authorLars Wendler <polynomial-c@gentoo.org>2018-02-08 12:56:06 +0100
committerLars Wendler <polynomial-c@gentoo.org>2018-02-08 12:56:55 +0100
commit8607cad379185ee6b427dc78dcf7c5fcd90de541 (patch)
tree057dac492556745fbf8852abf0f9598144a76647 /sys-apps/man-db
parentapp-shells/rrs: [QA] apply PATCHES (diff)
sys-apps/man-db: Revump to drop seccomp again. It segfaults.
Might re-add seccomp once 2.8.1 has been released. Package-Manager: Portage-2.3.24, Repoman-2.3.6
Diffstat (limited to 'sys-apps/man-db')
-rw-r--r--sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch120
-rw-r--r--sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch126
-rw-r--r--sys-apps/man-db/man-db-2.8.0-r2.ebuild (renamed from sys-apps/man-db/man-db-2.8.0-r1.ebuild)7
3 files changed, 2 insertions, 251 deletions
diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
deleted file mode 100644
index 87db57afb9eb..000000000000
--- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Wed, 7 Feb 2018 12:23:15 +0000
-Subject: Refactor do_system_drop_privs
-
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
-
-* lib/security.c (drop_privs): New function.
-(do_system_drop_privs_child, do_system_drop_privs): Remove.
-* lib/security.h (drop_privs): Add prototype.
-(do_system_drop_privs): Remove prototype.
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
-command.
-(format_display): Call browser using pipeline_run rather than
-do_system_drop_privs, since it now has a pre-exec hook to drop
-privileges.
----
- lib/security.c | 37 +++----------------------------------
- lib/security.h | 2 +-
- src/man.c | 7 +++++--
- 3 files changed, 9 insertions(+), 37 deletions(-)
-
-diff --git a/lib/security.c b/lib/security.c
-index 6e84de8..c9b365d 100644
---- a/lib/security.c
-+++ b/lib/security.c
-@@ -158,42 +158,11 @@ void regain_effective_privs (void)
- #endif /* MAN_OWNER */
- }
-
--#ifdef MAN_OWNER
--void do_system_drop_privs_child (void *data)
-+/* Pipeline command pre-exec hook to permanently drop privileges. */
-+void drop_privs (void *data ATTRIBUTE_UNUSED)
- {
-- pipeline *p = data;
--
-+#ifdef MAN_OWNER
- if (idpriv_drop ())
- gripe_set_euid ();
-- exit (pipeline_run (p));
--}
--#endif /* MAN_OWNER */
--
--/* The safest way to execute a pipeline with no effective privileges is to
-- * fork, permanently drop privileges in the child, run the pipeline from the
-- * child, and wait for it to die.
-- *
-- * It is possible to use saved IDs to avoid the fork, since effective IDs
-- * are copied to saved IDs on execve; we used to do this. However, forking
-- * is not expensive enough to justify the extra code.
-- *
-- * Note that this frees the supplied pipeline.
-- */
--int do_system_drop_privs (pipeline *p)
--{
--#ifdef MAN_OWNER
-- pipecmd *child_cmd;
-- pipeline *child;
-- int status;
--
-- child_cmd = pipecmd_new_function ("unprivileged child",
-- do_system_drop_privs_child, NULL, p);
-- child = pipeline_new_commands (child_cmd, NULL);
-- status = pipeline_run (child);
--
-- pipeline_free (p);
-- return status;
--#else /* !MAN_OWNER */
-- return pipeline_run (p);
- #endif /* MAN_OWNER */
- }
-diff --git a/lib/security.h b/lib/security.h
-index 7545502..851127d 100644
---- a/lib/security.h
-+++ b/lib/security.h
-@@ -27,7 +27,7 @@
- /* security.c */
- extern void drop_effective_privs (void);
- extern void regain_effective_privs (void);
--extern int do_system_drop_privs (struct pipeline *p);
-+extern void drop_privs (void *data);
- extern void init_security (void);
- extern int running_setuid (void);
- extern struct passwd *get_man_owner (void);
-diff --git a/src/man.c b/src/man.c
-index 959d6cc..ff7ebc7 100644
---- a/src/man.c
-+++ b/src/man.c
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
- static pipeline *make_browser (const char *pattern, const char *file)
- {
- pipeline *p;
-+ pipecmd *cmd;
- char *browser = xmalloc (1);
- int found_percent_s = 0;
- char *percent;
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
- free (esc_file);
- }
-
-- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
-+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
-+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
-+ p = pipeline_new_commands (cmd, NULL);
- pipeline_ignore_signals (p, 1);
- free (browser);
-
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
- pipeline *browser;
- debug ("Trying browser: %s\n", candidate);
- browser = make_browser (candidate, htmlfile);
-- disp_status = do_system_drop_privs (browser);
-+ disp_status = pipeline_run (browser);
- if (!disp_status)
- break;
- }
---
-cgit v1.0-41-gc330
-
diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
deleted file mode 100644
index f513ee8cca67..000000000000
--- a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Wed, 7 Feb 2018 13:44:30 +0000
-Subject: [PATCH] Fix manconv under seccomp when man is setuid
-
-We must drop privileges before loading the sandbox.
-
-Reported by Lars Wendler.
-
-* src/manconv_client.c (manconv_pre_exec): New function.
-(manconv_stdin): Move setuid hack to ...
-(add_manconv): ... here, now implemented using a custom pre-exec hook.
-We no longer have a fall-through if dropping privileges fails, since
-that's now harder to do and wasn't really necessary in the first place.
----
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
- 1 file changed, 45 insertions(+), 35 deletions(-)
-
-diff --git a/src/manconv_client.c b/src/manconv_client.c
-index d6e010b0..41ce4790 100644
---- a/src/manconv_client.c
-+++ b/src/manconv_client.c
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
- struct manconv_codes *codes = data;
- pipeline *p;
-
--#ifdef MAN_OWNER
-- /* iconv_open may not work correctly in setuid processes; in GNU
-- * libc, gconv modules may be linked against other gconv modules and
-- * rely on RPATH $ORIGIN to load those modules from the correct
-- * path, but $ORIGIN is disabled in setuid processes. It is
-- * impossible to reset libc's idea of setuidness without creating a
-- * whole new process image. Therefore, if the calling process is
-- * setuid, we must drop privileges and execute manconv.
-- *
-- * If dropping privileges fails, fall through to the in-process
-- * code, as in some situations it may actually manage to work.
-- */
-- if (running_setuid () && !idpriv_drop ()) {
-- char **from_code;
-- char *sources = NULL;
-- pipecmd *cmd;
--
-- for (from_code = codes->from; *from_code; ++from_code) {
-- sources = appendstr (sources, *from_code, NULL);
-- if (*(from_code + 1))
-- sources = appendstr (sources, ":", NULL);
-- }
--
-- cmd = pipecmd_new_args (MANCONV, "-f", sources,
-- "-t", codes->to, NULL);
-- free (sources);
--
-- if (quiet >= 2)
-- pipecmd_arg (cmd, "-q");
--
-- pipecmd_exec (cmd);
-- /* never returns */
-- }
--#endif /* MAN_OWNER */
--
- p = decompress_fdopen (dup (STDIN_FILENO));
- pipeline_start (p);
- manconv (p, codes->from, codes->to);
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
- pipeline_free (p);
- }
-
-+#ifdef MAN_OWNER
-+static void manconv_pre_exec (void *data)
-+{
-+ /* We must drop privileges before loading the sandbox, since our
-+ * seccomp filter doesn't allow setresuid and friends.
-+ */
-+ drop_privs (NULL);
-+ sandbox_load (data);
-+}
-+#endif /* MAN_OWNER */
-+
- static void free_manconv_codes (void *data)
- {
- struct manconv_codes *codes = data;
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
- name = appendstr (name, " -t ", codes->to, NULL);
- if (quiet >= 2)
- name = appendstr (name, " -q", NULL);
-+
-+#ifdef MAN_OWNER
-+ /* iconv_open may not work correctly in setuid processes; in GNU
-+ * libc, gconv modules may be linked against other gconv modules and
-+ * rely on RPATH $ORIGIN to load those modules from the correct
-+ * path, but $ORIGIN is disabled in setuid processes. It is
-+ * impossible to reset libc's idea of setuidness without creating a
-+ * whole new process image. Therefore, if the calling process is
-+ * setuid, we must drop privileges and execute manconv.
-+ */
-+ if (running_setuid ()) {
-+ char **from_code;
-+ char *sources = NULL;
-+
-+ cmd = pipecmd_new_args (MANCONV, "-f", NULL);
-+ for (from_code = codes->from; *from_code; ++from_code) {
-+ sources = appendstr (sources, *from_code, NULL);
-+ if (*(from_code + 1))
-+ sources = appendstr (sources, ":", NULL);
-+ }
-+ pipecmd_arg (cmd, sources);
-+ free (sources);
-+ pipecmd_args (cmd, "-t", codes->to, NULL);
-+ if (quiet >= 2)
-+ pipecmd_arg (cmd, "-q");
-+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
-+ sandbox);
-+ free (name);
-+ free_manconv_codes (codes);
-+ pipeline_command (p, cmd);
-+ return;
-+ }
-+#endif /* MAN_OWNER */
-+
- cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
- codes);
- free (name);
---
-2.16.1
-
diff --git a/sys-apps/man-db/man-db-2.8.0-r1.ebuild b/sys-apps/man-db/man-db-2.8.0-r2.ebuild
index 1ff3ca11d5c7..cb7cf8d1c4e8 100644
--- a/sys-apps/man-db/man-db-2.8.0-r1.ebuild
+++ b/sys-apps/man-db/man-db-2.8.0-r2.ebuild
@@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
-IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib"
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
CDEPEND="
!sys-apps/man
@@ -21,7 +21,6 @@ CDEPEND="
berkdb? ( sys-libs/db:= )
gdbm? ( sys-libs/gdbm:= )
!berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
- seccomp? ( sys-libs/libseccomp )
zlib? ( sys-libs/zlib )
"
DEPEND="
@@ -40,8 +39,6 @@ RDEPEND="
PDEPEND="manpager? ( app-text/manpager )"
PATCHES=(
- "${FILESDIR}/${P}-refactor_drop_privs.patch"
- "${FILESDIR}/${P}-seccomp_suid.patch"
"${FILESDIR}/${P}-libseccomp_automagic.patch"
)
@@ -65,7 +62,7 @@ src_configure() {
--with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
$(use_enable nls)
$(use_enable static-libs static)
- $(use_with seccomp libseccomp)
+ --without-libseccomp
--with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
)
econf "${myeconfargs[@]}"
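Review bot: The hard-coded `--without-libseccomp` in this src_configure hunk has no comment, so the ebuild itself does not record that the sandbox is disabled as a temporary workaround rather than by design. The removed seccomp_suid patch shows the sandbox being loaded in the manconv pre-exec hook, so this revision appears to remove a hardening layer from man-db's helper processes. I would add a comment above the flag, for example `# seccomp build segfaults with 2.8.0; restore $(use_with seccomp libseccomp) and the seccomp IUSE flag once 2.8.1 is released`. The first ebuild hunk also drops `seccomp` from IUSE, so users who had that flag set lose the sandbox without notice, and an `ewarn` in pkg_postinst may be worth considering. src_configure begins and ends outside the hunk.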