author | Mike Gilbert <floppym@gentoo.org> | 2020-01-16 16:18:12 -0500 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2020-01-17 11:02:35 -0500 |
commit | 1b0f89267a0f0b1d9d7312efe988aaf8d8f84bd2 (patch) | |
tree | cd570e72011266bab0f2d2c21abb6b120ae7b8a9 /sys-apps | |
parent | sys-apps/mawk: remove old (diff) | |
sys-apps/mawk: remove sandbox patches
We can pick up this feature if/when upstream supports it.
Closes: https://github.com/gentoo/gentoo/pull/14359
Package-Manager: Portage-2.3.84_p2, Repoman-2.3.20_p24
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'sys-apps')
-rw-r--r-- | sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch | 91 | ||||
-rw-r--r-- | sys-apps/mawk/files/mawk-1.3.4-sandbox.patch | 141 | ||||
-rw-r--r-- | sys-apps/mawk/mawk-1.3.4_p20190203-r1.ebuild (renamed from sys-apps/mawk/mawk-1.3.4_p20190203.ebuild) | 10 | ||||
-rw-r--r-- | sys-apps/mawk/mawk-1.3.4_p20200106-r1.ebuild (renamed from sys-apps/mawk/mawk-1.3.4_p20200106.ebuild) | 8 | ||||
-rw-r--r-- | sys-apps/mawk/metadata.xml | 3 |
5 files changed, 3 insertions, 250 deletions
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch deleted file mode 100644 index c3b0fc1c892d..000000000000 --- a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -https://github.com/ThomasDickey/original-mawk/issues/49 - -Note: We hand modify the configure file here because the version of autotools -used by upstream is very old/finicky, and it's a simple enough change. - -From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier@chromium.org> -Date: Tue, 7 Nov 2017 01:07:47 -0500 -Subject: [PATCH 2/2] add a configure flag to lock sandbox by default - -This lets us deploy systems with the sandbox always enabled. ---- - configure | 23 +++++++++++++++++++++++ - configure.in | 11 +++++++++++ - init.c | 4 ++++ - 3 files changed, 38 insertions(+) - -diff --git a/configure.in b/configure.in -index 8b795fbd264b..770092005386 100644 ---- a/configure.in -+++ b/configure.in -@@ -112,6 +112,17 @@ fi - AC_MSG_RESULT($with_init_srand) - - ############################################################################### -+AC_MSG_CHECKING(if you want mawk to always run in sandbox mode) -+CF_ARG_ENABLE([forced-sandbox], -+[ --enable-forced-sandbox always run in sandbox mode], -+ [with_forced_sandbox=yes], -+ [with_forced_sandbox=no]) -+if test "x${with_forced_sandbox}" != xno; then -+ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX" -+fi -+AC_MSG_RESULT($with_forced_sandbox) -+ -+############################################################################### - - AC_PROG_YACC - CF_PROG_LINT -diff --git a/init.c b/init.c -index f7babb337e04..e035d6ea2fc0 100644 ---- a/init.c -+++ b/init.c -@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv) - - no_more_opts: - -+#ifdef FORCED_SANDBOX -+ sandbox_flag = 1; -+#endif -+ - tail->link = (PFILE *) 0; - pfile_list = dummy.link; - -diff --git a/configure b/configure -index a3bf42fe9245..442875b8e58a 100755 ---- a/configure -+++ b/configure -@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5 - echo "${ECHO_T}$with_init_srand" >&6 - - ############################################################################### -+echo 
"$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5 -+echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6 -+ -+if test "${enable_forced_sandbox+set}" = set; then -+ enableval="$enable_forced_sandbox" -+ test "$enableval" != yes && enableval=no -+ if test "$enableval" != "no" ; then -+ with_forced_sandbox=yes -+ else -+ with_forced_sandbox=no -+ fi -+else -+ enableval=no -+ with_forced_sandbox=no -+ -+fi; -+if test "x${with_forced_sandbox}" != xno; then -+ CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX" -+fi -+echo "$as_me:4131: result: $with_forced_sandbox" >&5 -+echo "${ECHO_T}$with_forced_sandbox" >&6 -+ -+############################################################################### - - for ac_prog in 'bison -y' byacc - do --- -2.13.5 - diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch deleted file mode 100644 index ae2ccbd50ec1..000000000000 --- a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -https://github.com/ThomasDickey/original-mawk/issues/49 - -From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier@chromium.org> -Date: Tue, 7 Nov 2017 00:41:36 -0500 -Subject: [PATCH 1/2] add a -W sandbox mode - -This is like gawk's sandbox mode where arbitrary code execution and -file redirection are locked down. This way awk can be a more secure -input/output mode. ---- - bi_funct.c | 3 +++ - init.c | 8 ++++++++ - man/mawk.1 | 4 ++++ - mawk.h | 2 +- - scan.c | 6 ++++++ - 5 files changed, 22 insertions(+), 1 deletion(-) - -diff --git a/bi_funct.c b/bi_funct.c -index 7742308c72a5..b524ac8dac8b 100644 ---- a/bi_funct.c -+++ b/bi_funct.c -@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED) - #ifdef HAVE_REAL_PIPES - int ret_val; - -+ if (sandbox_flag) -+ rt_error("'system' function not allowed in sandbox mode"); -+ - TRACE_FUNC("bi_system", sp); - - if (sp->type < C_STRING) -diff --git a/init.c b/init.c -index 0ab17b003f20..f7babb337e04 100644 ---- a/init.c -+++ b/init.c -@@ -40,6 +40,7 @@ typedef enum { - W_RANDOM, - W_SPRINTF, - W_POSIX_SPACE, -+ W_SANDBOX, - W_USAGE - } W_OPTIONS; - -@@ -96,6 +97,7 @@ initialize(int argc, char **argv) - - int dump_code_flag; /* if on dump internal code */ - short posix_space_flag; -+short sandbox_flag; - - #ifdef DEBUG - int dump_RE = 1; /* if on dump compiled REs */ -@@ -153,6 +155,7 @@ usage(void) - " -W random=number set initial random seed.", - " -W sprintf=number adjust size of sprintf buffer.", - " -W posix_space do not consider \"\\n\" a space.", -+ " -W sandbox disable system() and I/O redirection.", - " -W usage show this message and exit.", - }; - size_t n; -@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next) - DATA(RANDOM), - DATA(SPRINTF), - DATA(POSIX_SPACE), -+ DATA(SANDBOX), - DATA(USAGE) - }; - #undef DATA -@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv) - posix_space_flag = 1; - break; - -+ case W_SANDBOX: -+ sandbox_flag = 1; -+ 
break; -+ - case W_RANDOM: - if (haveValue(optNext)) { - int x = atoi(optNext + 1); -diff --git a/man/mawk.1 b/man/mawk.1 -index a3c794167dc9..0915d9d7ed5d 100644 ---- a/man/mawk.1 -+++ b/man/mawk.1 -@@ -150,6 +150,10 @@ forces - \fB\*n\fP - not to consider '\en' to be space. - .TP -+\-\fBW \fRsandbox -+runs in a restricted mode where system(), input redirection (e.g. getline), -+output redirection (e.g. print and printf), and pipelines are disabled. -+.TP - \-\fBW \fRrandom=\fInum\fR - calls \fBsrand\fP with the given parameter - (and overrides the auto-seeding behavior). -diff --git a/mawk.h b/mawk.h -index 2d04be1adb34..a6ccc0071ecc 100644 ---- a/mawk.h -+++ b/mawk.h -@@ -63,7 +63,7 @@ extern int dump_RE; - #define USE_BINMODE 0 - #endif - --extern short posix_space_flag, interactive_flag; -+extern short posix_space_flag, interactive_flag, sandbox_flag; - - /*---------------- - * GLOBAL VARIABLES -diff --git a/scan.c b/scan.c -index 3a8fc9181ab8..c1833b8b7315 100644 ---- a/scan.c -+++ b/scan.c -@@ -455,6 +455,8 @@ yylex(void) - un_next(); - - if (getline_flag) { -+ if (sandbox_flag) -+ rt_error("redirection not allowed in sandbox mode"); - getline_flag = 0; - ct_ret(IO_IN); - } else -@@ -462,6 +464,8 @@ yylex(void) - - case SC_GT: /* '>' */ - if (print_flag && paren_cnt == 0) { -+ if (sandbox_flag) -+ rt_error("redirection not allowed in sandbox mode"); - print_flag = 0; - /* there are 3 types of IO_OUT - -- build the error string in string_buff */ -@@ -488,6 +492,8 @@ yylex(void) - un_next(); - - if (print_flag && paren_cnt == 0) { -+ if (sandbox_flag) -+ rt_error("pipe execution not allowed in sandbox mode"); - print_flag = 0; - yylval.ival = PIPE_OUT; - string_buff[0] = '|'; --- -2.13.5 - diff --git a/sys-apps/mawk/mawk-1.3.4_p20190203.ebuild b/sys-apps/mawk/mawk-1.3.4_p20190203-r1.ebuild index 84b29b099fcf..110cbc7c9a0f 100644 --- a/sys-apps/mawk/mawk-1.3.4_p20190203.ebuild +++ b/sys-apps/mawk/mawk-1.3.4_p20190203-r1.ebuild 
@@ -1,4 +1,4 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -13,7 +13,6 @@ SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz" LICENSE="GPL-2" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos" -IUSE="forced-sandbox" RDEPEND="app-eselect/eselect-awk" DEPEND="${RDEPEND}" @@ -22,14 +21,9 @@ S="${WORKDIR}/${MY_P}" DOCS=( ACKNOWLEDGMENT CHANGES README ) -PATCHES=( - "${FILESDIR}"/${PN}-1.3.4-sandbox.patch - "${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch -) - src_configure() { tc-export BUILD_CC - econf $(use_enable forced-sandbox) + econf } src_install() { diff --git a/sys-apps/mawk/mawk-1.3.4_p20200106.ebuild b/sys-apps/mawk/mawk-1.3.4_p20200106-r1.ebuild index c0ef9e890ec4..7645505ca1f2 100644 --- a/sys-apps/mawk/mawk-1.3.4_p20200106.ebuild +++ b/sys-apps/mawk/mawk-1.3.4_p20200106-r1.ebuild @@ -13,7 +13,6 @@ SRC_URI="https://invisible-mirror.net/archives/${PN}/${MY_P}.tgz" LICENSE="GPL-2" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos" -IUSE="forced-sandbox" RDEPEND="app-eselect/eselect-awk" DEPEND="${RDEPEND}" @@ -22,14 +21,9 @@ S="${WORKDIR}/${MY_P}" DOCS=( ACKNOWLEDGMENT CHANGES README ) -PATCHES=( - "${FILESDIR}"/${PN}-1.3.4-sandbox.patch - "${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch -) - src_configure() { tc-export BUILD_CC - econf $(use_enable forced-sandbox) + econf } src_install() { diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml index fb5ddc9df936..56c124413057 100644 --- a/sys-apps/mawk/metadata.xml +++ b/sys-apps/mawk/metadata.xml 
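Review bot: Dropping `IUSE="forced-sandbox"` and `$(use_enable forced-sandbox)` from src_configure() takes away a hardening option with no notice to users who had it enabled, both here and in the identical hunk for mawk-1.3.4_p20200106-r1.ebuild. With the two patches no longer applied, the checks that rejected system(), redirection and pipe execution are not built, so anything that relied on the flag or passes `-W sandbox` loses that restriction after the rebuild; how the unpatched mawk treats the now-unknown option is not visible on this page and should be confirmed. I would add an upgrade notice to both ebuilds, for example `pkg_postinst() { [[ -n ${REPLACING_VERSIONS} ]] && ewarn "mawk no longer supports -W sandbox; system() and I/O redirection are not restricted"; }`.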
@@ -5,7 +5,4 @@ <email>base-system@gentoo.org</email> <name>Gentoo Base System</name> </maintainer> -<use> - <flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag> -</use> </pkgmetadata> |