From 7f01cbdf444491306d2b8557973f16b48d93ff69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Amadeusz=20=C5=BBo=C5=82nowski?= <aidecoe@gentoo.org>
Date: Sat, 4 Jun 2016 19:14:12 +0100
Subject: sys-apps/firejail: Allow compile time configuration

Networking features and most Linux kernel security features require root
privileges during configuration. Firejail (as a SUID binary) opens the
access to these features therefore it may be desired to turn off some
of the features on compile time.

Bump EAPI to 6.  Depend on x11-wm/xpra for X11 sandboxing feature.

Package-Manager: portage-2.3.0_rc1
---
 sys-apps/firejail/firejail-0.9.40-r1.ebuild | 42 +++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml              | 14 ++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 sys-apps/firejail/firejail-0.9.40-r1.ebuild

(limited to 'sys-apps/firejail')

diff --git a/sys-apps/firejail/firejail-0.9.40-r1.ebuild b/sys-apps/firejail/firejail-0.9.40-r1.ebuild
new file mode 100644
index 00000000000..778ced4a203
--- /dev/null
+++ b/sys-apps/firejail/firejail-0.9.40-r1.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils
+
+DESCRIPTION="Security sandbox for any type of processes"
+HOMEPAGE="https://firejail.wordpress.com/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+bind +chroot +file-transfer +network network-restricted +seccomp
+	+userns x11"
+
+RDEPEND="x11? ( x11-wm/xpra )"
+
+PATCHES=( "${FILESDIR}"/${P}-sysmacros.patch )
+
+src_prepare() {
+	default
+	find -name Makefile.in -exec sed -i -r \
+			-e '/CFLAGS/s: (-O2|-ggdb) : :g' \
+			-e '1iCC=@CC@' {} + || die
+}
+
+src_configure() {
+	local myeconfargs=(
+		$(use_enable bind)
+		$(use_enable chroot)
+		$(use_enable file-transfer)
+		$(use_enable network)
+		$(use_enable seccomp)
+		$(use_enable userns)
+		$(use_enable x11)
+	)
+	use network-restricted && myeconfargs+=( --enable-network=restricted )
+	econf "${myeconfargs[@]}"
+}
diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml
index 0b1ef011ca9..004a53cb064 100644
--- a/sys-apps/firejail/metadata.xml
+++ b/sys-apps/firejail/metadata.xml
@@ -16,4 +16,18 @@
 	<upstream>
 		<remote-id type="sourceforge">firejail</remote-id>
 	</upstream>
+	<use>
+		<flag name="bind">Enable custom bind mounts</flag>
+		<flag name="chroot">Enable chrooting to custom directory</flag>
+		<flag name="file-transfer">Enable file transfers between sandboxes and
+			the host system</flag>
+		<flag name="network">Enable networking features</flag>
+		<flag name="network-restricted">Grant access to --interface,
+			--net=ethXXX and --netfilter only to root user; regular users are
+			only allowed --net=none</flag>
+		<flag name="seccomp">Enable system call filtering</flag>
+		<flag name="userns">Enable attaching a new user namespace to a
+			sandbox (--noroot option)</flag>
+		<flag name="x11">Enable X11 sandboxing</flag>
+	</use>
 </pkgmetadata>
-- 
cgit v1.2.1