sys-apps/sandbox: Sync with gentoo

It's from gentoo commit 36d4dacd971f39bd0ecde7d93216de68c8efe31a.
2025-08-15 08:56:58 +02:00 · 2022-03-02 17:19:17 +01:00 · 2022-03-02 17:19:17 +01:00 · da9f8ef093
commit da9f8ef093
parent 63c71d0550
19 changed files with 551 additions and 657 deletions
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/Manifest
@ -1,13 +1,8 @@
-AUX 09sandbox 37 BLAKE2B 181213e2cc0bcfa328310cced40bfaba4530d8d2f80e892cb5649d5277c5d59d345ce96ca802a5529a22892c929bafac04c616458fa147a3bee5c89d31b0baf1 SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a
+DIST sandbox-2.24.tar.xz 438408 BLAKE2B 5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843 SHA512 8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0
-AUX sandbox-2.10-disable-same.patch 2547 BLAKE2B 72976e698d1e95cc9153745744e3e9790ade9923ade2459b66969fdd04b0532fad70f08babaf5bbf2240deba9fb92a4a1090cfaec7b2d9a85d6d98adb23926f9 SHA512 bf005fbde7b6ba88df36bb75064658764e488dd2f3c96a6f92c69ad3f2e8d2db12ba2c7bafa9656326b7fde73301c330f68bd064efa0fce2a7eb28fff6ce0a1e
+DIST sandbox-2.25.tar.xz 436004 BLAKE2B c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c SHA512 4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d
-AUX sandbox-2.10-fix-opendir.patch 3311 BLAKE2B d8a604720da1c623e7299215298d6ce3502b58641006e2667047a2477a85e4c071426ae30e5f0a436dfe3d74cc4f34de7fab6729dafec6acddb44974edffe619 SHA512 5c0650d6838b8171a87409ebd8565a90a42603874893708c2cdee5b50535e637f145fa2e51142db857c35a9bc11713b45b7e50c31f96f9ecd6ba342ce8d87928
+DIST sandbox-2.26.tar.xz 444412 BLAKE2B 3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161 SHA512 f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa
-AUX sandbox-2.10-memory-corruption.patch 1515 BLAKE2B 2c0ef4ca1899efd2d525aafb26dcb7ecaf40c3b107e38e3c5d1a39455dd2cd36f8ac8fff43bb1dec22b910e479f328fa139a02f5a8f584ecefcf0ed86e60ad6a SHA512 1eb650824cc7a876fabef382cafb451a507326a8422fb7bb5014699046b64ea8f4cf2bba9efcb75d7a2eac4eff493d06153422f85c119f49635ac0840071660c
+DIST sandbox-2.27.tar.xz 448948 BLAKE2B 03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104 SHA512 2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7
-AUX sandbox-2.11-symlinkat-renameat.patch 3418 BLAKE2B 4864dd5794abbf70d70f30949ee39921f9dafea4445f4cd49d88a5bef9b19769ed0c2c37a7a30fd6e241c159b21aad4f6465ef159ec1652cbb0d4a65e6531869 SHA512 cbefae8aa9c289db0bfe7b2429f64aa4c437be0e269eaa657eb3b22a3086db1fca45a624cb181978b4157f0cb9b475b4ece2eb9337285bf8bede709ad4431c52
+DIST sandbox-2.28.tar.xz 450840 BLAKE2B 1a144db1dcd140ce393f47b224c4389693bd3db6d056749968a9e78730b1075192148aa63fdfd5ab93893dfb96a87bcc36bee8b4540abefca0590a8def8365f2 SHA512 eaac54fbc35f51da3c94bfa10e0556f0fd39c20660fea2aa7d3cbf76dd3e4c9fb4a16cc198425988b79313f9331af030e1dca431c3f057ee4a04927c96897895
-DIST sandbox-2.10.tar.xz 417068 BLAKE2B 78bb5b29b520d41c582e7f7cb444ce580f9f8f05ce80795986ff8e1f84f9320e21fda0c5ae092cce8e5a3dc1c0efa48e1ce69c21107e541d2c569e6369ccb5b0 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305
+DIST sandbox-2.29.tar.xz 452784 BLAKE2B 388f5d9c49134696bafbc6b882581396a9fa2e7caa6ccfb4376706d653f836ce18e0d77527c4c4f2ff753c0b920ab5ab60e151dd8a4e399e13dbc3fe7c0533d6 SHA512 15c0e6b71e8b8547b8188f857568c99b1925d5a837a289b21c4f842341361bf7119b96083697dc83546caf530daab700fb8c2704974e7cfb804d64bb5257a4b4
-DIST sandbox-2.12.tar.xz 424252 BLAKE2B 55eb06cbc15ad9ff8b0c272b8d071591ce3533a6ff807719df79131e6c966d60c3b37d9d8e4e1d466df0992836c4594bf6927b496ecb343a71d7b0656219a6d7 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9
+DIST sandbox-3.0.tar.xz 454384 BLAKE2B b4f38b7c5ed2dc52e558f1b7e36d2308e6017c9d14861c60eace0f240a909f11184e259b2359ea96cad81d21234cc9a6bcd9f313ce56bd2f3bb1ce836f006a50 SHA512 3a35ee0b19a356b1986468ef5d2ecd553b88cbdaf287ce31a211b4072097a9844fca413ffa0f2858b9a4e75ead822fe9d9834f17c241ba32c2f14e02619a70b3
-DIST sandbox-2.13.tar.xz 424968 BLAKE2B efcbf527853e8cfe8b3fec026041f55f51cba78029f92195ec76a45e84cb2b6cc129267c6e50608584607de72a86b2e7836e77f20677de9b94bb5c40999e4712 SHA512 46ad79335e51a1ec0aaa34ab5eeabe9d007818c518682409c5aaf97d49ec23021ece8fa53264ce5332cdd04ef6b3fd9beff0dc0a3cb5dfe2f9b6a6e359f8c1cf
+DIST sandbox-3.1.tar.xz 454404 BLAKE2B f8cc2960f1c7b3367d375952f0a7ca978c1a2cc27b63137046152d1080a1a7b6b99d356af0776d3b57a5c260b2d89f0b7bfb127967407b537642be04e92b8603 SHA512 e57c0fc1ddb5a63012abd02080770d49deaa1d0168508a794df2eaa25b2b7a4fa6c505e8b93572a3745912819202c264cdf980f10dc7101c487a9b03e7f65815
 EBUILD sandbox-2.10-r3.ebuild 2156 BLAKE2B fecdef4a769d481e6479c82c341626de5d935f031b33df13eaae51b2041e0793a9854f3726ae90586586dc7d0008230f7ba6ae948c48d145d5c05bd4fd0aa027 SHA512 a08a00c80dcd282c929078c7c3afed16a7c30d710294e1621cf2ca1841f01f95872dd92a0bea1f3d7bb8850c05cffcefb68c58a36c9b1eac1960d1d4b04e3224
 EBUILD sandbox-2.10-r4.ebuild 2222 BLAKE2B 5f0e178bafb0f28dcf320452c64317d9883afee0a68c09190e3293bd857b5ee816e4656b01b5e1dbb7664802d0e13a05540ab4ba61a04c93788dc1d21cee7c95 SHA512 dca8808e22888f5542a1233604a84b0a5e9952bf6e8792b24a716e477b254fc90ac1efc0cff0eccf832f10026cf56341011e227001c70f0d5eaab36c89b5a23c
 EBUILD sandbox-2.12.ebuild 1931 BLAKE2B cd545ca0c7b3b1ca9672e7a0562da03b9eae5dbef36cec7d1eb59d452785ee8f11c03b9a25a9cfe0862a923d5b0f9349c15c6076f9735062cb43505607520b73 SHA512 2a5ec9b1aacfb63d3c4d8f64d067091ab28c7f54ca295a857d14d11d1f4e410c5475cf32d0801cfa1362ce57045da0ef5e1f413a1b56dc541c5efe56d4410d7c
 EBUILD sandbox-2.13.ebuild 1938 BLAKE2B 26db9bc8c8334a4a20bcb09765861f6ed6b6a3da6edd02cc9438943fc18271a9ffa90a26d37e2f648cdd5073a22de71decc21417db1ea331833f11d146f5ce4d SHA512 11cd256384d562de308cd579a04c3742dc436a8e3f4e30cc66d837373c2352b99b23bd4fbfee6fa61b74b7e1eaae95b7ffec1f0fb9785979b783c17f420cdbe7
 MISC metadata.xml 252 BLAKE2B d709f9b334b2810c5ffe7d73ef430f0f347f26f7649bca4bb8803c8e0be106534bcee6efae4f80b6fb1781b09284bb3dbc32d8dff4a3aa01a924fd3437b9da7c SHA512 de8b6a78dcc379d1d34960caecdab8da9fdb9a9f010ec8611cab79487b5f28f6ae80c8b0884731fa91c4ae98482a195faa8d1ec911b1d95fafdfe9cd622cc5d9
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch
@ -1,77 +0,0 @@
 From 7a923f646ce10b7dec3c7ae5fe2079c10aa21752 Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Sun, 20 Dec 2015 16:08:16 -0500
 Subject: [PATCH] libsbutil: gnulib: hand disable same_name usage
 We don't provide same_name because the one caller we don't use, but it
 relies on gc-sections to avoid link errors.  That flag doesn't work on
 ia64 though, so we need to hand delete the one caller.  Ugh.
 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 ---
 libsbutil/gnulib/hash-triple.c |  9 ---------
 libsbutil/gnulib/same.h        | 25 -------------------------
 2 files changed, 34 deletions(-)
 delete mode 100644 libsbutil/gnulib/same.h
 diff --git a/libsbutil/gnulib/hash-triple.c b/libsbutil/gnulib/hash-triple.c
 index c3b6d9f..06cfbdf 100644
 --- a/libsbutil/gnulib/hash-triple.c
 +++ b/libsbutil/gnulib/hash-triple.c
@@ -24,7 +24,6 @@
 #include <string.h>
 #include "hash-pjw.h"
 -#include "same.h"
 #include "same-inode.h"
 #define STREQ(a, b) (strcmp (a, b) == 0)
@@ -52,14 +51,6 @@ triple_hash_no_name (void const *x, size_t table_size)
 /* Compare two F_triple structs.  */
 bool
 -triple_compare (void const *x, void const *y)
 -{
 -  struct F_triple const *a = x;
 -  struct F_triple const *b = y;
 -  return (SAME_INODE (*a, *b) && same_name (a->name, b->name)) ? true : false;
 -}
 -
 -bool
 triple_compare_ino_str (void const *x, void const *y)
 {
   struct F_triple const *a = x;
 diff --git a/libsbutil/gnulib/same.h b/libsbutil/gnulib/same.h
 deleted file mode 100644
 index ee313c5..0000000
 --- a/libsbutil/gnulib/same.h
 +++ /dev/null
@@ -1,25 +0,0 @@
 -/* Determine whether two file names refer to the same file.
 -
 -   Copyright (C) 1997-2000, 2003-2004, 2009-2015 Free Software Foundation, Inc.
 -
 -   This program is free software: you can redistribute it and/or modify
 -   it under the terms of the GNU General Public License as published by
 -   the Free Software Foundation; either version 3 of the License, or
 -   (at your option) any later version.
 -
 -   This program is distributed in the hope that it will be useful,
 -   but WITHOUT ANY WARRANTY; without even the implied warranty of
 -   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 -   GNU General Public License for more details.
 -
 -   You should have received a copy of the GNU General Public License
 -   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
 -
 -#ifndef SAME_H_
 -# define SAME_H_ 1
 -
 -# include <stdbool.h>
 -
 -bool same_name (const char *source, const char *dest);
 -
 -#endif /* SAME_H_ */
 -- 
 2.6.2
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch
@ -1,79 +0,0 @@
 From 3f668dc6ba1910085e61b3a24167ab1352c60d92 Mon Sep 17 00:00:00 2001
 From: Mart Raudsepp <leio@gentoo.org>
 Date: Fri, 11 Nov 2016 12:34:48 +0200
 Subject: [PATCH] libsandbox: do not abort with a long name to opendir
 Add a pre-check for opendir that catches too long name arguments
 given to opendir, as it would get messed up and abort before it
 even gets to the open*() syscall (which would handle it correctly),
 due to opendir going through before_syscall/check_syscall, even
 though it isn't a true syscall and it getting cut to SB_PATH_MAX
 inbetween and getting confused somewhere.
 URL: https://bugs.gentoo.org/553092
 Signed-off-by: Mart Raudsepp <leio@gentoo.org>
 ---
 libsandbox/wrapper-funcs/opendir.c           |  2 ++
 libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
 libsandbox/wrappers.h                        |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 libsandbox/wrapper-funcs/opendir_pre_check.c
 diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
 index 7670775..70c2692 100644
 --- a/libsandbox/wrapper-funcs/opendir.c
 +++ b/libsandbox/wrapper-funcs/opendir.c
@@ -10,4 +10,6 @@
 #define WRAPPER_SAFE() SB_SAFE(name)
 #define WRAPPER_RET_TYPE DIR *
 #define WRAPPER_RET_DEFAULT NULL
 +#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
 +
 #include "__wrapper_simple.c"
 diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
 new file mode 100644
 index 0000000..60c869f
 --- /dev/null
 +++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
@@ -0,0 +1,26 @@
 +/*
 + * opendir() pre-check.
 + *
 + * Copyright 1999-2016 Gentoo Foundation
 + * Licensed under the GPL-2
 + */
 +
 +bool sb_opendir_pre_check(const char *func, const char *name)
 +{
 +	/* If length of name is larger than PATH_MAX, we would mess it up
 +	 * before it reaches the open syscall, which would cleanly error out
 +	 * via sandbox as well (actually with much smaller lengths than even
 +	 * PATH_MAX).
 +	 * So error out early in this case, in order to avoid an abort in
 +	 * check_syscall later on, which gets ran for opendir, despite it not
 +	 * being a syscall.
 +	 */
 +	if (strnlen(name, PATH_MAX) == PATH_MAX) {
 +		errno = ENAMETOOLONG;
 +		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
 +			func, name, strerror(errno));
 +		return false;
 +	}
 +
 +	return true;
 +}
 diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
 index 0aa58bb..bf5bf64 100644
 --- a/libsandbox/wrappers.h
 +++ b/libsandbox/wrappers.h
@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check  (const char *func, const char *pathn
 attribute_hidden bool sb_mkdirat_pre_check  (const char *func, const char *pathname, int dirfd);
 attribute_hidden bool sb_openat_pre_check   (const char *func, const char *pathname, int dirfd, int flags);
 attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
 +attribute_hidden bool sb_opendir_pre_check  (const char *func, const char *name);
 attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
 attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
                                              char *dirfd_path, size_t dirfd_path_len);
 -- 
 2.9.0
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch
@ -1,42 +0,0 @@
 From 529a388ebb1b4e9d6ad8a1bb61dd8211833a5976 Mon Sep 17 00:00:00 2001
 From: Denis Lisov <dennis.lissov@gmail.com>
 Date: Sat, 19 Dec 2015 19:13:58 +0300
 Subject: [PATCH] libsandbox: fix old_malloc_size check on realloc
 Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
 while it is really the mmap size, which is greater. Thus it may fail
 to reallocate even if required.
 URL: https://bugs.gentoo.org/568714
 Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 ---
 libsandbox/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/libsandbox/memory.c b/libsandbox/memory.c
 index 8581128..a2d69a2 100644
 --- a/libsandbox/memory.c
 +++ b/libsandbox/memory.c
@@ -40,7 +40,8 @@ static int sb_munmap(void *addr, size_t length)
 #define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
 #define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
 -#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
 +#define SB_MALLOC_TO_MMAP_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
 +#define SB_MALLOC_TO_SIZE(ptr) (SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN)
 void *malloc(size_t size)
 {
@@ -57,7 +58,7 @@ void free(void *ptr)
 {
 	if (ptr == NULL)
 		return;
 -	if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_SIZE(ptr)))
 +	if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_MMAP_SIZE(ptr)))
 		sb_ebort("sandbox memory corruption with free(%p): %s\n",
 			ptr, strerror(errno));
 }
 -- 
 2.6.2
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch
@ -1,124 +0,0 @@
 From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Fri, 10 Mar 2017 10:15:50 -0800
 Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
 These funcs don't deref their path args, so flag them as such.
 URL: https://bugs.gentoo.org/612202
 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 ---
 libsandbox/libsandbox.c |  4 +++-
 tests/renameat-2.sh     | 12 ++++++++++++
 tests/renameat-3.sh     | 11 +++++++++++
 tests/renameat.at       |  2 ++
 tests/symlinkat-2.sh    | 10 ++++++++++
 tests/symlinkat-3.sh    |  9 +++++++++
 tests/symlinkat.at      |  2 ++
 7 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100755 tests/renameat-2.sh
 create mode 100755 tests/renameat-3.sh
 create mode 100755 tests/symlinkat-2.sh
 create mode 100755 tests/symlinkat-3.sh
 diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
 index e809308d717d..de48bd79ba53 100644
 --- a/libsandbox/libsandbox.c
 +++ b/libsandbox/libsandbox.c
@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path)
 	      sb_nr == SB_NR_LCHOWN   ||
 	      sb_nr == SB_NR_REMOVE   ||
 	      sb_nr == SB_NR_RENAME   ||
 +	      sb_nr == SB_NR_RENAMEAT ||
 	      sb_nr == SB_NR_RMDIR    ||
 -	      sb_nr == SB_NR_SYMLINK))
 +	      sb_nr == SB_NR_SYMLINK  ||
 +	      sb_nr == SB_NR_SYMLINKAT))
 	{
 		/* These funcs sometimes operate on symlinks */
 		if (!((sb_nr == SB_NR_FCHOWNAT ||
 diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
 new file mode 100755
 index 000000000000..d0fbe8ae4574
 --- /dev/null
 +++ b/tests/renameat-2.sh
@@ -0,0 +1,12 @@
 +#!/bin/sh
 +# make sure we can clobber symlinks #612202
 +
 +addwrite $PWD
 +
 +ln -s /asdf sym || exit 1
 +touch file
 +renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
 +[ ! -e file ]
 +[ ! -L sym ]
 +[ -e sym ]
 +test ! -s "${SANDBOX_LOG}"
 diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
 new file mode 100755
 index 000000000000..9ae5c9a6511a
 --- /dev/null
 +++ b/tests/renameat-3.sh
@@ -0,0 +1,11 @@
 +#!/bin/sh
 +# make sure we reject bad renames #612202
 +
 +addwrite $PWD
 +mkdir deny
 +adddeny $PWD/deny
 +
 +touch file
 +renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
 +[ -e file ]
 +test -s "${SANDBOX_LOG}"
 diff --git a/tests/renameat.at b/tests/renameat.at
 index 081d7d20277e..eec4638deeaa 100644
 --- a/tests/renameat.at
 +++ b/tests/renameat.at
@@ -1 +1,3 @@
 SB_CHECK(1)
 +SB_CHECK(2)
 +SB_CHECK(3)
 diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
 new file mode 100755
 index 000000000000..168362e8806f
 --- /dev/null
 +++ b/tests/symlinkat-2.sh
@@ -0,0 +1,10 @@
 +#!/bin/sh
 +# make sure we can clobber symlinks #612202
 +
 +addwrite $PWD
 +
 +symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
 +[ -L sym ]
 +symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
 +[ -L sym ]
 +test ! -s "${SANDBOX_LOG}"
 diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
 new file mode 100755
 index 000000000000..a01c750dd2b6
 --- /dev/null
 +++ b/tests/symlinkat-3.sh
@@ -0,0 +1,9 @@
 +#!/bin/sh
 +# make sure we reject bad symlinks #612202
 +
 +addwrite $PWD
 +mkdir deny
 +adddeny $PWD/deny
 +
 +symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
 +test -s "${SANDBOX_LOG}"
 diff --git a/tests/symlinkat.at b/tests/symlinkat.at
 index 081d7d20277e..eec4638deeaa 100644
 --- a/tests/symlinkat.at
 +++ b/tests/symlinkat.at
@@ -1 +1,3 @@
 SB_CHECK(1)
 +SB_CHECK(2)
 +SB_CHECK(3)
 -- 
 2.12.0
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-3.1-label-decl.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-3.1-label-decl.patch
@ -0,0 +1,41 @@
 From 82f6d876660ba1132d75ccfef5c4301d123ea505 Mon Sep 17 00:00:00 2001
 From: Mike Frysinger <vapier@gentoo.org>
 Date: Wed, 3 Nov 2021 12:25:10 -0400
 Subject: [PATCH] libsandbox: tweak label/decl code for some compiler settings
 Looks like gcc is inconsistent in when it chokes on this code:
 > a label can only be part of a statement and a declaration is not a statement
 Hoist the decl up to the top of scope to avoid the issue.
 Bug: https://bugs.gentoo.org/821433
 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
 ---
 libsandbox/trace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/libsandbox/trace.c b/libsandbox/trace.c
 index f3390d99822e..d2899b743048 100644
 --- a/libsandbox/trace.c
 +++ b/libsandbox/trace.c
@@ -704,6 +704,8 @@ static char *flatten_args(char *const argv[])
 bool trace_possible(const char *filename, char *const argv[], const void *data)
 {
 +	char *args;
 +
 	/* If YAMA ptrace_scope is very high, then we can't trace at all.  #771360 */
 	int yama = trace_yama_level();
 	if (yama >= 2) {
@@ -721,7 +723,7 @@ bool trace_possible(const char *filename, char *const argv[], const void *data)
 	}
  fail:
 -	char *args = flatten_args(argv);
 +	args = flatten_args(argv);
 	sb_eqawarn("Unable to trace static ELF: %s: %s\n", filename, args);
 	free(args);
 	return false;
 -- 
 2.33.0
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/metadata.xml
@ -1,8 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 <maintainer type="project">
  <email>sandbox@gentoo.org</email>
  <name>Sandbox Maintainers</name>
 </maintainer>
 <use>
  <flag name="nnp">Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo)</flag>
 </use>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r3.ebuild
@ -1,84 +0,0 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # don't monkey with this ebuild unless contacting portage devs.
 # period.
 #
 EAPI="5"
 inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
 SRC_URI="mirror://gentoo/${P}.tar.xz
 	https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
 	epatch "${FILESDIR}"/${P}-disable-same.patch
 	epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
 	epatch_user
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	local myconf=()
 	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
 	ECONF_SOURCE="${S}" \
 	econf "${myconf[@]}"
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	cd "${S}"
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_preinst() {
 	chown root:portage "${ED}"/var/log/sandbox
 	chmod 0770 "${ED}"/var/log/sandbox
 	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
 		local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
 		if [[ -n ${old} ]] ; then
 			elog "Removing old sandbox libraries for you:"
 			find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
 		fi
 	fi
 }
 pkg_postinst() {
 	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
 		chmod 0755 "${EROOT}"/etc/sandbox.d #265376
 	fi
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r4.ebuild
@ -1,85 +0,0 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # don't monkey with this ebuild unless contacting portage devs.
 # period.
 #
 EAPI="5"
 inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
 SRC_URI="mirror://gentoo/${P}.tar.xz
 	https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
 	epatch "${FILESDIR}"/${P}-disable-same.patch
 	epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
 	epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202
 	epatch_user
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	local myconf=()
 	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
 	ECONF_SOURCE="${S}" \
 	econf "${myconf[@]}"
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	cd "${S}"
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_preinst() {
 	chown root:portage "${ED}"/var/log/sandbox
 	chmod 0770 "${ED}"/var/log/sandbox
 	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
 		local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
 		if [[ -n ${old} ]] ; then
 			elog "Removing old sandbox libraries for you:"
 			find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
 		fi
 	fi
 }
 pkg_postinst() {
 	if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
 		chmod 0755 "${EROOT}"/etc/sandbox.d #265376
 	fi
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.12.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.12.ebuild
@ -1,76 +0,0 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 EAPI="6"
 inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
 SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~x86-fbsd"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	local myconf=()
 	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
 	ECONF_SOURCE="${S}" \
 	econf "${myconf[@]}"
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_preinst() {
 	chown root:portage "${ED}"/var/log/sandbox
 	chmod 0770 "${ED}"/var/log/sandbox
 	local v
 	for v in ${REPLACING_VERSIONS}; do
 		if [[ ${v} == 1.* ]] ; then
 			local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
 			if [[ -n ${old} ]] ; then
 				elog "Removing old sandbox libraries for you:"
 				find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
 			fi
 		fi
 	done
 }
 pkg_postinst() {
 	local v
 	for v in ${REPLACING_VERSIONS}; do
 		if [[ ${v} == 1.* ]] ; then
 			chmod 0755 "${EROOT}"/etc/sandbox.d #265376
 		fi
 	done
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.13.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.13.ebuild
@ -1,76 +0,0 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 EAPI="6"
 inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
 SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	local myconf=()
 	host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
 	ECONF_SOURCE="${S}" \
 	econf "${myconf[@]}"
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_preinst() {
 	chown root:portage "${ED}"/var/log/sandbox
 	chmod 0770 "${ED}"/var/log/sandbox
 	local v
 	for v in ${REPLACING_VERSIONS}; do
 		if [[ ${v} == 1.* ]] ; then
 			local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
 			if [[ -n ${old} ]] ; then
 				elog "Removing old sandbox libraries for you:"
 				find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
 			fi
 		fi
 	done
 }
 pkg_postinst() {
 	local v
 	for v in ${REPLACING_VERSIONS}; do
 		if [[ ${v} == 1.* ]] ; then
 			chmod 0755 "${EROOT}"/etc/sandbox.d #265376
 		fi
 	done
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.24.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.24.ebuild
@ -0,0 +1,63 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~sam/distfiles/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	# -j1 to prevent test faiures caused by file descriptor
 	# injection GNU make does.
 	emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_postinst() {
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.25.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.25.ebuild
@ -0,0 +1,63 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	# -j1 to prevent test faiures caused by file descriptor
 	# injection GNU make does.
 	emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	keepdir /var/log/sandbox
 	fowners root:portage /var/log/sandbox
 	fperms 0770 /var/log/sandbox
 	dodoc AUTHORS ChangeLog* NEWS README
 }
 pkg_postinst() {
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.26.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.26.ebuild
@ -0,0 +1,58 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE=""
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.27.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.27.ebuild
@ -0,0 +1,62 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="+nnp"
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	if ! use nnp ; then
 		sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
 	fi
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.28.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.28.ebuild
@ -0,0 +1,62 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="+nnp"
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	if ! use nnp ; then
 		sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
 	fi
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.29.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.29.ebuild
@ -0,0 +1,62 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="+nnp"
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	if ! use nnp ; then
 		sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
 	fi
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.0.ebuild
@ -0,0 +1,62 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="+nnp"
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	if ! use nnp ; then
 		sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
 	fi
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.1.ebuild
@ -0,0 +1,66 @@
 # Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
 inherit flag-o-matic multilib-minimal multiprocessing
 DESCRIPTION="sandbox'd LD_PRELOAD hack"
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
 SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="+nnp"
 DEPEND="app-arch/xz-utils
 	>=app-misc/pax-utils-0.1.19" #265376
 RDEPEND=""
 PATCHES=(
 	"${FILESDIR}"/${P}-label-decl.patch #821433
 )
 has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
 sandbox_death_notice() {
 	ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
 	ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
 }
 src_prepare() {
 	default
 	if ! use nnp ; then
 		sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
 	fi
 	# sandbox uses `__asm__ (".symver "...` which does
 	# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
 	append-flags -fno-lto
 	append-ldflags -fno-lto
 }
 multilib_src_configure() {
 	filter-lfs-flags #90228
 	ECONF_SOURCE="${S}" econf
 }
 multilib_src_test() {
 	# Default sandbox build will run with --jobs set to # cpus.
 	emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
 }
 multilib_src_install_all() {
 	doenvd "${FILESDIR}"/09sandbox
 	dodoc AUTHORS ChangeLog* README.md
 }
 pkg_postinst() {
 	mkdir -p "${EROOT}"/var/log/sandbox
 	chown root:portage "${EROOT}"/var/log/sandbox
 	chmod 0770 "${EROOT}"/var/log/sandbox
 }