sys-apps/sandbox: Fix opendir sandbox abort with long paths

Shell globbing code could end up calling opendir on a whole command line
with arguments, exceeding 8k characters - for example when libtool gets
passed an -export-symbols-regex with a wildcard.
Due to the length exceeding sandbox internal SB_PATH_MAX, it gets trimmed
internally in sandbox syscall checks (even though opendir isn't an actual
syscall), gets confused and throws an ISE abort.
Fix it by adding a precheck that simply fails early with ENAMETOOLONG on
too long paths, as the real glibc function would do the same.

Fixes large projects hitting sandbox abort inside the driving POSIX shell
globbing function due to a long list of linker arguments (such as many object
files) being passed to libtool together with an -export-symbols-regex with
a wildcard. Known affected packages include graphicsmagick and newer
gnome-builder.

p.masked for a short time as a maintainer timeout, seeking independent
validation as a critical packages non-maintainer revbump.

Gentoo-Bug: 553092
Package-Manager: portage-2.3.3
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

3 files changed, 248 insertions, 0 deletions

diff --git a/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch b/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
new file mode 100644
index 00000000000..2ff89bcdfcb
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
@@ -0,0 +1,79 @@
+From 3f668dc6ba1910085e61b3a24167ab1352c60d92 Mon Sep 17 00:00:00 2001
+From: Mart Raudsepp <leio@gentoo.org>
+Date: Fri, 11 Nov 2016 12:34:48 +0200
+Subject: [PATCH] libsandbox: do not abort with a long name to opendir
+
+Add a pre-check for opendir that catches too long name arguments
+given to opendir, as it would get messed up and abort before it
+even gets to the open*() syscall (which would handle it correctly),
+due to opendir going through before_syscall/check_syscall, even
+though it isn't a true syscall and it getting cut to SB_PATH_MAX
+inbetween and getting confused somewhere.
+
+URL: https://bugs.gentoo.org/553092
+Signed-off-by: Mart Raudsepp <leio@gentoo.org>
+---
+ libsandbox/wrapper-funcs/opendir.c           |  2 ++
+ libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
+ libsandbox/wrappers.h                        |  1 +
+ 3 files changed, 29 insertions(+)
+ create mode 100644 libsandbox/wrapper-funcs/opendir_pre_check.c
+
+diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
+index 7670775..70c2692 100644
+--- a/libsandbox/wrapper-funcs/opendir.c
++++ b/libsandbox/wrapper-funcs/opendir.c
+@@ -10,4 +10,6 @@
+ #define WRAPPER_SAFE() SB_SAFE(name)
+ #define WRAPPER_RET_TYPE DIR *
+ #define WRAPPER_RET_DEFAULT NULL
++#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
++
+ #include "__wrapper_simple.c"
+diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
+new file mode 100644
+index 0000000..60c869f
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
+@@ -0,0 +1,26 @@
++/*
++ * opendir() pre-check.
++ *
++ * Copyright 1999-2016 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++bool sb_opendir_pre_check(const char *func, const char *name)
++{
++	/* If length of name is larger than PATH_MAX, we would mess it up
++	 * before it reaches the open syscall, which would cleanly error out
++	 * via sandbox as well (actually with much smaller lengths than even
++	 * PATH_MAX).
++	 * So error out early in this case, in order to avoid an abort in
++	 * check_syscall later on, which gets ran for opendir, despite it not
++	 * being a syscall.
++	 */
++	if (strnlen(name, PATH_MAX) == PATH_MAX) {
++		errno = ENAMETOOLONG;
++		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++			func, name, strerror(errno));
++		return false;
++	}
++
++	return true;
++}
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 0aa58bb..bf5bf64 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check  (const char *func, const char *pathn
+ attribute_hidden bool sb_mkdirat_pre_check  (const char *func, const char *pathname, int dirfd);
+ attribute_hidden bool sb_openat_pre_check   (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
++attribute_hidden bool sb_opendir_pre_check  (const char *func, const char *name);
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
+ attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
+                                              char *dirfd_path, size_t dirfd_path_len);
+-- 
+2.9.0
+
diff --git a/sys-apps/sandbox/sandbox-2.10-r3.ebuild b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
new file mode 100644
index 00000000000..910a931a836
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+	https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+	>=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
+	epatch "${FILESDIR}"/${P}-disable-same.patch
+	epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
+	epatch_user
+}
+
+multilib_src_configure() {
+	filter-lfs-flags #90228
+
+	local myconf=()
+	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+	ECONF_SOURCE="${S}" \
+	econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+	# Default sandbox build will run with --jobs set to # cpus.
+	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+	doenvd "${FILESDIR}"/09sandbox
+
+	keepdir /var/log/sandbox
+	fowners root:portage /var/log/sandbox
+	fperms 0770 /var/log/sandbox
+
+	cd "${S}"
+	dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+	chown root:portage "${ED}"/var/log/sandbox
+	chmod 0770 "${ED}"/var/log/sandbox
+
+	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+		local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+		if [[ -n ${old} ]] ; then
+			elog "Removing old sandbox libraries for you:"
+			find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
+		fi
+	fi
+}
+
+pkg_postinst() {
+	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+		chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+	fi
+}
diff --git a/sys-apps/sandbox/sandbox-2.11-r4.ebuild b/sys-apps/sandbox/sandbox-2.11-r4.ebuild
new file mode 100644
index 00000000000..0cba4b731e7
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.11-r4.ebuild
@@ -0,0 +1,85 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+	https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+	>=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-execvpe.patch #578516
+	epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
+	epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
+	epatch "${FILESDIR}"/${PN}-2.10-fix-opendir.patch #553092
+	epatch_user
+}
+
+multilib_src_configure() {
+	filter-lfs-flags #90228
+
+	local myconf=()
+	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+	ECONF_SOURCE="${S}" \
+	econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+	# Default sandbox build will run with --jobs set to # cpus.
+	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+	doenvd "${FILESDIR}"/09sandbox
+
+	keepdir /var/log/sandbox
+	fowners root:portage /var/log/sandbox
+	fperms 0770 /var/log/sandbox
+
+	cd "${S}"
+	dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+	chown root:portage "${ED}"/var/log/sandbox
+	chmod 0770 "${ED}"/var/log/sandbox
+
+	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+		local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+		if [[ -n ${old} ]] ; then
+			elog "Removing old sandbox libraries for you:"
+			find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
+		fi
+	fi
+}
+
+pkg_postinst() {
+	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+		chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+	fi
+}