mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-15 08:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-apps/sandbox: Sync with gentoo

Browse Source 
It's from gentoo commit 36d4dacd971f39bd0ecde7d93216de68c8efe31a.
This commit is contained in:
Krzesimir Nowak 2022-03-02 17:19:17 +01:00
parent 63c71d0550
commit da9f8ef093
19 changed files with 551 additions and 657 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/Manifest vendored
View File

@ -1,13 +1,8 @@
AUX 09sandbox 37 BLAKE2B 181213e2cc0bcfa328310cced40bfaba4530d8d2f80e892cb5649d5277c5d59d345ce96ca802a5529a22892c929bafac04c616458fa147a3bee5c89d31b0baf1 SHA512 4e8a9c58debde6480224a45559c5f2db4765213d151e47937f9142f110cac3681bf6402acaf21249a37bb17398e7bc00ae7feee68ecdb5b9363c432eac1b052a
AUX sandbox-2.10-disable-same.patch 2547 BLAKE2B 72976e698d1e95cc9153745744e3e9790ade9923ade2459b66969fdd04b0532fad70f08babaf5bbf2240deba9fb92a4a1090cfaec7b2d9a85d6d98adb23926f9 SHA512 bf005fbde7b6ba88df36bb75064658764e488dd2f3c96a6f92c69ad3f2e8d2db12ba2c7bafa9656326b7fde73301c330f68bd064efa0fce2a7eb28fff6ce0a1e
AUX sandbox-2.10-fix-opendir.patch 3311 BLAKE2B d8a604720da1c623e7299215298d6ce3502b58641006e2667047a2477a85e4c071426ae30e5f0a436dfe3d74cc4f34de7fab6729dafec6acddb44974edffe619 SHA512 5c0650d6838b8171a87409ebd8565a90a42603874893708c2cdee5b50535e637f145fa2e51142db857c35a9bc11713b45b7e50c31f96f9ecd6ba342ce8d87928
AUX sandbox-2.10-memory-corruption.patch 1515 BLAKE2B 2c0ef4ca1899efd2d525aafb26dcb7ecaf40c3b107e38e3c5d1a39455dd2cd36f8ac8fff43bb1dec22b910e479f328fa139a02f5a8f584ecefcf0ed86e60ad6a SHA512 1eb650824cc7a876fabef382cafb451a507326a8422fb7bb5014699046b64ea8f4cf2bba9efcb75d7a2eac4eff493d06153422f85c119f49635ac0840071660c
AUX sandbox-2.11-symlinkat-renameat.patch 3418 BLAKE2B 4864dd5794abbf70d70f30949ee39921f9dafea4445f4cd49d88a5bef9b19769ed0c2c37a7a30fd6e241c159b21aad4f6465ef159ec1652cbb0d4a65e6531869 SHA512 cbefae8aa9c289db0bfe7b2429f64aa4c437be0e269eaa657eb3b22a3086db1fca45a624cb181978b4157f0cb9b475b4ece2eb9337285bf8bede709ad4431c52
DIST sandbox-2.10.tar.xz 417068 BLAKE2B 78bb5b29b520d41c582e7f7cb444ce580f9f8f05ce80795986ff8e1f84f9320e21fda0c5ae092cce8e5a3dc1c0efa48e1ce69c21107e541d2c569e6369ccb5b0 SHA512 178b3b8fcb54e6ff67df1c8101866739b49e4d31a66717c21ef502dd2ab609fca70f1a0c662b913e207bfc1ba6994cefdcf5c92ff32add9dd98bd9707f301305
DIST sandbox-2.12.tar.xz 424252 BLAKE2B 55eb06cbc15ad9ff8b0c272b8d071591ce3533a6ff807719df79131e6c966d60c3b37d9d8e4e1d466df0992836c4594bf6927b496ecb343a71d7b0656219a6d7 SHA512 98bd2ee8807d81e65ee0c9f11cfaf2b37da2ee4d8763c68d18c0ff6b14f3cc847ae2d3a0aa30cbe86063a2108ed4d4dcf7cc3fc4f37cb7549d266d4c1989c2a9
DIST sandbox-2.13.tar.xz 424968 BLAKE2B efcbf527853e8cfe8b3fec026041f55f51cba78029f92195ec76a45e84cb2b6cc129267c6e50608584607de72a86b2e7836e77f20677de9b94bb5c40999e4712 SHA512 46ad79335e51a1ec0aaa34ab5eeabe9d007818c518682409c5aaf97d49ec23021ece8fa53264ce5332cdd04ef6b3fd9beff0dc0a3cb5dfe2f9b6a6e359f8c1cf
EBUILD sandbox-2.10-r3.ebuild 2156 BLAKE2B fecdef4a769d481e6479c82c341626de5d935f031b33df13eaae51b2041e0793a9854f3726ae90586586dc7d0008230f7ba6ae948c48d145d5c05bd4fd0aa027 SHA512 a08a00c80dcd282c929078c7c3afed16a7c30d710294e1621cf2ca1841f01f95872dd92a0bea1f3d7bb8850c05cffcefb68c58a36c9b1eac1960d1d4b04e3224
EBUILD sandbox-2.10-r4.ebuild 2222 BLAKE2B 5f0e178bafb0f28dcf320452c64317d9883afee0a68c09190e3293bd857b5ee816e4656b01b5e1dbb7664802d0e13a05540ab4ba61a04c93788dc1d21cee7c95 SHA512 dca8808e22888f5542a1233604a84b0a5e9952bf6e8792b24a716e477b254fc90ac1efc0cff0eccf832f10026cf56341011e227001c70f0d5eaab36c89b5a23c
EBUILD sandbox-2.12.ebuild 1931 BLAKE2B cd545ca0c7b3b1ca9672e7a0562da03b9eae5dbef36cec7d1eb59d452785ee8f11c03b9a25a9cfe0862a923d5b0f9349c15c6076f9735062cb43505607520b73 SHA512 2a5ec9b1aacfb63d3c4d8f64d067091ab28c7f54ca295a857d14d11d1f4e410c5475cf32d0801cfa1362ce57045da0ef5e1f413a1b56dc541c5efe56d4410d7c
EBUILD sandbox-2.13.ebuild 1938 BLAKE2B 26db9bc8c8334a4a20bcb09765861f6ed6b6a3da6edd02cc9438943fc18271a9ffa90a26d37e2f648cdd5073a22de71decc21417db1ea331833f11d146f5ce4d SHA512 11cd256384d562de308cd579a04c3742dc436a8e3f4e30cc66d837373c2352b99b23bd4fbfee6fa61b74b7e1eaae95b7ffec1f0fb9785979b783c17f420cdbe7
MISC metadata.xml 252 BLAKE2B d709f9b334b2810c5ffe7d73ef430f0f347f26f7649bca4bb8803c8e0be106534bcee6efae4f80b6fb1781b09284bb3dbc32d8dff4a3aa01a924fd3437b9da7c SHA512 de8b6a78dcc379d1d34960caecdab8da9fdb9a9f010ec8611cab79487b5f28f6ae80c8b0884731fa91c4ae98482a195faa8d1ec911b1d95fafdfe9cd622cc5d9
DIST sandbox-2.24.tar.xz 438408 BLAKE2B 5e725d17da0abc06d56216f4df2f4034076f50163db1c3bbddbf4fd07dbd5b7d92ef2f1b2c01eb77ff6cf531c5cc6a05e60b028f585310ac56eef96240882843 SHA512 8df5414e334a15f367acfd218ba1b74ba618b93d7bdeca8a039b69cbd81ab048ec5a6cecb24df09fa9a5f4fe214d647acf5138004defd45e6396eec5ae7c93d0
DIST sandbox-2.25.tar.xz 436004 BLAKE2B c9c7d351cdefbb2b1a585904c38742a5a3bde50d3d690c57cff9cdc71ffb822e78a2b56c47afd03fbc70834de5dda13c5a300d9d6b35e09ec400a050d4f8e82c SHA512 4e998c4d9ba6eb69369cc49849060a2e90535eae91fbb64c4d46371fe0ed5182413b14674f10c773fd997b6895bc870ccb23586351f5bb06b69dc11a0cddbe1d
DIST sandbox-2.26.tar.xz 444412 BLAKE2B 3bc88d86ba4e2522895c4448dff6da2cffceb912e5ff9610fe4c3aea255ffd9b9ca9bbe8e45d94508f45e9c141aa6945a9a8d82cba0f3ca102ff6a1624c84161 SHA512 f20766daf2ce43753772a184c86a7b6847f96ab7b60b202616e15d791bc1f770162035a9b1ffe38765dff8d2567ad971a9a2bdeba9a8769845a758fcd95206fa
DIST sandbox-2.27.tar.xz 448948 BLAKE2B 03a311c8c7c8719bac398e39ce49e7149bdaa1d5b2811f395eb2251a32aabba995f97c3d5d27461aadb64bf43adf2b0cbaa7c2f141dd86f64f8dd326422ac104 SHA512 2a53e6fc87cec975962737b1fadc447d86985d27b18ad2caed711116da2ba435f54db0f7dadb02664b2638b9dc77752831cd4820390f5c3e61a42429e13462a7
DIST sandbox-2.28.tar.xz 450840 BLAKE2B 1a144db1dcd140ce393f47b224c4389693bd3db6d056749968a9e78730b1075192148aa63fdfd5ab93893dfb96a87bcc36bee8b4540abefca0590a8def8365f2 SHA512 eaac54fbc35f51da3c94bfa10e0556f0fd39c20660fea2aa7d3cbf76dd3e4c9fb4a16cc198425988b79313f9331af030e1dca431c3f057ee4a04927c96897895
DIST sandbox-2.29.tar.xz 452784 BLAKE2B 388f5d9c49134696bafbc6b882581396a9fa2e7caa6ccfb4376706d653f836ce18e0d77527c4c4f2ff753c0b920ab5ab60e151dd8a4e399e13dbc3fe7c0533d6 SHA512 15c0e6b71e8b8547b8188f857568c99b1925d5a837a289b21c4f842341361bf7119b96083697dc83546caf530daab700fb8c2704974e7cfb804d64bb5257a4b4
DIST sandbox-3.0.tar.xz 454384 BLAKE2B b4f38b7c5ed2dc52e558f1b7e36d2308e6017c9d14861c60eace0f240a909f11184e259b2359ea96cad81d21234cc9a6bcd9f313ce56bd2f3bb1ce836f006a50 SHA512 3a35ee0b19a356b1986468ef5d2ecd553b88cbdaf287ce31a211b4072097a9844fca413ffa0f2858b9a4e75ead822fe9d9834f17c241ba32c2f14e02619a70b3
DIST sandbox-3.1.tar.xz 454404 BLAKE2B f8cc2960f1c7b3367d375952f0a7ca978c1a2cc27b63137046152d1080a1a7b6b99d356af0776d3b57a5c260b2d89f0b7bfb127967407b537642be04e92b8603 SHA512 e57c0fc1ddb5a63012abd02080770d49deaa1d0168508a794df2eaa25b2b7a4fa6c505e8b93572a3745912819202c264cdf980f10dc7101c487a9b03e7f65815

77
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-disable-same.patch vendored
View File

@ -1,77 +0,0 @@
From 7a923f646ce10b7dec3c7ae5fe2079c10aa21752 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sun, 20 Dec 2015 16:08:16 -0500
Subject: [PATCH] libsbutil: gnulib: hand disable same_name usage
We don't provide same_name because the one caller we don't use, but it
relies on gc-sections to avoid link errors. That flag doesn't work on
ia64 though, so we need to hand delete the one caller. Ugh.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
libsbutil/gnulib/hash-triple.c | 9 ---------
libsbutil/gnulib/same.h | 25 -------------------------
2 files changed, 34 deletions(-)
delete mode 100644 libsbutil/gnulib/same.h
diff --git a/libsbutil/gnulib/hash-triple.c b/libsbutil/gnulib/hash-triple.c
index c3b6d9f..06cfbdf 100644
--- a/libsbutil/gnulib/hash-triple.c
+++ b/libsbutil/gnulib/hash-triple.c
@@ -24,7 +24,6 @@
#include <string.h>
#include "hash-pjw.h"
-#include "same.h"
#include "same-inode.h"
#define STREQ(a, b) (strcmp (a, b) == 0)
@@ -52,14 +51,6 @@ triple_hash_no_name (void const *x, size_t table_size)
/* Compare two F_triple structs. */
bool
-triple_compare (void const *x, void const *y)
-{
- struct F_triple const *a = x;
- struct F_triple const *b = y;
- return (SAME_INODE (*a, *b) && same_name (a->name, b->name)) ? true : false;
-}
-
-bool
triple_compare_ino_str (void const *x, void const *y)
{
struct F_triple const *a = x;
diff --git a/libsbutil/gnulib/same.h b/libsbutil/gnulib/same.h
deleted file mode 100644
index ee313c5..0000000
--- a/libsbutil/gnulib/same.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Determine whether two file names refer to the same file.
-
- Copyright (C) 1997-2000, 2003-2004, 2009-2015 Free Software Foundation, Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>. */
-
-#ifndef SAME_H_
-# define SAME_H_ 1
-
-# include <stdbool.h>
-
-bool same_name (const char *source, const char *dest);
-
-#endif /* SAME_H_ */
--
2.6.2

79
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-fix-opendir.patch vendored
View File

@ -1,79 +0,0 @@
From 3f668dc6ba1910085e61b3a24167ab1352c60d92 Mon Sep 17 00:00:00 2001
From: Mart Raudsepp <leio@gentoo.org>
Date: Fri, 11 Nov 2016 12:34:48 +0200
Subject: [PATCH] libsandbox: do not abort with a long name to opendir
Add a pre-check for opendir that catches too long name arguments
given to opendir, as it would get messed up and abort before it
even gets to the open*() syscall (which would handle it correctly),
due to opendir going through before_syscall/check_syscall, even
though it isn't a true syscall and it getting cut to SB_PATH_MAX
inbetween and getting confused somewhere.
URL: https://bugs.gentoo.org/553092
Signed-off-by: Mart Raudsepp <leio@gentoo.org>
---
libsandbox/wrapper-funcs/opendir.c | 2 ++
libsandbox/wrapper-funcs/opendir_pre_check.c | 26 ++++++++++++++++++++++++++
libsandbox/wrappers.h | 1 +
3 files changed, 29 insertions(+)
create mode 100644 libsandbox/wrapper-funcs/opendir_pre_check.c
diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
index 7670775..70c2692 100644
--- a/libsandbox/wrapper-funcs/opendir.c
+++ b/libsandbox/wrapper-funcs/opendir.c
@@ -10,4 +10,6 @@
#define WRAPPER_SAFE() SB_SAFE(name)
#define WRAPPER_RET_TYPE DIR *
#define WRAPPER_RET_DEFAULT NULL
+#define WRAPPER_PRE_CHECKS() sb_opendir_pre_check(STRING_NAME, name)
+
#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/opendir_pre_check.c b/libsandbox/wrapper-funcs/opendir_pre_check.c
new file mode 100644
index 0000000..60c869f
--- /dev/null
+++ b/libsandbox/wrapper-funcs/opendir_pre_check.c
@@ -0,0 +1,26 @@
+/*
+ * opendir() pre-check.
+ *
+ * Copyright 1999-2016 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+bool sb_opendir_pre_check(const char *func, const char *name)
+{
+ /* If length of name is larger than PATH_MAX, we would mess it up
+ * before it reaches the open syscall, which would cleanly error out
+ * via sandbox as well (actually with much smaller lengths than even
+ * PATH_MAX).
+ * So error out early in this case, in order to avoid an abort in
+ * check_syscall later on, which gets ran for opendir, despite it not
+ * being a syscall.
+ */
+ if (strnlen(name, PATH_MAX) == PATH_MAX) {
+ errno = ENAMETOOLONG;
+ sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
+ func, name, strerror(errno));
+ return false;
+ }
+
+ return true;
+}
diff --git a/libsandbox/wrappers.h b/libsandbox/wrappers.h
index 0aa58bb..bf5bf64 100644
--- a/libsandbox/wrappers.h
+++ b/libsandbox/wrappers.h
@@ -27,6 +27,7 @@ attribute_hidden bool sb_fopen64_pre_check (const char *func, const char *pathn
attribute_hidden bool sb_mkdirat_pre_check (const char *func, const char *pathname, int dirfd);
attribute_hidden bool sb_openat_pre_check (const char *func, const char *pathname, int dirfd, int flags);
attribute_hidden bool sb_openat64_pre_check (const char *func, const char *pathname, int dirfd, int flags);
+attribute_hidden bool sb_opendir_pre_check (const char *func, const char *name);
attribute_hidden bool sb_unlinkat_pre_check (const char *func, const char *pathname, int dirfd);
attribute_hidden bool sb_common_at_pre_check(const char *func, const char **pathname, int dirfd,
char *dirfd_path, size_t dirfd_path_len);
--
2.9.0

42
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.10-memory-corruption.patch vendored
View File

@ -1,42 +0,0 @@
From 529a388ebb1b4e9d6ad8a1bb61dd8211833a5976 Mon Sep 17 00:00:00 2001
From: Denis Lisov <dennis.lissov@gmail.com>
Date: Sat, 19 Dec 2015 19:13:58 +0300
Subject: [PATCH] libsandbox: fix old_malloc_size check on realloc
Realloc uses SB_MALLOC_TO_SIZE assuming it returns the usable size,
while it is really the mmap size, which is greater. Thus it may fail
to reallocate even if required.
URL: https://bugs.gentoo.org/568714
Signed-off-by: Denis Lisov <dennis.lissov@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
libsandbox/memory.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libsandbox/memory.c b/libsandbox/memory.c
index 8581128..a2d69a2 100644
--- a/libsandbox/memory.c
+++ b/libsandbox/memory.c
@@ -40,7 +40,8 @@ static int sb_munmap(void *addr, size_t length)
#define SB_MALLOC_TO_MMAP(ptr) ((void*)((uintptr_t)(ptr) - MIN_ALIGN))
#define SB_MMAP_TO_MALLOC(ptr) ((void*)((uintptr_t)(ptr) + MIN_ALIGN))
-#define SB_MALLOC_TO_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
+#define SB_MALLOC_TO_MMAP_SIZE(ptr) (*((size_t*)SB_MALLOC_TO_MMAP(ptr)))
+#define SB_MALLOC_TO_SIZE(ptr) (SB_MALLOC_TO_MMAP_SIZE(ptr) - MIN_ALIGN)
void *malloc(size_t size)
{
@@ -57,7 +58,7 @@ void free(void *ptr)
{
if (ptr == NULL)
return;
- if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_SIZE(ptr)))
+ if (munmap(SB_MALLOC_TO_MMAP(ptr), SB_MALLOC_TO_MMAP_SIZE(ptr)))
sb_ebort("sandbox memory corruption with free(%p): %s\n",
ptr, strerror(errno));
}
--
2.6.2

124
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-2.11-symlinkat-renameat.patch vendored
View File

@ -1,124 +0,0 @@
From 4c47cfa22802fd8201586bef233d8161df4ff61b Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Fri, 10 Mar 2017 10:15:50 -0800
Subject: [PATCH] libsandbox: whitelist renameat/symlinkat as symlink funcs
These funcs don't deref their path args, so flag them as such.
URL: https://bugs.gentoo.org/612202
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
libsandbox/libsandbox.c | 4 +++-
tests/renameat-2.sh | 12 ++++++++++++
tests/renameat-3.sh | 11 +++++++++++
tests/renameat.at | 2 ++
tests/symlinkat-2.sh | 10 ++++++++++
tests/symlinkat-3.sh | 9 +++++++++
tests/symlinkat.at | 2 ++
7 files changed, 49 insertions(+), 1 deletion(-)
create mode 100755 tests/renameat-2.sh
create mode 100755 tests/renameat-3.sh
create mode 100755 tests/symlinkat-2.sh
create mode 100755 tests/symlinkat-3.sh
diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index e809308d717d..de48bd79ba53 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -650,8 +650,10 @@ static bool symlink_func(int sb_nr, int flags, const char *abs_path)
sb_nr == SB_NR_LCHOWN ||
sb_nr == SB_NR_REMOVE ||
sb_nr == SB_NR_RENAME ||
+ sb_nr == SB_NR_RENAMEAT ||
sb_nr == SB_NR_RMDIR ||
- sb_nr == SB_NR_SYMLINK))
+ sb_nr == SB_NR_SYMLINK ||
+ sb_nr == SB_NR_SYMLINKAT))
{
/* These funcs sometimes operate on symlinks */
if (!((sb_nr == SB_NR_FCHOWNAT ||
diff --git a/tests/renameat-2.sh b/tests/renameat-2.sh
new file mode 100755
index 000000000000..d0fbe8ae4574
--- /dev/null
+++ b/tests/renameat-2.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# make sure we can clobber symlinks #612202
+
+addwrite $PWD
+
+ln -s /asdf sym || exit 1
+touch file
+renameat-0 0 AT_FDCWD file AT_FDCWD sym || exit 1
+[ ! -e file ]
+[ ! -L sym ]
+[ -e sym ]
+test ! -s "${SANDBOX_LOG}"
diff --git a/tests/renameat-3.sh b/tests/renameat-3.sh
new file mode 100755
index 000000000000..9ae5c9a6511a
--- /dev/null
+++ b/tests/renameat-3.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+# make sure we reject bad renames #612202
+
+addwrite $PWD
+mkdir deny
+adddeny $PWD/deny
+
+touch file
+renameat-0 -1,EACCES AT_FDCWD file AT_FDCWD deny/file || exit 1
+[ -e file ]
+test -s "${SANDBOX_LOG}"
diff --git a/tests/renameat.at b/tests/renameat.at
index 081d7d20277e..eec4638deeaa 100644
--- a/tests/renameat.at
+++ b/tests/renameat.at
@@ -1 +1,3 @@
SB_CHECK(1)
+SB_CHECK(2)
+SB_CHECK(3)
diff --git a/tests/symlinkat-2.sh b/tests/symlinkat-2.sh
new file mode 100755
index 000000000000..168362e8806f
--- /dev/null
+++ b/tests/symlinkat-2.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+# make sure we can clobber symlinks #612202
+
+addwrite $PWD
+
+symlinkat-0 0 /asdf AT_FDCWD ./sym || exit 1
+[ -L sym ]
+symlinkat-0 -1,EEXIST /asdf AT_FDCWD ./sym || exit 1
+[ -L sym ]
+test ! -s "${SANDBOX_LOG}"
diff --git a/tests/symlinkat-3.sh b/tests/symlinkat-3.sh
new file mode 100755
index 000000000000..a01c750dd2b6
--- /dev/null
+++ b/tests/symlinkat-3.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# make sure we reject bad symlinks #612202
+
+addwrite $PWD
+mkdir deny
+adddeny $PWD/deny
+
+symlinkat-0 -1,EACCES ./ AT_FDCWD deny/sym || exit 1
+test -s "${SANDBOX_LOG}"
diff --git a/tests/symlinkat.at b/tests/symlinkat.at
index 081d7d20277e..eec4638deeaa 100644
--- a/tests/symlinkat.at
+++ b/tests/symlinkat.at
@@ -1 +1,3 @@
SB_CHECK(1)
+SB_CHECK(2)
+SB_CHECK(3)
--
2.12.0

41
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/files/sandbox-3.1-label-decl.patch vendored Normal file
View File

@ -0,0 +1,41 @@
From 82f6d876660ba1132d75ccfef5c4301d123ea505 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Wed, 3 Nov 2021 12:25:10 -0400
Subject: [PATCH] libsandbox: tweak label/decl code for some compiler settings
Looks like gcc is inconsistent in when it chokes on this code:
> a label can only be part of a statement and a declaration is not a statement
Hoist the decl up to the top of scope to avoid the issue.
Bug: https://bugs.gentoo.org/821433
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
libsandbox/trace.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsandbox/trace.c b/libsandbox/trace.c
index f3390d99822e..d2899b743048 100644
--- a/libsandbox/trace.c
+++ b/libsandbox/trace.c
@@ -704,6 +704,8 @@ static char *flatten_args(char *const argv[])
bool trace_possible(const char *filename, char *const argv[], const void *data)
{
+ char *args;
+
/* If YAMA ptrace_scope is very high, then we can't trace at all. #771360 */
int yama = trace_yama_level();
if (yama >= 2) {
@@ -721,7 +723,7 @@ bool trace_possible(const char *filename, char *const argv[], const void *data)
}
fail:
- char *args = flatten_args(argv);
+ args = flatten_args(argv);
sb_eqawarn("Unable to trace static ELF: %s: %s\n", filename, args);
free(args);
return false;
--
2.33.0

5
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/metadata.xml vendored
View File

@ -1,8 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>sandbox@gentoo.org</email>
<name>Sandbox Maintainers</name>
</maintainer>
<use>
<flag name="nnp">Enable NO_NEW_PRIVS which blocks set*id programs from gaining privileges (e.g. sudo)</flag>
</use>
</pkgmetadata>

84
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r3.ebuild vendored
View File

@ -1,84 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# don't monkey with this ebuild unless contacting portage devs.
# period.
#
EAPI="5"
inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
SRC_URI="mirror://gentoo/${P}.tar.xz
https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
epatch "${FILESDIR}"/${P}-disable-same.patch
epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
epatch_user
}
multilib_src_configure() {
filter-lfs-flags #90228
local myconf=()
host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
ECONF_SOURCE="${S}" \
econf "${myconf[@]}"
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
cd "${S}"
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_preinst() {
chown root:portage "${ED}"/var/log/sandbox
chmod 0770 "${ED}"/var/log/sandbox
if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
if [[ -n ${old} ]] ; then
elog "Removing old sandbox libraries for you:"
find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
fi
fi
}
pkg_postinst() {
if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
chmod 0755 "${EROOT}"/etc/sandbox.d #265376
fi
}

85
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.10-r4.ebuild vendored
View File

@ -1,85 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# don't monkey with this ebuild unless contacting portage devs.
# period.
#
EAPI="5"
inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
SRC_URI="mirror://gentoo/${P}.tar.xz
https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
epatch "${FILESDIR}"/${P}-memory-corruption.patch #568714
epatch "${FILESDIR}"/${P}-disable-same.patch
epatch "${FILESDIR}"/${P}-fix-opendir.patch #553092
epatch "${FILESDIR}"/${PN}-2.11-symlinkat-renameat.patch #612202
epatch_user
}
multilib_src_configure() {
filter-lfs-flags #90228
local myconf=()
host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
ECONF_SOURCE="${S}" \
econf "${myconf[@]}"
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
cd "${S}"
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_preinst() {
chown root:portage "${ED}"/var/log/sandbox
chmod 0770 "${ED}"/var/log/sandbox
if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
if [[ -n ${old} ]] ; then
elog "Removing old sandbox libraries for you:"
find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
fi
fi
}
pkg_postinst() {
if [[ ${REPLACING_VERSIONS} == 1.* ]] ; then
chmod 0755 "${EROOT}"/etc/sandbox.d #265376
fi
}

76
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.12.ebuild vendored
View File

@ -1,76 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
multilib_src_configure() {
filter-lfs-flags #90228
local myconf=()
host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
ECONF_SOURCE="${S}" \
econf "${myconf[@]}"
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_preinst() {
chown root:portage "${ED}"/var/log/sandbox
chmod 0770 "${ED}"/var/log/sandbox
local v
for v in ${REPLACING_VERSIONS}; do
if [[ ${v} == 1.* ]] ; then
local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
if [[ -n ${old} ]] ; then
elog "Removing old sandbox libraries for you:"
find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
fi
fi
done
}
pkg_postinst() {
local v
for v in ${REPLACING_VERSIONS}; do
if [[ ${v} == 1.* ]] ; then
chmod 0755 "${EROOT}"/etc/sandbox.d #265376
fi
done
}

76
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.13.ebuild vendored
View File

@ -1,76 +0,0 @@
# Copyright 1999-2018 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit eutils flag-o-matic multilib-minimal multiprocessing pax-utils
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://www.gentoo.org/proj/en/portage/sandbox/"
SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
multilib_src_configure() {
filter-lfs-flags #90228
local myconf=()
host-is-pax && myconf+=( --disable-pch ) #301299 #425524 #572092
ECONF_SOURCE="${S}" \
econf "${myconf[@]}"
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_preinst() {
chown root:portage "${ED}"/var/log/sandbox
chmod 0770 "${ED}"/var/log/sandbox
local v
for v in ${REPLACING_VERSIONS}; do
if [[ ${v} == 1.* ]] ; then
local old=$(find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*')
if [[ -n ${old} ]] ; then
elog "Removing old sandbox libraries for you:"
find "${EROOT}"/lib* -maxdepth 1 -name 'libsandbox*' -print -delete
fi
fi
done
}
pkg_postinst() {
local v
for v in ${REPLACING_VERSIONS}; do
if [[ ${v} == 1.* ]] ; then
chmod 0755 "${EROOT}"/etc/sandbox.d #265376
fi
done
}

63
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.24.ebuild vendored Normal file
View File

@ -0,0 +1,63 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~sam/distfiles/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
# -j1 to prevent test faiures caused by file descriptor
# injection GNU make does.
emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_postinst() {
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

63
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.25.ebuild vendored Normal file
View File

@ -0,0 +1,63 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS="${EBUILD_DEATH_HOOKS} sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
# -j1 to prevent test faiures caused by file descriptor
# injection GNU make does.
emake -j1 check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
keepdir /var/log/sandbox
fowners root:portage /var/log/sandbox
fperms 0770 /var/log/sandbox
dodoc AUTHORS ChangeLog* NEWS README
}
pkg_postinst() {
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

58
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.26.ebuild vendored Normal file
View File

@ -0,0 +1,58 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE=""
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

62
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.27.ebuild vendored Normal file
View File

@ -0,0 +1,62 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="+nnp"
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
if ! use nnp ; then
sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
fi
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

62
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.28.ebuild vendored Normal file
View File

@ -0,0 +1,62 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="+nnp"
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
if ! use nnp ; then
sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
fi
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

62
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-2.29.ebuild vendored Normal file
View File

@ -0,0 +1,62 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="+nnp"
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
if ! use nnp ; then
sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
fi
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

62
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.0.ebuild vendored Normal file
View File

@ -0,0 +1,62 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="+nnp"
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
if ! use nnp ; then
sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
fi
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}

66
sdk_container/src/third_party/portage-stable/sys-apps/sandbox/sandbox-3.1.ebuild vendored Normal file
View File

@ -0,0 +1,66 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic multilib-minimal multiprocessing
DESCRIPTION="sandbox'd LD_PRELOAD hack"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:Sandbox"
SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="+nnp"
DEPEND="app-arch/xz-utils
>=app-misc/pax-utils-0.1.19" #265376
RDEPEND=""
PATCHES=(
"${FILESDIR}"/${P}-label-decl.patch #821433
)
has sandbox_death_notice ${EBUILD_DEATH_HOOKS} || EBUILD_DEATH_HOOKS+=" sandbox_death_notice"
sandbox_death_notice() {
ewarn "If configure failed with a 'cannot run C compiled programs' error, try this:"
ewarn "FEATURES='-sandbox -usersandbox' emerge sandbox"
}
src_prepare() {
default
if ! use nnp ; then
sed -i 's:PR_SET_NO_NEW_PRIVS:___disable_nnp_hack:' src/sandbox.c || die
fi
# sandbox uses `__asm__ (".symver "...` which does
# not play well with gcc's LTO: https://gcc.gnu.org/PR48200
append-flags -fno-lto
append-ldflags -fno-lto
}
multilib_src_configure() {
filter-lfs-flags #90228
ECONF_SOURCE="${S}" econf
}
multilib_src_test() {
# Default sandbox build will run with --jobs set to # cpus.
emake check TESTSUITEFLAGS="--jobs=$(makeopts_jobs)"
}
multilib_src_install_all() {
doenvd "${FILESDIR}"/09sandbox
dodoc AUTHORS ChangeLog* README.md
}
pkg_postinst() {
mkdir -p "${EROOT}"/var/log/sandbox
chown root:portage "${EROOT}"/var/log/sandbox
chmod 0770 "${EROOT}"/var/log/sandbox
}