From e490601874fe785c7632e6571a3a1d8f43404622 Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Mon, 17 Sep 2018 19:19:15 -0400
Subject: sys-devel/bc: add support for --sandbox & USE=forced-sandbox
The dc tool has an ! command which allows for arbitrary system() calls which is not ideal for processing arbitrary user scripts. First add support for a --sandbox flag at runtime (like sed/gawk gnu tools), then add a USE=forced-sandbox option so people can lock it down. The patches have been sent to upstream, but considering how slow the bc project tends to move, and their lack of a project site/git repo, going to merge this now and just wait for upstream feedback.
---
sys-devel/bc/bc-1.07.1-r2.ebuild | 65 ++++++++++++++++
sys-devel/bc/files/bc-1.07.1-sandbox.patch | 121 +++++++++++++++++++++++++++++
sys-devel/bc/metadata.xml | 3 +
3 files changed, 189 insertions(+)
create mode 100644 sys-devel/bc/bc-1.07.1-r2.ebuild
create mode 100644 sys-devel/bc/files/bc-1.07.1-sandbox.patch
(limited to 'sys-devel/bc')
diff --git a/sys-devel/bc/bc-1.07.1-r2.ebuild b/sys-devel/bc/bc-1.07.1-r2.ebuild
new file mode 100644
index 000000000000..78cc0f0805f4
--- /dev/null
+++ b/sys-devel/bc/bc-1.07.1-r2.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs
+
+DESCRIPTION="Handy console-based calculator utility"
+HOMEPAGE="https://www.gnu.org/software/bc/bc.html"
+SRC_URI="mirror://gnu/bc/${P}.tar.gz"
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="forced-sandbox libedit readline static"
+
+RDEPEND="
+ !readline? ( libedit? ( dev-libs/libedit:= ) )
+ readline? (
+ >=sys-libs/readline-4.1:0=
+ >=sys-libs/ncurses-5.2:=
+ )
+"
+DEPEND="
+ ${RDEPEND}
+ sys-apps/ed
+ sys-devel/flex
+ virtual/yacc
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-1.07.1-sandbox.patch"
+)
+
+src_prepare() {
+ default
+
+ # A patch to make this into a configure option has been sent upstream,
+ # but lets avoid regenerating all the autotools just for this.
+ if use forced-sandbox ; then
+ sed -i '/dc_sandbox_enabled = 0/s:0:1:' dc/dc.c || die
+ fi
+}
+
+src_configure() {
+ local myconf=(
+ $(use_with readline)
+ )
+ if use readline ; then
+ myconf+=( --without-libedit )
+ else
+ myconf+=( $(use_with libedit) )
+ fi
+ use static && append-ldflags -static
+
+ econf "${myconf[@]}"
+
+ # Do not regen docs -- configure produces a small fragment that includes
+ # the version info which causes all pages to regen (newer file). #554774
+ touch -r doc doc/*
+}
+
+src_compile() {
+ emake AR="$(tc-getAR)"
+}
diff --git a/sys-devel/bc/files/bc-1.07.1-sandbox.patch b/sys-devel/bc/files/bc-1.07.1-sandbox.patch
new file mode 100644
index 000000000000..ec5c406645b2
--- /dev/null
+++ b/sys-devel/bc/files/bc-1.07.1-sandbox.patch
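Review bot: The `sed -i '/dc_sandbox_enabled = 0/s:0:1:' dc/dc.c || die` in src_prepare fails open, because sed exits 0 even when the pattern matches nothing. If the sandbox patch is ever reworded or dropped, USE=forced-sandbox would still build a dc with the `!` command enabled and the `|| die` would never fire. Follow the edit with a check such as `grep -q 'dc_sandbox_enabled = 1' dc/dc.c || die "forced-sandbox edit did not apply"`, so the lock-down the flag promises is verified at build time. The comment above the `if` should also say that the substitution targets the `dc_sandbox_enabled = 0;` assignment the patch adds to main().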
@@ -0,0 +1,121 @@
+this has been sent upstream, but they don't have a mailing list or project site
+to link to. oh well.
+
+From e641584767c3c7cc1ff544805acc2562fc56cda9 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 17 Sep 2018 18:57:57 -0400
+Subject: [PATCH 1/2] dc: add a --sandbox option
+
+Other GNU projects (like sed & gawk) have a --sandbox flag whereby
+access to files and system() are disabled. This allows people to
+run arbitrary scripts without worrying about them "escaping" and
+executing arbitrary commands on the system.
+---
+ dc/dc.c | 9 ++++++++-
+ dc/dc.h | 3 +++
+ dc/misc.c | 6 ++++++
+ doc/dc.1 | 5 +++++
+ doc/dc.texi | 4 ++++
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/dc/dc.c b/dc/dc.c
+index 6a2bb2639235..592a76be71da 100644
+--- a/dc/dc.c
++++ b/dc/dc.c
+@@ -54,6 +54,7 @@
+ #endif
+
+ const char *progname; /* basename of program invocation */
++int dc_sandbox_enabled; /* whether sandbox mode is enabled */
+
+ static void
+ bug_report_info DC_DECLVOID()
+@@ -80,6 +81,7 @@ usage DC_DECLARG((f))
+ Usage: %s [OPTION] [file ...]\n\
+ -e, --expression=EXPR evaluate expression\n\
+ -f, --file=FILE evaluate contents of file\n\
++ -S, --sandbox disable the ! (system) command\n\
+ -h, --help display this help and exit\n\
+ -V, --version output version information and exit\n\
+ \n\
+@@ -252,6 +254,7 @@ main DC_DECLARG((argc, argv))
+ static struct option const long_opts[] = {
+ {"expression", required_argument, NULL, 'e'},
+ {"file", required_argument, NULL, 'f'},
++ {"sandbox", no_argument, NULL, 'S'},
+ {"help", no_argument, NULL, 'h'},
+ {"version", no_argument, NULL, 'V'},
+ {NULL, 0, NULL, 0}
+@@ -260,12 +263,13 @@ main DC_DECLARG((argc, argv))
+ int c;
+
+ progname = r1bindex(*argv, '/');
++ dc_sandbox_enabled = 0;
+ dc_math_init();
+ dc_string_init();
+ dc_register_init();
+ dc_array_init();
+
+- while ((c = getopt_long(argc, argv, "hVe:f:", long_opts, (int *)0)) != EOF) {
++ while ((c = getopt_long(argc, argv, "hVe:f:S", long_opts, (int *)0)) != EOF) {
+ switch (c) {
+ case 'e':
+ { dc_data string = dc_makestring(optarg, strlen(optarg));
+@@ -279,6 +283,9 @@ main DC_DECLARG((argc, argv))
+ try_file(optarg);
+ did_eval = 1;
+ break;
++ case 'S':
++ dc_sandbox_enabled = 1;
++ break;
+ case 'h':
+ usage(stdout);
+ return flush_okay();
+diff --git a/dc/dc.h b/dc/dc.h
+index 6a871ad612a5..a148df467a92 100644
+--- a/dc/dc.h
++++ b/dc/dc.h
+@@ -76,4 +76,7 @@ typedef struct {
+ /* This is dc's only global variable: */
+ extern const char *progname; /* basename of program invocation */
+
++/* Whether to run in sandbox mode. */
++extern int dc_sandbox_enabled;
++
+ #endif /* not DC_DEFS_H */
+diff --git a/dc/misc.c b/dc/misc.c
+index cd23602fce32..115be90b03bf 100644
+--- a/dc/misc.c
++++ b/dc/misc.c
+@@ -131,6 +131,12 @@ dc_system DC_DECLARG((s))
+ char *tmpstr;
+ size_t len;
+
++ if (dc_sandbox_enabled) {
++ fprintf(stderr, "%s: ! command disabled in sandbox mode\n",
++ progname);
++ exit(EXIT_FAILURE);
++ }
++
+ p = strchr(s, '\n');
+ if (p != NULL) {
+ len = (size_t) (p - s);
+diff --git a/doc/dc.1 b/doc/dc.1
+index 1c666493e00a..7c4b6fffd616 100644
+--- a/doc/dc.1
++++ b/doc/dc.1
+@@ -84,6 +84,11 @@ to the set of commands to be run while processing the input.
+ Add the commands contained in the file
+ .I script-file
+ to the set of commands to be run while processing the input.
++.TP
++.B -S
++.TP
++.B --sandbox
++Run in sandbox mode where access to \fB!\fR for the system function.
+ .PP
+ If any command-line parameters remain after processing the above,
+ these parameters are interpreted as the names of input files to
+--
+2.17.1
+
diff --git a/sys-devel/bc/metadata.xml b/sys-devel/bc/metadata.xml
index 56c124413057..5bdfef6846f9 100644
--- a/sys-devel/bc/metadata.xml
+++ b/sys-devel/bc/metadata.xml
@@ -5,4 +5,7 @@ base-system@gentoo.org Gentoo Base System + + Always enable --sandbox mode for simpler/secure runtime (disables the ! command in dc) + -- cgit v1.2.3-65-gdbad
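Review bot: `-S` only takes effect from the point where getopt reaches it, because `case 'f'` calls `try_file(optarg)` inside the same option loop (and `case 'e'`, whose body is cut by the hunk, appears to evaluate its string there too), so a script named before `--sandbox` on the command line runs with `!` still enabled. A wrapper that appends the flag after the script arguments gets no protection; either scan argv for `-S`/`--sandbox` before the evaluation loop, or state the ordering requirement in the usage text and man page. The new dc.1 sentence is also incomplete; something like `Run in sandbox mode, where the \fB!\fR (system) command is disabled.` reads correctly. Exiting with `exit(EXIT_FAILURE)` in dc_system is a sound fail-closed choice; dc_system's body continues past the hunk.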