authorHank Leininger <hlein@korelogic.com>2021-02-08 13:21:30 -0700
committerSam James <sam@gentoo.org>2021-02-09 07:26:41 +0000
commit5c891dd97151555cea24f2793933c85fa0b8e71b (patch)
treecb3000275d1c40dcf30476d9443bea63f91b32f3 /sys-apps
parentprofiles/base/package.use.mask: add dev-ml/mtime javascript mask (diff)
sys-apps/firejail: Version bump, disables overlayfs to fix privesc
New version disables overlayfs, which has a root privesc vuln. Some new profiles and other minor fixes also included. Disable overlayfs USE flag in live ebuild as well. Signed-off-by: Hank Leininger <hlein@korelogic.com> Closes: https://bugs.gentoo.org/769230 Bug: https://bugs.gentoo.org/769542 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Closes: https://github.com/gentoo/gentoo/pull/19377 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/firejail/Manifest1
-rw-r--r--sys-apps/firejail/firejail-0.9.64.4.ebuild97
-rw-r--r--sys-apps/firejail/firejail-9999.ebuild5
3 files changed, 100 insertions, 3 deletions
diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest
index c58b96b657aa..e0b97ae01576 100644
--- a/sys-apps/firejail/Manifest
+++ b/sys-apps/firejail/Manifest
@@ -1 +1,2 @@
+DIST firejail-0.9.64.4.tar.xz 431116 BLAKE2B 1e64af1459cdbd6e753299796b2521efdc1fe364a66b8f0f40df1adabec32d0673cb9805a2ab385b96b64aca16e038e615ab1e4dc4df1dbcaa0b5b24f54c89d0 SHA512 580a074cb40e7559f6d532418b5e05e042c30306e8507d32ac3c71a51dec6648035ad810d253da02caaa4adc41f773dfdab55528618f5ca30ff30d4e7bbd12c9
DIST firejail-0.9.64.tar.xz 419464 BLAKE2B 9425910bd78739dc628a05247877f3e96065f9eab6be1fa87a70932ff04a53817e03cd67a81b35b0e5a69b5598fc5be9d6191f9c5c2bf511bc76c1edaf0eb22d SHA512 89bab9aee944ebde6221a96f0f028380f607cd49046cad5348d5974efcc92c50a172edf5e50c56606091d2060d1d8f0c50a41f05f63327672a3c3cb48eb93699
diff --git a/sys-apps/firejail/firejail-0.9.64.4.ebuild b/sys-apps/firejail/firejail-0.9.64.4.ebuild
new file mode 100644
index 000000000000..1542ba12484b
--- /dev/null
+++ b/sys-apps/firejail/firejail-0.9.64.4.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit toolchain-funcs python-single-r1 linux-info
+
+if [[ ${PV} != 9999 ]]; then
+ KEYWORDS="~amd64 ~arm64 ~x86"
+ SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
+else
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
+ EGIT_BRANCH="master"
+fi
+
+DESCRIPTION="Security sandbox for any type of processes"
+HOMEPAGE="https://firejail.wordpress.com/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist"
+RESTRICT="!test? ( test )"
+
+RDEPEND="!sys-apps/firejail-lts
+ apparmor? ( sys-libs/libapparmor )
+ contrib? ( ${PYTHON_DEPS} )
+ dbusproxy? ( sys-apps/xdg-dbus-proxy )"
+
+DEPEND="${RDEPEND}
+ sys-libs/libseccomp
+ test? ( dev-tcltk/expect )"
+
+REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ find -type f -name Makefile.in -exec sed -i -r -e '/^\tinstall .*COPYING /d; /CFLAGS/s: (-O2|-ggdb) : :g' {} + || die
+
+ sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' ./src/common.mk.in || die
+
+ # remove compression of man pages
+ sed -i -r -e '/rm -f \$\$man.gz; \\/d; /gzip -9n \$\$man; \\/d; s|\*\.([[:digit:]])\) install -m 0644 \$\$man\.gz|\*\.\1\) install -m 0644 \$\$man|g' Makefile.in || die
+
+ if use contrib; then
+ python_fix_shebang -f contrib/*.py
+ fi
+
+ # some tests were missing from this release's tarball
+ if use test; then
+ sed -i -r -e 's/^(test:.*) test-private-lib (.*)/\1 \2/; s/^(test:.*) test-fnetfilter (.*)/\1 \2/' Makefile.in || die
+ fi
+}
+
+src_configure() {
+ econf \
+ --disable-firetunnel \
+ $(use_enable apparmor) \
+ $(use_enable chroot) \
+ $(use_enable dbusproxy) \
+ $(use_enable file-transfer) \
+ $(use_enable globalcfg) \
+ $(use_enable network) \
+ $(use_enable private-home) \
+ $(use_enable suid) \
+ $(use_enable userns) \
+ $(use_enable whitelist) \
+ $(use_enable X x11)
+}
+
+src_compile() {
+ emake CC="$(tc-getCC)"
+}
+
+src_install() {
+ default
+
+ if use contrib; then
+ python_scriptinto /usr/$(get_libdir)/firejail
+ python_doscript contrib/*.py
+ insinto /usr/$(get_libdir)/firejail
+ dobin contrib/*.sh
+ fi
+}
+
+pkg_postinst() {
+ CONFIG_CHECK="~SQUASHFS"
+ local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode"
+ check_extra_config
+}
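Review bot: In src_install, `insinto /usr/$(get_libdir)/firejail` has no effect on the `dobin contrib/*.sh` that follows, because insinto only sets the destination for doins; the contrib shell scripts therefore land in the bin directory on PATH rather than beside the Python scripts. If the libdir location is what was intended (the insinto line suggests so), use `exeinto /usr/$(get_libdir)/firejail` followed by `doexe contrib/*.sh`; otherwise drop the insinto line. Separately, pkg_setup calls `python-single-r1_pkg_setup` unconditionally although PYTHON_DEPS and PYTHON_REQUIRED_USE are only applied under `contrib`, so `use contrib && python-single-r1_pkg_setup` would match the dependency declaration.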
diff --git a/sys-apps/firejail/firejail-9999.ebuild b/sys-apps/firejail/firejail-9999.ebuild
index 7a15ae3bdeb6..7c0a516bf0c5 100644
--- a/sys-apps/firejail/firejail-9999.ebuild
+++ b/sys-apps/firejail/firejail-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/"
LICENSE="GPL-2"
SLOT="0"
-IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +overlayfs +private-home +suid test +userns +whitelist"
+IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist"
RESTRICT="!test? ( test )"
RDEPEND="!sys-apps/firejail-lts
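Review bot: Dropping `+overlayfs` from IUSE here, together with the `$(use_enable overlayfs)` removal in the src_configure hunk that follows, leaves nothing in the ebuild that records why the feature is unavailable. For a live ebuild the effective state then depends entirely on whatever upstream master's configure defaults to at build time. A comment above IUSE such as `# overlayfs deliberately not exposed (root privesc), bug #769542` would keep the flag from being re-added by accident; this assumes 769542 is the security bug, which the commit message references without closing. If upstream later offers a configure switch for overlayfs again, passing its disable form explicitly in econf would be safer than relying on the default, though nothing in this diff shows whether such a switch currently exists.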
@@ -63,7 +63,6 @@ src_configure() {
$(use_enable file-transfer) \
$(use_enable globalcfg) \
$(use_enable network) \
- $(use_enable overlayfs) \
$(use_enable private-home) \
$(use_enable suid) \
$(use_enable userns) \