author | Hank Leininger <hlein@korelogic.com> | 2022-02-06 21:40:48 -0700 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2022-02-18 02:38:46 +0000 |
commit | f83326db36c6215b3fb69cf9630c5e3b53d32c43 (patch) | |
tree | c0e182a73fcb8ac7944aa8877ad39881778bd2bf /sys-apps/firejail | |
parent | kicad packages: Drop 6.0.1 (diff) | |
sys-apps/firejail: version bump, remove old, Gentoo compat tweaks
Upstream released a security bump. Also added some fixes and workarounds for programs and configs that break on Gentoo.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://bugs.gentoo.org/832819
Closes: https://bugs.gentoo.org/694966
Closes: https://bugs.gentoo.org/663784
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Closes: https://github.com/gentoo/gentoo/pull/24102
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-apps/firejail')
-rw-r--r-- | sys-apps/firejail/Manifest | 3 | ||||
-rw-r--r-- | sys-apps/firejail/files/firecfg.config.patch | 71 | ||||
-rw-r--r-- | sys-apps/firejail/files/firejail-0.9.68-envlimits.patch | 12 | ||||
-rw-r--r-- | sys-apps/firejail/files/profile_display.local | 2 | ||||
-rw-r--r-- | sys-apps/firejail/files/profile_patch.local | 8 | ||||
-rw-r--r-- | sys-apps/firejail/files/profile_pdftotext.local | 2 | ||||
-rw-r--r-- | sys-apps/firejail/files/profile_wget.local | 5 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-0.9.64.4.ebuild | 99 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-0.9.68.ebuild (renamed from sys-apps/firejail/firejail-0.9.66.ebuild) | 27 | ||||
-rw-r--r-- | sys-apps/firejail/firejail-9999.ebuild | 8 |
10 files changed, 128 insertions, 109 deletions
diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest
index 9a245e9aeda3..ae81ea9d7be4 100644
--- a/sys-apps/firejail/Manifest
+++ b/sys-apps/firejail/Manifest
@@ -1,2 +1 @@
-DIST firejail-0.9.64.4.tar.xz 431116 BLAKE2B 1e64af1459cdbd6e753299796b2521efdc1fe364a66b8f0f40df1adabec32d0673cb9805a2ab385b96b64aca16e038e615ab1e4dc4df1dbcaa0b5b24f54c89d0 SHA512 580a074cb40e7559f6d532418b5e05e042c30306e8507d32ac3c71a51dec6648035ad810d253da02caaa4adc41f773dfdab55528618f5ca30ff30d4e7bbd12c9
-DIST firejail-0.9.66.tar.xz 449992 BLAKE2B 43243e4d2773f007c9a7ce4e63b009b63113055baaffa5125d279124967f5c07d510edf431b568bbf5d6cf04501f5645accb5756af80298750d8f0ef35f9a88b SHA512 c00222f975df9832940b7e3ef71dc2d2bbab3540db259f8d3011fb6198f1b66d9191dff4609163a2cfe0e2a1f739e144b496260a457ea92601f163675735cbe7
+DIST firejail-0.9.68.tar.xz 477332 BLAKE2B 4d995715caa81b69bb9a16f604a2463b2db48fad5ba869bb5f353973ce8ec273dbabe07ee340b40094d6fe15bcef7e356cd07e7e7dfd0491d2d1632f64878a0e SHA512 8c03c145bb91fe696407052968bd1069defc44d274bd74d33fccebb28324121d259973fccc1d1cdc38fb2902bb842e921adc9440596a92a4aa13c4e06963e354
diff --git a/sys-apps/firejail/files/firecfg.config.patch b/sys-apps/firejail/files/firecfg.config.patch
new file mode 100644
index 000000000000..f4f5f34a196a
--- /dev/null
+++ b/sys-apps/firejail/files/firecfg.config.patch
@@ -0,0 +1,71 @@
+--- firecfg.config.orig 2021-11-05 20:30:20.451017470 -0600
++++ firecfg.config 2022-02-06 20:53:53.948407229 -0700
+@@ -207,7 +207,8 @@
+ electron-mail
+ electrum
+ element-desktop
+-elinks
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#elinks
+ empathy
+ enchant
+ enchant-2
+@@ -254,7 +255,8 @@
+ flashpeak-slimjet
+ flowblade
+ font-manager
+-fontforge
++# Breaks emerge/portage on Gentoo
++#fontforge
+ fossamail
+ four-in-a-row
+ fractal
+@@ -478,11 +480,16 @@
+ luminance-hdr
+ lximage-qt
+ lxmusic
+-lynx
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#lynx
+ lyx
+ macrofusion
+ magicor
+-man
++# Breaks: $ man chromium-browser
++# WARNING: terminal is not fully functional
++# Press RETURN to continue
++# Manual page chromium-browser(1) byte 0/0 (END) (press h for help or q to quit)
++#man
+ manaplus
+ marker
+ masterpdfeditor
+@@ -558,7 +565,8 @@
+ musictube
+ musixmatch
+ mutool
+-mutt
++# Breaks when configs are under ~/.mutt/
++#mutt
+ mypaint
+ mypaint-ora-thumbnailer
+ natron
+@@ -616,7 +624,8 @@
+ palemoon
+ #pandoc
+ parole
+-patch
++# Breaks emerge/portage on Gentoo: 'too many environment variables'
++#patch
+ pavucontrol
+ pavucontrol-qt
+ pcsxr
+@@ -736,7 +745,8 @@
+ stellarium
+ strawberry
+ straw-viewer
+-strings
++# Breaks emerge/portage on Gentoo
++#strings
+ studio.sh
+ subdownloader
+ supertux2
diff --git a/sys-apps/firejail/files/firejail-0.9.68-envlimits.patch b/sys-apps/firejail/files/firejail-0.9.68-envlimits.patch
new file mode 100644
index 000000000000..4b306342e532
--- /dev/null
+++ b/sys-apps/firejail/files/firejail-0.9.68-envlimits.patch
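Review bot: Nothing in this commit applies files/firecfg.config.patch: the 0.9.68 ebuild's new PATCHES array lists only ${P}-envlimits.patch and no src_prepare hunk calls eapply on it, so as far as the shown hunks go the file is dead weight under FILESDIR. Either add it to PATCHES (`"${FILESDIR}/firecfg.config.patch"`) or drop it, because shipping it suggests those firecfg entries are disabled when they are not. Note what it does when applied: commenting out `strings`, `patch`, `man`, `lynx`, `elinks` and `mutt` stops firecfg from symlinking exactly the tools that parse untrusted input, and three of those six are justified by the 'too many environment variables' error that the MAX_ENVS bump in this same commit is meant to remove, so those entries at least look redundant once that patch is in. If the patch is kept, it also needs a header stating its origin and purpose, like any patch under files/.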
@@ -0,0 +1,12 @@
+diff -urP firejail-0.9.68.orig/src/firejail/firejail.h firejail-0.9.68/src/firejail/firejail.h
+--- firejail-0.9.68.orig/src/firejail/firejail.h 2022-02-03 07:53:47.000000000 -0700
++++ firejail-0.9.68/src/firejail/firejail.h 2022-02-06 21:09:35.279071101 -0700
+@@ -689,7 +689,7 @@
+ int check_kernel_procs(void);
+ void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
+ 
+-#define MAX_ENVS 256 // some sane maximum number of environment variables
++#define MAX_ENVS 2048 // some sane maximum number of environment variables
+ #define MAX_ENV_LEN (PATH_MAX + 32) // FOOBAR=SOME_PATH, only applied to Firejail's own sandboxed apps
+ // env.c
+ typedef enum {
diff --git a/sys-apps/firejail/files/profile_display.local b/sys-apps/firejail/files/profile_display.local
new file mode 100644
index 000000000000..edf025c4720d
--- /dev/null
+++ b/sys-apps/firejail/files/profile_display.local
@@ -0,0 +1,2 @@
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libfreetype.so.*,libXext.so.*,libltdl.so.*,ImageMagick*
+private-etc ImageMagick-7
diff --git a/sys-apps/firejail/files/profile_patch.local b/sys-apps/firejail/files/profile_patch.local
new file mode 100644
index 000000000000..24fe0c43b516
--- /dev/null
+++ b/sys-apps/firejail/files/profile_patch.local
@@ -0,0 +1,8 @@
+private-bin /usr/bin/patch,red
+ignore private-bin
+# Needed so patch can write under /var/tmp/portage/
+writable-var
+read-write /var/tmp/portage
+whitelist /var/tmp/portage
+
+private-lib libsandbox.so*
diff --git a/sys-apps/firejail/files/profile_pdftotext.local b/sys-apps/firejail/files/profile_pdftotext.local
new file mode 100644
index 000000000000..449e4787d5a8
--- /dev/null
+++ b/sys-apps/firejail/files/profile_pdftotext.local
@@ -0,0 +1,2 @@
+private-etc alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*
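Review bot: The envlimits patch has no header saying why MAX_ENVS is raised from 256 to 2048, where the limit is hit, or whether the change was sent upstream, which the next version bumper will need when deciding whether to carry it forward. The only explanation lives in the firecfg.config.patch comments ('too many environment variables' under emerge/portage), and the #define's own comment still reads `// some sane maximum number of environment variables` as if 2048 were upstream's number. Add a short header to the patch referencing the bug or PR, and change the comment to something like `// raised from upstream's 256: portage build environments exceed it (Gentoo)`. Since MAX_ENVS bounds how much of the caller's environment a setuid-root binary copies, the header is also the place to note that the raise was considered against that use.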
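Review bot: In profile_patch.local the comment says only /var/tmp/portage needs to be writable, yet the file grants `writable-var` (all of /var read-write) on top of `read-write /var/tmp/portage` and `whitelist /var/tmp/portage` for that one path, so the comment and the directives disagree. If writable-var is needed because firejail otherwise mounts a tmpfs over /var/tmp, say so, e.g. `# writable-var: firejail tmpfs-mounts /var/tmp by default, which would hide /var/tmp/portage`; if the whitelist alone suffices on 0.9.68, drop the wider grant. The `private-lib libsandbox.so*` line deserves a comment too, since it presumably exists so portage's LD_PRELOAD sandbox library stays loadable inside the jail, which is not obvious to a reader.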
diff --git a/sys-apps/firejail/files/profile_wget.local b/sys-apps/firejail/files/profile_wget.local
new file mode 100644
index 000000000000..4b1d5b50a2b7
--- /dev/null
+++ b/sys-apps/firejail/files/profile_wget.local
@@ -0,0 +1,5 @@
+# Needed so that portage can wget into the distfile dir.
+writable-var
+whitelist /var/cache/distfiles
+
+private-bin /usr/bin/wget
diff --git a/sys-apps/firejail/firejail-0.9.64.4.ebuild b/sys-apps/firejail/firejail-0.9.64.4.ebuild
deleted file mode 100644
index 77f8fb130dd8..000000000000
--- a/sys-apps/firejail/firejail-0.9.64.4.ebuild
+++ /dev/null
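Review bot: `writable-var` makes the whole /var tree read-write for a network-facing downloader, although the comment states that only the distfiles directory is needed and `whitelist /var/cache/distfiles` already names it. If the whitelist alone is enough on 0.9.68 to let portage's fetch write there, drop writable-var; if it is not, extend the comment to say why both are required so a later maintainer does not remove it, e.g. `# writable-var as well: the whitelist alone leaves /var/cache mounted read-only`. The wording is a guess at the reason and should be confirmed against firejail's /var handling before being committed.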
@@ -1,99 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -PYTHON_COMPAT=( python3_{7..9} ) - -inherit toolchain-funcs python-single-r1 linux-info - -if [[ ${PV} != 9999 ]]; then - KEYWORDS="amd64 ~arm ~arm64 ~x86" - SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz" -else - inherit git-r3 - EGIT_REPO_URI="https://github.com/netblue30/firejail.git" - EGIT_BRANCH="master" -fi - -DESCRIPTION="Security sandbox for any type of processes" -HOMEPAGE="https://firejail.wordpress.com/" - -LICENSE="GPL-2" -SLOT="0" -IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist" -# Needs a lot of work to function within sandbox/portage -# bug #769731 -RESTRICT="test" - -RDEPEND="!sys-apps/firejail-lts - apparmor? ( sys-libs/libapparmor ) - contrib? ( ${PYTHON_DEPS} ) - dbusproxy? ( sys-apps/xdg-dbus-proxy )" - -DEPEND="${RDEPEND} - sys-libs/libseccomp - test? ( dev-tcltk/expect )" - -REQUIRED_USE="contrib? 
( ${PYTHON_REQUIRED_USE} )" - -pkg_setup() { - python-single-r1_pkg_setup -} - -src_prepare() { - default - - find -type f -name Makefile.in -exec sed -i -r -e '/^\tinstall .*COPYING /d; /CFLAGS/s: (-O2|-ggdb) : :g' {} + || die - - sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' ./src/common.mk.in || die - - # remove compression of man pages - sed -i -r -e '/rm -f \$\$man.gz; \\/d; /gzip -9n \$\$man; \\/d; s|\*\.([[:digit:]])\) install -m 0644 \$\$man\.gz|\*\.\1\) install -m 0644 \$\$man|g' Makefile.in || die - - if use contrib; then - python_fix_shebang -f contrib/*.py - fi - - # some tests were missing from this release's tarball - if use test; then - sed -i -r -e 's/^(test:.*) test-private-lib (.*)/\1 \2/; s/^(test:.*) test-fnetfilter (.*)/\1 \2/' Makefile.in || die - fi -} - -src_configure() { - econf \ - --disable-firetunnel \ - $(use_enable apparmor) \ - $(use_enable chroot) \ - $(use_enable dbusproxy) \ - $(use_enable file-transfer) \ - $(use_enable globalcfg) \ - $(use_enable network) \ - $(use_enable private-home) \ - $(use_enable suid) \ - $(use_enable userns) \ - $(use_enable whitelist) \ - $(use_enable X x11) -} - -src_compile() { - emake CC="$(tc-getCC)" -} - -src_install() { - default - - if use contrib; then - python_scriptinto /usr/$(get_libdir)/firejail - python_doscript contrib/*.py - insinto /usr/$(get_libdir)/firejail - dobin contrib/*.sh - fi -} - -pkg_postinst() { - CONFIG_CHECK="~SQUASHFS" - local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode" - check_extra_config -} diff --git a/sys-apps/firejail/firejail-0.9.66.ebuild b/sys-apps/firejail/firejail-0.9.68.ebuild index e3bf15c00bbd..4ed3c5698d55 100644 --- a/sys-apps/firejail/firejail-0.9.66.ebuild +++ b/sys-apps/firejail/firejail-0.9.68.ebuild 
@@ -1,9 +1,9 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{8,9} ) +PYTHON_COMPAT=( python3_{8..10} ) inherit toolchain-funcs python-single-r1 linux-info @@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/" LICENSE="GPL-2" SLOT="0" -IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist X" +IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X" # Needs a lot of work to function within sandbox/portage # bug #769731 RESTRICT="test" @@ -37,6 +37,10 @@ DEPEND="${RDEPEND} REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )" +PATCHES=( + "${FILESDIR}/${P}-envlimits.patch" + ) + pkg_setup() { CONFIG_CHECK="~SQUASHFS" local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode" @@ -68,6 +72,7 @@ src_prepare() { src_configure() { econf \ --disable-firetunnel \ + --enable-suid \ $(use_enable apparmor) \ $(use_enable chroot) \ $(use_enable dbusproxy) \ @@ -75,10 +80,13 @@ src_configure() { $(use_enable globalcfg) \ $(use_enable network) \ $(use_enable private-home) \ - $(use_enable suid) \ $(use_enable userns) \ $(use_enable whitelist) \ $(use_enable X x11) + + cat > 99firejail <<-EOF || die + SANDBOX_WRITE="/run/firejail" + EOF } src_compile() { @@ -88,6 +96,17 @@ src_compile() { src_install() { default + # Gentoo-specific profile customizations + insinto /etc/${PN} + local profile_local + for profile_local in "${FILESDIR}"/profile_*local ; do + newins "${profile_local}" "${profile_local/\/*profile_/}" + done + + # Prevent sandbox violations when toolchain is firejailed + insinto /etc/sandbox.d + doins 99firejail + rm "${ED}"/usr/share/doc/${PF}/COPYING || die if use contrib; then 
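Review bot: `--enable-suid` is now forced and the `suid` USE flag removed without a word in the ebuild or the commit message, so every user, including anyone who had USE=-suid, gets a setuid-root firejail on the next update, which is the binary's main attack surface. Add a comment above the option explaining the decision, e.g. `# suid USE flag dropped: firejail cannot set up its namespaces without the setuid bit` (presumably the reason; confirm against upstream's configure before wording it as fact), and consider an elog in pkg_postinst for users who had the flag off. Less importantly, `99firejail` is generated by a heredoc in src_configure() and only consumed in src_install(); a static file under FILESDIR installed with doins would be simpler and keeps src_configure free of side effects.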
diff --git a/sys-apps/firejail/firejail-9999.ebuild b/sys-apps/firejail/firejail-9999.ebuild index e3bf15c00bbd..440d20af51ec 100644 --- a/sys-apps/firejail/firejail-9999.ebuild +++ b/sys-apps/firejail/firejail-9999.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{8,9} ) +PYTHON_COMPAT=( python3_{8..10} ) inherit toolchain-funcs python-single-r1 linux-info @@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/" LICENSE="GPL-2" SLOT="0" -IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist X" +IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home test +userns +whitelist X" # Needs a lot of work to function within sandbox/portage # bug #769731 RESTRICT="test" @@ -68,6 +68,7 @@ src_prepare() { src_configure() { econf \ --disable-firetunnel \ + --enable-suid \ $(use_enable apparmor) \ $(use_enable chroot) \ $(use_enable dbusproxy) \ @@ -75,7 +76,6 @@ src_configure() { $(use_enable globalcfg) \ $(use_enable network) \ $(use_enable private-home) \ - $(use_enable suid) \ $(use_enable userns) \ $(use_enable whitelist) \ $(use_enable X x11) |
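Review bot: The live ebuild takes only half of the change: it drops the suid USE flag and forces `--enable-suid` exactly like 0.9.68, but does not gain the profile_*.local installation loop or the /etc/sandbox.d/99firejail snippet, so firejail-9999 users get neither the Gentoo profile fixes nor the sandbox exemption (its src_install lies outside these hunks and the diffstat's 8-line change confirms it is untouched). Leaving the version-specific envlimits patch out of 9999 is reasonable, but the profile and sandbox.d additions are version-independent and should be mirrored here, or the commit should say why the live ebuild is deliberately left behind.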