sys-apps/sandbox: Fix opendir sandbox abort with long paths

Shell globbing code could end up calling opendir on a whole command line
with arguments, exceeding 8k characters - for example when libtool gets
passed an -export-symbols-regex with a wildcard.
Due to the length exceeding sandbox internal SB_PATH_MAX, it gets trimmed
internally in sandbox syscall checks (even though opendir isn't an actual
syscall), gets confused and throws an ISE abort.
Fix it by adding a precheck that simply fails early with ENAMETOOLONG on
too long paths, as the real glibc function would do the same.

Fixes large projects hitting sandbox abort inside the driving POSIX shell
globbing function due to a long list of linker arguments (such as many object
files) being passed to libtool together with an -export-symbols-regex with
a wildcard. Known affected packages include graphicsmagick and newer
gnome-builder.

p.masked for a short time as a maintainer timeout, seeking independent
validation as a critical packages non-maintainer revbump.

Gentoo-Bug: 553092
Package-Manager: portage-2.3.3
Signed-off-by: Mart Raudsepp <leio@gentoo.org>

1 files changed, 4 insertions, 0 deletions

diff --git a/profiles/package.mask b/profiles/package.mask
index 438ba4fc28f0..979a78599b59 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -30,6 +30,10 @@
 
 #--- END OF EXAMPLES ---
 
+# Mart Raudsepp <leio@gentoo.org> (30 Dec 2016)
+# Temporary testing mask for non-maintainer commit of a bugfix, #553092
+=sys-apps/sandbox-2.10-r3
+
 # David Seifert <soap@gentoo.org> (29 Dec 2016)
 # Ancient codebase, maintenance nightmare, dead
 # upstream, games-emulation/vbam is spiritual successor