-rw-r--r-- | profiles/package.mask | 4 | ||||
-rw-r--r-- | sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch | 79 | ||||
-rw-r--r-- | sys-apps/sandbox/sandbox-2.10-r3.ebuild | 84 | ||||
-rw-r--r-- | sys-apps/sandbox/sandbox-2.11-r4.ebuild | 85 |
4 files changed, 252 insertions, 0 deletions
diff --git a/profiles/package.mask b/profiles/package.mask
index 438ba4fc28f..979a78599b5 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -30,6 +30,10 @@
 
 #--- END OF EXAMPLES ---
 
+# Mart Raudsepp <leio@gentoo.org> (30 Dec 2016)
+# Temporary testing mask for non-maintainer commit of a bugfix, #553092
+=sys-apps/sandbox-2.10-r3
+
 # David Seifert <soap@gentoo.org> (29 Dec 2016)
 # Ancient codebase, maintenance nightmare, dead
 # upstream, games-emulation/vbam is spiritual successor
diff --git a/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch b/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
new file mode 100644
index 00000000000..2ff89bcdfcb
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
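Review bot: The mask added to profiles/package.mask lists only `=sys-apps/sandbox-2.10-r3`, but sandbox-2.11-r4.ebuild in this same commit applies the same `sandbox-2.10-fix-opendir.patch` in `src_prepare` and is not covered by it. If the mask is meant to gate the non-maintainer libsandbox change until it has been tested, add `=sys-apps/sandbox-2.11-r4` under the same comment, or extend the comment to say why 2.11-r4 is left out (it may already be masked elsewhere in the file, which the hunk does not show). libsandbox is preloaded into sandboxed builds, so it is worth stating exactly which revisions carry the untested wrapper change.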
@@ -0,0 +1,79 @@
+From 3f668dc6ba1910085e61b3a24167ab1352c60d92 Mon Sep 17 00:00:00 2001
+From: Mart Raudsepp <leio@gentoo.org>
+Date: Fri, 11 Nov 2016 12:34:48 +0200
+Subject: [PATCH] libsandbox: do not abort with a long name to opendir
+
+Add a pre-check for opendir that catches too long name arguments
+given to opendir, as it would get messed up and abort before it
+even gets to the open*() syscall (which would handle it correctly),
+due to opendir going through before_syscall/check_syscall, even
+though it isn't a true syscall and it getting cut to SB_PATH_MAX
+inbetween and getting confused somewhere.
+
+URL: https://bugs.gentoo.org/553092
+Signed-off-by: Mart Raudsepp <leio@gentoo.org>
+---
+ libsandbox/wrapper-funcs/opendir.c | 2 ++
+ libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
+ libsandbox/wrappers.h | 1 +
+ 3 files changed, 29 insertions(+)
+ create mode 100644 libsandbox/wrapper-funcs/opendir_pre_check.c
+
+diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
+index 7670775..70c2692 100644
+--- a/libsandbox/wrapper-funcs/opendir.c
++++ b/libsandbox/wrapper-funcs/opendir.c
+@@ -10,4 +10,6 @@
+ #define WRAPPER_SAFE() SB_SAFE(name)
+ #define WRAPPER_RET_TYPE DIR *
+ #define WRAPPER_RET_DEFAULT NULL
++#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
++
+ #include "__wrapper_simple.c"
+diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
+new file mode 100644
+index 0000000..60c869f
+--- /dev/null
++++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
+@@ -0,0 +1,26 @@
++/*
++ * opendir() pre-check.
++ *
++ * Copyright 1999-2016 Gentoo Foundation
++ * Licensed under the GPL-2
++ */
++
++bool sb_opendir_pre_check(const char *func, const char *name)
++{
++ /* If length of name is larger than PATH_MAX, we would mess it up
++ * before it reaches the open syscall, which would cleanly error out
++ * via sandbox as well (actually with much smaller lengths than even
++ * PATH_MAX).
++ * So error out early in this case, in order to avoid an abort in
++ * check_syscall later on, which gets ran for opendir, despite it not
++ * being a syscall.
++ */
++ if (strnlen(name, PATH_MAX) == PATH_MAX) {
++ errno = ENAMETOOLONG;
++ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
++ func, name, strerror(errno));
++ return false;
++ }
++
++ return true;
++}
+diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
+index 0aa58bb..bf5bf64 100644
+--- a/libsandbox/wrappers.h
++++ b/libsandbox/wrappers.h
+@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check (const char *func, const char *pathn
+ attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathname, int dirfd);
+ attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+ attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
++attribute_hidden bool sb_opendir_pre_check (const char *func, const char *name);
+ attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
+ attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
+ char *dirfd_path, size_t dirfd_path_len);
+-- 
+2.9.0
+
diff --git a/sys-apps/sandbox/sandbox-2.10-r3.ebuild b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
new file mode 100644
index 00000000000..910a931a836
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.10-r3.ebuild
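Review bot: In `sb_opendir_pre_check` (sandbox-2.10-fix-opendir.patch) the guard measures only the caller's raw `name` against `PATH_MAX`, while the patch description attributes the abort to the path being cut at `SB_PATH_MAX` on the way through before_syscall/check_syscall. The patch does not show how the two limits relate, nor whether a relative name shorter than `PATH_MAX` can still exceed the internal limit once it is resolved, so the abort may remain reachable. I would record the boundary in the function comment, for example `Only the caller's string is measured; a name that grows past the limit during resolution still reaches check_syscall.`, reworded to whatever is actually the case. The early return presumably makes the wrapper hand back `WRAPPER_RET_DEFAULT` (NULL) with `ENAMETOOLONG`, which denies rather than permits and is the right direction for a sandbox wrapper.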
@@ -0,0 +1,84 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
+ epatch "${FILESDIR}"/${P}-disable-same.patch
+ epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
+ epatch_user
+}
+
+multilib_src_configure() {
+ filter-lfs-flags #90228
+
+ local myconf=()
+ host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+ ECONF_SOURCE="${S}" \
+ econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+ # Default sandbox build will run with --jobs set to # cpus.
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${ED}"/var/log/sandbox
+ chmod 0770 "${ED}"/var/log/sandbox
+
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
+ fi
+ fi
+}
+
+pkg_postinst() {
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+ fi
+}
diff --git a/sys-apps/sandbox/sandbox-2.11-r4.ebuild b/sys-apps/sandbox/sandbox-2.11-r4.ebuild
new file mode 100644
index 00000000000..0cba4b731e7
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-2.11-r4.ebuild
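Review bot: In sandbox-2.10-r3.ebuild, `pkg_preinst` runs plain `chown` and `chmod` on `"${ED}"/var/log/sandbox` with no `|| die`, so a failure there is silent, unlike the `fowners`/`fperms` helpers in `multilib_src_install_all`, which die on failure in this EAPI. These two lines set the owner and the 0770 mode of the sandbox log directory, so I would write them as `chown root:portage "${ED}"/var/log/sandbox || die` and `chmod 0770 "${ED}"/var/log/sandbox || die`. The bare `cd "${S}"` before `dodoc` deserves the same treatment. The identical lines appear in the sandbox-2.11-r4.ebuild hunk that follows.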
@@ -0,0 +1,85 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+EAPI="5"
+
+inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
+SRC_URI="mirror://gentoo/${P}.tar.xz
+ https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE=""
+
+DEPEND="app-arch/xz-utils
+ >=app-misc/pax-utils-0.1.19" #265376
+RDEPEND=""
+
+has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
+
+sandbox_death_notice() {
+ ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-execvpe.patch #578516
+ epatch "${FILESDIR}"/${P}-exec-hash.patch #578524
+ epatch "${FILESDIR}"/${P}-exec-prelink.patch #599894
+ epatch "${FILESDIR}"/${PN}-2.10-fix-opendir.patch #553092
+ epatch_user
+}
+
+multilib_src_configure() {
+ filter-lfs-flags #90228
+
+ local myconf=()
+ host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
+
+ ECONF_SOURCE="${S}" \
+ econf "${myconf[@]}"
+}
+
+multilib_src_test() {
+ # Default sandbox build will run with --jobs set to # cpus.
+ emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
+}
+
+multilib_src_install_all() {
+ doenvd "${FILESDIR}"/09sandbox
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog* NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${ED}"/var/log/sandbox
+ chmod 0770 "${ED}"/var/log/sandbox
+
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
+ if [[ -n ${old} ]] ; then
+ elog "Removing old sandbox libraries for you:"
+ find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
+ fi
+ fi
+}
+
+pkg_postinst() {
+ if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
+ chmod 0755 "${EROOT}"/etc/sandbox.d #265376
+ fi
+}
|