commit: 61acdcd13e97339d20c3058a211ee5599831748d
Author: Mike Frysinger <vapier <AT> chromium <DOT> org>
AuthorDate: Mon Mar 5 18:28:50 2018 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Mon Mar 5 18:32:18 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61acdcd1
sys-apps/sed: add USE=forced-sandbox to always enable --sandbox
For building locked down systems, it's nice to be able to force all
awk scripts into a sane/secure mode.
sys-apps/sed/metadata.xml | 3 ++
sys-apps/sed/sed-4.4-r1.ebuild | 66 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+)
diff --git a/sys-apps/sed/metadata.xml b/sys-apps/sed/metadata.xml
index b738f8c54a0..ea2a7bdbf75 100644
--- a/sys-apps/sed/metadata.xml
+++ b/sys-apps/sed/metadata.xml
@@ -8,4 +8,7 @@
<upstream>
<remote-id type="sourceforge">sed</remote-id>
</upstream>
+<use>
+ <flag name="forced-sandbox">Always enable --sandbox mode for
simpler/secure runtime (disables e/r/w commands)</flag>
+</use>
</pkgmetadata>
diff --git a/sys-apps/sed/sed-4.4-r1.ebuild b/sys-apps/sed/sed-4.4-r1.ebuild
new file mode 100644
index 00000000000..26c3858da53
--- /dev/null
+++ b/sys-apps/sed/sed-4.4-r1.ebuild
@@ -0,0 +1,66 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Super-useful stream editor"
+HOMEPAGE="http://sed.sourceforge.net/"
+SRC_URI="mirror://gnu/sed/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390
~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="acl forced-sandbox nls selinux static"
+
+RDEPEND="acl? ( virtual/acl )
+ nls? ( virtual/libintl )
+ selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+ nls? ( sys-devel/gettext )"
+
+src_bootstrap_sed() {
+ # make sure system-sed works #40786
+ export NO_SYS_SED=""
+ if ! type -p sed > /dev/null ; then
+ NO_SYS_SED="!!!"
+ ./bootstrap.sh || die "couldnt bootstrap"
+ cp sed/sed "${T}"/ || die "couldnt copy"
+ export PATH="${PATH}:${T}"
+ emake clean
+ fi
+}
+
+src_prepare() {
+ # Don't use sed before bootstrap if we have to recover a broken host
sed.
+ src_bootstrap_sed
+
+ if use forced-sandbox ; then
+ # Upstream doesn't want to add a configure flag for this.
+ #
https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html
+ sed -i \
+ -e '/^bool sandbox = false;/s:false:true:' \
+ sed/sed.c || die
+ # Make sure the sed took.
+ grep -q '^bool sandbox = true;' sed/sed.c || die "forcing
sandbox failed"
+ fi
+}
+
+src_configure() {
+ local myconf=()
+ if use userland_GNU; then
+ myconf+=( --exec-prefix="${EPREFIX}" )
+ else
+ myconf+=( --program-prefix=g )
+ fi
+
+ export ac_cv_search_setfilecon=$(usex selinux -lselinux)
+ export ac_cv_header_selinux_{context,selinux}_h=$(usex selinux)
+ use static && append-ldflags -static
+ myconf+=(
+ $(use_enable acl)
+ $(use_enable nls)
+ )
+ econf "${myconf[@]}"
+}
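Review bot: The `grep -q '^bool sandbox = true;'` check in src_prepare fails closed if the substitution misses, but it only proves the source line was rewritten; nothing in the ebuild confirms that the built binary actually refuses the restricted commands. A post-build check under the flag would close that gap, for example in src_test: `use forced-sandbox && { ./sed/sed -n 'w /dev/null' </dev/null && die "sandbox not enforced" ; }`. Upstream's own test suite presumably exercises `r`/`w`, so the default test phase may need adjusting when the flag is set; this should be confirmed. The block would also benefit from a scope comment such as `# sandbox rejects the e/r/w commands only; -i and files named on the command line still work`, so users building locked-down systems do not read the flag as a general confinement of sed.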