From 5c891dd97151555cea24f2793933c85fa0b8e71b Mon Sep 17 00:00:00 2001
From: Hank Leininger
Date: Mon, 8 Feb 2021 13:21:30 -0700
Subject: sys-apps/firejail: Version bump, disables overlayfs to fix privesc
New version disables overlayfs, which has a root privesc vuln. Some new profiles and other minor fixes also included. Disable overlayfs USE flag in live ebuild as well.
Signed-off-by: Hank Leininger
Closes: https://bugs.gentoo.org/769230
Bug: https://bugs.gentoo.org/769542
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Closes: https://github.com/gentoo/gentoo/pull/19377
Signed-off-by: Sam James
---
 sys-apps/firejail/Manifest | 1 +
 sys-apps/firejail/firejail-0.9.64.4.ebuild | 97 ++++++++++++++++++++++++++++++
 sys-apps/firejail/firejail-9999.ebuild | 5 +-
 3 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 sys-apps/firejail/firejail-0.9.64.4.ebuild
(limited to 'sys-apps')
diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest
index c58b96b657aa..e0b97ae01576 100644
--- a/sys-apps/firejail/Manifest
+++ b/sys-apps/firejail/Manifest
@@ -1 +1,2 @@
+DIST firejail-0.9.64.4.tar.xz 431116 BLAKE2B 1e64af1459cdbd6e753299796b2521efdc1fe364a66b8f0f40df1adabec32d0673cb9805a2ab385b96b64aca16e038e615ab1e4dc4df1dbcaa0b5b24f54c89d0 SHA512 580a074cb40e7559f6d532418b5e05e042c30306e8507d32ac3c71a51dec6648035ad810d253da02caaa4adc41f773dfdab55528618f5ca30ff30d4e7bbd12c9
 DIST firejail-0.9.64.tar.xz 419464 BLAKE2B 9425910bd78739dc628a05247877f3e96065f9eab6be1fa87a70932ff04a53817e03cd67a81b35b0e5a69b5598fc5be9d6191f9c5c2bf511bc76c1edaf0eb22d SHA512 89bab9aee944ebde6221a96f0f028380f607cd49046cad5348d5974efcc92c50a172edf5e50c56606091d2060d1d8f0c50a41f05f63327672a3c3cb48eb93699
diff --git a/sys-apps/firejail/firejail-0.9.64.4.ebuild b/sys-apps/firejail/firejail-0.9.64.4.ebuild
new file mode 100644
index 000000000000..1542ba12484b
--- /dev/null
+++ b/sys-apps/firejail/firejail-0.9.64.4.ebuild 
@@ -0,0 +1,97 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7..9} )
+
+inherit toolchain-funcs python-single-r1 linux-info
+
+if [[ ${PV} != 9999 ]]; then
+ KEYWORDS="~amd64 ~arm64 ~x86"
+ SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
+else
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
+ EGIT_BRANCH="master"
+fi
+
+DESCRIPTION="Security sandbox for any type of processes"
+HOMEPAGE="https://firejail.wordpress.com/"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist"
+RESTRICT="!test? ( test )"
+
+RDEPEND="!sys-apps/firejail-lts
+ apparmor? ( sys-libs/libapparmor )
+ contrib? ( ${PYTHON_DEPS} )
+ dbusproxy? ( sys-apps/xdg-dbus-proxy )"
+
+DEPEND="${RDEPEND}
+ sys-libs/libseccomp
+ test? ( dev-tcltk/expect )"
+
+REQUIRED_USE="contrib? 
( ${PYTHON_REQUIRED_USE} )"
+
+pkg_setup() {
+ python-single-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ find -type f -name Makefile.in -exec sed -i -r -e '/^\tinstall .*COPYING /d; /CFLAGS/s: (-O2|-ggdb) : :g' {} + || die
+
+ sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' ./src/common.mk.in || die
+
+ # remove compression of man pages
+ sed -i -r -e '/rm -f \$\$man.gz; \\/d; /gzip -9n \$\$man; \\/d; s|\*\.([[:digit:]])\) install -m 0644 \$\$man\.gz|\*\.\1\) install -m 0644 \$\$man|g' Makefile.in || die
+
+ if use contrib; then
+ python_fix_shebang -f contrib/*.py
+ fi
+
+ # some tests were missing from this release's tarball
+ if use test; then
+ sed -i -r -e 's/^(test:.*) test-private-lib (.*)/\1 \2/; s/^(test:.*) test-fnetfilter (.*)/\1 \2/' Makefile.in || die
+ fi
+}
+
+src_configure() {
+ econf \
+ --disable-firetunnel \
+ $(use_enable apparmor) \
+ $(use_enable chroot) \
+ $(use_enable dbusproxy) \
+ $(use_enable file-transfer) \
+ $(use_enable globalcfg) \
+ $(use_enable network) \
+ $(use_enable private-home) \
+ $(use_enable suid) \
+ $(use_enable userns) \
+ $(use_enable whitelist) \
+ $(use_enable X x11)
+}
+
+src_compile() {
+ emake CC="$(tc-getCC)"
+}
+
+src_install() {
+ default
+
+ if use contrib; then
+ python_scriptinto /usr/$(get_libdir)/firejail
+ python_doscript contrib/*.py
+ insinto /usr/$(get_libdir)/firejail
+ dobin contrib/*.sh
+ fi
+}
+
+pkg_postinst() {
+ CONFIG_CHECK="~SQUASHFS"
+ local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode"
+ check_extra_config
+}
diff --git a/sys-apps/firejail/firejail-9999.ebuild b/sys-apps/firejail/firejail-9999.ebuild
index 7a15ae3bdeb6..7c0a516bf0c5 100644
--- a/sys-apps/firejail/firejail-9999.ebuild
+++ b/sys-apps/firejail/firejail-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7 
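Review bot: Neither src_configure in this new ebuild nor the matching src_configure and IUSE hunks in firejail-9999.ebuild record why no overlayfs option is passed any more, so the build now silently depends on upstream's configure default for the feature the commit message describes as a root privilege escalation. A comment above `econf \` such as `# overlayfs deliberately not enabled: root privesc, see https://bugs.gentoo.org/769542` would stop the flag being reintroduced on the next version bump, and if this release's configure still accepts the switch, passing `--disable-overlayfs` next to `--disable-firetunnel` pins the intent instead of relying on the default. Separately, in src_install the `insinto /usr/$(get_libdir)/firejail` line has no effect on the `dobin contrib/*.sh` that follows: dobin always installs into /usr/bin, so the shell helpers land on PATH rather than beside the Python scripts. If the libdir location is intended, use `exeinto /usr/$(get_libdir)/firejail` followed by `doexe contrib/*.sh`; otherwise drop the stray insinto line.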
@@ -21,7 +21,7 @@ HOMEPAGE="https://firejail.wordpress.com/"
 LICENSE="GPL-2"
 SLOT="0"
-IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +overlayfs +private-home +suid test +userns +whitelist"
+IUSE="X apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home +suid test +userns +whitelist"
 RESTRICT="!test? ( test )"
 RDEPEND="!sys-apps/firejail-lts
@@ -63,7 +63,6 @@ src_configure() {
 $(use_enable file-transfer) \
 $(use_enable globalcfg) \
 $(use_enable network) \
- $(use_enable overlayfs) \
 $(use_enable private-home) \
 $(use_enable suid) \
 $(use_enable userns) \
-- cgit v1.2.3-65-gdbad