author | Robin H. Johnson <robbat2@gentoo.org> | 2008-06-27 16:44:42 +0000 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2008-06-27 16:44:42 +0000 |
commit | 3e556643e891b30c284904cbdfac4363c3fecc83 (patch) | |
tree | cf837378725e7384eb3fab920ac04ff535f8490f /sys-apps | |
parent | Version bump. (diff) | |
Fix for bug #206678. Variations of it have been running on infra boxes for two months now; we seem to have traced it down to RTLD_NEXT not always having a usable value under hardened on new libc.
(Portage version: 2.2_rc1/cvs/Linux 2.6.26-rc4-00103-g1beee8d x86_64)
Diffstat (limited to 'sys-apps')
-rw-r--r-- | sys-apps/sandbox/ChangeLog | 13 | ||||
-rw-r--r-- | sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch | 43 | ||||
-rw-r--r-- | sys-apps/sandbox/sandbox-1.2.18.1-r3.ebuild | 122 |
3 files changed, 176 insertions, 2 deletions
diff --git a/sys-apps/sandbox/ChangeLog b/sys-apps/sandbox/ChangeLog
index 3e66ff29b0e1..f3d7b4f8a649 100644
--- a/sys-apps/sandbox/ChangeLog
+++ b/sys-apps/sandbox/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for sys-apps/sandbox
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/ChangeLog,v 1.88 2007/11/04 18:18:49 flameeyes Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/ChangeLog,v 1.89 2008/06/27 16:44:42 robbat2 Exp $
+
+*sandbox-1.2.18.1-r3 (27 Jun 2008)
+
+ 27 Jun 2008; Robin H. Johnson <robbat2@gentoo.org>
+ +files/sandbox-1.2.18.1-rtld-validation.patch,
+ +sandbox-1.2.18.1-r3.ebuild:
+ Fix for bug #206678. Variations of it have been running on infra boxes for
+ two months now, we seem to have traced it down to RTLD_NEXT not always
+ having a usable value under hardened on new libc.
 
 *sandbox-1.2.20_alpha2-r1 (04 Nov 2007)
 
diff --git a/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch b/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch
new file mode 100644
index 000000000000..36e96f5779c9
--- /dev/null
+++ b/sys-apps/sandbox/files/sandbox-1.2.18.1-rtld-validation.patch
@@ -0,0 +1,43 @@
+From: Robin H. Johnson <robbat2@gentoo.org>
+Gentoo-Bug: 206678
+X-Gentoo-URL: http://bugs.gentoo.org/show_bug.cgi?id=206678
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+Based on a previous revision by solar@gentoo.org.
+It seems that on hardened systems, USE_RTLD_NEXT is not always usable, and this
+trips up sandbox.
+
+diff -Nuar sandbox-1.2.18.1.orig/src/libsandbox.c sandbox-1.2.18.1/src/libsandbox.c
+--- sandbox-1.2.18.1.orig/src/libsandbox.c 2008-06-27 16:15:53.000000000 +0000
++++ sandbox-1.2.18.1/src/libsandbox.c 2008-06-27 16:20:26.000000000 +0000
+@@ -192,18 +192,24 @@
+ {
+ void *symaddr = NULL;
+
+- if (NULL == libc_handle) {
+-#if !defined(USE_RTLD_NEXT)
++#if defined(USE_RTLD_NEXT)
++ libc_handle = RTLD_NEXT;
++#endif
++
++ /* Checking for -1UL is significent on hardened!
++ * USE_RTLD_NEXT returns it as a sign of being unusable.
++ * However using !x or NULL checks does NOT pick it up!
++ */
++#define INVALID_LIBC_HANDLE(x) (!x || NULL == x || -1UL == x)
++ if (INVALID_LIBC_HANDLE(libc_handle)) {
+ libc_handle = dlopen(LIBC_VERSION, RTLD_LAZY);
+- if (!libc_handle) {
++ if (INVALID_LIBC_HANDLE(libc_handle)) {
+ fprintf(stderr, "libsandbox: Can't dlopen libc: %s\n",
+ dlerror());
+ exit(EXIT_FAILURE);
+ }
+-#else
+- libc_handle = RTLD_NEXT;
+-#endif
+ }
++#undef INVALID_LIBC_HANDLE
+
+ if (NULL == symver)
+ symaddr = dlsym(libc_handle, symname);
diff --git a/sys-apps/sandbox/sandbox-1.2.18.1-r3.ebuild b/sys-apps/sandbox/sandbox-1.2.18.1-r3.ebuild
new file mode 100644
index 000000000000..713a56ec0425
--- /dev/null
+++ b/sys-apps/sandbox/sandbox-1.2.18.1-r3.ebuild
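Review bot: The `-1UL == x` test in `INVALID_LIBC_HANDLE` compares an integer with a pointer, and on glibc `RTLD_NEXT` is itself defined as `((void *) -1l)`, so with USE_RTLD_NEXT defined the handle assigned just above the macro always looks invalid and the code falls through to `dlopen(LIBC_VERSION, RTLD_LAZY)`. Since the old `if (NULL == libc_handle)` guard is removed and the handle is reset to RTLD_NEXT on entry, that dlopen appears to repeat on every lookup rather than once (libc_handle is declared outside the hunk, so this assumes it persists across calls; the function also starts and ends outside the hunk). If always resolving from LIBC_VERSION is the intent, the comment should say so rather than describe -1 as an error return, and the assignment can stay guarded: `if (NULL == libc_handle) libc_handle = RTLD_NEXT;` with the macro written as `(NULL == (x) || (void *)-1L == (x))`.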
@@ -0,0 +1,122 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sandbox/sandbox-1.2.18.1-r3.ebuild,v 1.1 2008/06/27 16:44:42 robbat2 Exp $
+
+#
+# don't monkey with this ebuild unless contacting portage devs.
+# period.
+#
+
+inherit eutils flag-o-matic eutils toolchain-funcs multilib
+
+DESCRIPTION="sandbox'd LD_PRELOAD hack"
+HOMEPAGE="http://www.gentoo.org/"
+SRC_URI="mirror://gentoo/${P}.tar.bz2
+ http://dev.gentoo.org/~azarah/sandbox/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE=""
+
+DEPEND=""
+
+EMULTILIB_PKG="true"
+
+setup_multilib() {
+ if use amd64 && has_m32 && [[ ${CONF_MULTILIBDIR} == "lib32" ]]; then
+ export DEFAULT_ABI="amd64"
+ export MULTILIB_ABIS="x86 amd64"
+ export CFLAGS_amd64=${CFLAGS_amd64:-"-m64"}
+ export CFLAGS_x86=${CFLAGS_x86-"-m32 -L/emul/linux/x86/lib -L/emul/linux/x86/usr/lib"}
+ export CHOST_amd64="x86_64-pc-linux-gnu"
+ export CHOST_x86="i686-pc-linux-gnu"
+ export LIBDIR_amd64=${LIBDIR_amd64-${CONF_LIBDIR}}
+ export LIBDIR_x86=${LIBDIR_x86-${CONF_MULTILIBDIR}}
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-open-normal-fail.patch #135745
+ epatch "${FILESDIR}"/${P}-open-cloexec.patch #196720
+ epatch "${FILESDIR}"/${P}-rtld-validation.patch #206678
+}
+
+abi_fail_check() {
+ local ABI=$1
+ if [[ ${ABI} == "x86" ]] ; then
+ echo
+ eerror "Building failed for ABI=x86!. This usually means a broken"
+ eerror "multilib setup. Please fix that before filling a bugreport"
+ eerror "against sandbox."
+ echo
+ fi
+}
+
+src_compile() {
+ local myconf
+ local iscross=0
+
+ setup_multilib
+
+ filter-lfs-flags #90228
+
+ has_multilib_profile && myconf="--enable-multilib"
+
+ ewarn "If configure fails with a 'cannot run C compiled programs' error, try this:"
+ ewarn "FEATURES=-sandbox emerge sandbox"
+
+ [[ -n ${CBUILD} && ${CBUILD} != ${CHOST} ]] && iscross=1
+
+ OABI=${ABI}
+ OCHOST=${CHOST}
+ for ABI in $(get_install_abis); do
+ mkdir "${WORKDIR}/build-${ABI}-${OCHOST}"
+ cd "${WORKDIR}/build-${ABI}-${OCHOST}"
+
+ # Needed for older broken portage versions (bug #109036)
+ has_version '<sys-apps/portage-2.0.51.22' && \
+ unset EXTRA_ECONF
+
+ export ABI
+ export CHOST=$(get_abi_CHOST)
+ [[ ${iscross} == 0 ]] && export CBUILD=${CHOST}
+
+ einfo "Configuring sandbox for ABI=${ABI}..."
+ ECONF_SOURCE="../${P}/" \
+ econf --libdir="/usr/$(get_libdir)" ${myconf}
+ einfo "Building sandbox for ABI=${ABI}..."
+ emake || {
+ abi_fail_check "${ABI}"
+ die "emake failed for ${ABI}"
+ }
+ done
+ ABI=${OABI}
+ CHOST=${OCHOST}
+}
+
+src_install() {
+ setup_multilib
+
+ OABI=${ABI}
+ for ABI in $(get_install_abis); do
+ cd "${WORKDIR}/build-${ABI}-${CHOST}"
+ einfo "Installing sandbox for ABI=${ABI}..."
+ make DESTDIR="${D}" install || die "make install failed for ${ABI}"
+ done
+ ABI=${OABI}
+
+ keepdir /var/log/sandbox
+ fowners root:portage /var/log/sandbox
+ fperms 0770 /var/log/sandbox
+
+ cd "${S}"
+ dodoc AUTHORS ChangeLog NEWS README
+}
+
+pkg_preinst() {
+ chown root:portage "${D}"/var/log/sandbox
+ chmod 0770 "${D}"/var/log/sandbox
+} |
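Review bot: In pkg_preinst the `chown root:portage` and `chmod 0770` on `"${D}"/var/log/sandbox` are unchecked, so a failure would silently leave the sandbox log directory with whatever owner and mode the image already had; append `|| die` to both, e.g. `chmod 0770 "${D}"/var/log/sandbox || die "chmod failed"`. The same applies to the `mkdir`/`cd` pair at the top of the ABI loop in src_compile and to the `cd` in src_install's loop, where a failed `cd` would run `econf` or `make install` from the wrong directory. The `inherit` line also lists `eutils` twice.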