       # -j1 to prevent test faiures caused by file descriptor
+       # injection GNU make does.
+       emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+       doenvd "${FILESDIR}"/09sandbox
+
+       dodoc AUTHORS ChangeLog* README.md
+}
+
+pkg_postinst() {
+       mkdir -p "${EROOT}"/var/log/sandbox
+       chown root:portage "${EROOT}"/var/log/sandbox
+       chmod 0770 "${EROOT}"/var/log/sandbox
+}
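Review bot: The `sed -i ... || die` in src_prepare only dies when sed itself fails, not when the pattern matches nothing, so if a later sandbox release renames or moves the `PR_SET_NO_NEW_PRIVS` use in src/sandbox.c, USE=-nnp would build with NO_NEW_PRIVS still active and give no diagnostic. Adding `grep -q ___disable_nnp_hack src/sandbox.c || die "nnp opt-out did not apply"` right after the sed makes the flag's effect verifiable at build time. A short comment there should also say why renaming the macro disables the feature (presumably the prctl call sits behind an `#ifdef PR_SET_NO_NEW_PRIVS` guard; sandbox.c is not shown here). Separately, the `chown` and `chmod` in pkg_postinst have no `|| die` or `ewarn`, so a failure leaves `"${EROOT}"/var/log/sandbox` with whatever owner and mode `mkdir -p` or an earlier install gave it.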
