authorMike Frysinger <vapier@chromium.org>2018-03-05 13:10:17 -0500
committerMike Frysinger <vapier@gentoo.org>2018-03-05 13:32:18 -0500
commit0a3af690b27f38bcce7b11f5888cc20ef24009eb (patch)
treea65950f805bf6dcd4c7a428c63b411b063dc1e3e /sys-apps
parentsys-apps/systemd: backports from v237-stable branch (diff)
sys-apps/gawk: add USE=forced-sandbox to always enable --sandbox
For building locked down systems, it's nice to be able to force all awk scripts into a sane/secure mode.
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/gawk/gawk-4.2.1-r1.ebuild93
-rw-r--r--sys-apps/gawk/metadata.xml1
2 files changed, 94 insertions, 0 deletions
diff --git a/sys-apps/gawk/gawk-4.2.1-r1.ebuild b/sys-apps/gawk/gawk-4.2.1-r1.ebuild
new file mode 100644
index 000000000000..3bf1a7e90d2b
--- /dev/null
+++ b/sys-apps/gawk/gawk-4.2.1-r1.ebuild
@@ -0,0 +1,93 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit toolchain-funcs multilib
+
+DESCRIPTION="GNU awk pattern-matching language"
+HOMEPAGE="https://www.gnu.org/software/gawk/gawk.html"
+SRC_URI="mirror://gnu/gawk/${P}.tar.xz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="forced-sandbox mpfr nls readline"
+
+RDEPEND="
+ dev-libs/gmp:0=
+ mpfr? ( dev-libs/mpfr:0= )
+ readline? ( sys-libs/readline:0= )
+"
+DEPEND="${RDEPEND}
+ nls? ( sys-devel/gettext )"
+
+src_prepare() {
+ default
+
+ # use symlinks rather than hardlinks, and disable version links
+ sed -i \
+ -e '/^LN =/s:=.*:= $(LN_S):' \
+ -e '/install-exec-hook:/s|$|\nfoo:|' \
+ Makefile.in doc/Makefile.in || die
+ sed -i '/^pty1:$/s|$|\n_pty1:|' test/Makefile.in #413327
+ # fix standards conflict on Solaris
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ sed -i \
+ -e '/\<_XOPEN_SOURCE\>/s/1$/600/' \
+ -e '/\<_XOPEN_SOURCE_EXTENDED\>/s/1//' \
+ extension/inplace.c || die
+ fi
+
+ if use forced-sandbox ; then
+ # Upstream doesn't want to add a configure flag for this.
+ # https://lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html
+ sed -i \
+ -e '/^int do_flags = false;/s:false:DO_SANDBOX:' \
+ main.c || die
+ # Make sure the sed took.
+ grep -q '^int do_flags = DO_SANDBOX;' main.c || die "forcing sandbox failed"
+ fi
+}
+
+src_configure() {
+ export ac_cv_libsigsegv=no
+ local myeconfargs=(
+ --libexec='$(libdir)/misc'
+ $(use_with mpfr)
+ $(use_enable nls)
+ $(use_with readline)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ rm -rf README_d # automatic dodocs barfs
+ default
+
+ # Install headers
+ insinto /usr/include/awk
+ doins *.h
+ rm "${ED%/}"/usr/include/awk/config.h || die
+}
+
+pkg_postinst() {
+ # symlink creation here as the links do not belong to gawk, but to any awk
+ if has_version app-admin/eselect \
+ && has_version app-eselect/eselect-awk ; then
+ eselect awk update ifunset
+ else
+ local l
+ for l in "${EROOT}"/usr/share/man/man1/gawk.1* "${EROOT}"/usr/bin/gawk; do
+ [[ -e ${l} && ! -e ${l/gawk/awk} ]] && ln -s "${l##*/}" "${l/gawk/awk}"
+ done
+ [[ ! -e ${EROOT}/bin/awk ]] && ln -s "../usr/bin/gawk" "${EROOT}/bin/awk"
+ fi
+}
+
+pkg_postrm() {
+ if has_version app-admin/eselect \
+ && has_version app-eselect/eselect-awk ; then
+ eselect awk update ifunset
+ fi
+}
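Review bot: The comment above the `sed` on `main.c` in `src_prepare` cites a bug-sed list thread (`lists.gnu.org/archive/html/bug-sed/2018-03/msg00001.html`) although the file being patched is gawk's, so the upstream rationale cannot be traced from this ebuild. It looks carried over from the sed package and should point at the corresponding gawk discussion or be dropped. The comment should also say what is being forced, for example `# Initialise do_flags to DO_SANDBOX so every gawk run behaves as if --sandbox was given: no system(), no getline/print/printf redirection, no dynamic extensions.` Because `pkg_postinst` links `awk` to `gawk`, that restriction presumably reaches every script that calls plain `awk`, and as far as I can tell gawk has no option to switch the sandbox back off at run time, so both facts are worth stating for anyone enabling the flag on a locked-down image.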
diff --git a/sys-apps/gawk/metadata.xml b/sys-apps/gawk/metadata.xml
index 3fa1f9889991..58cec04bdcb0 100644
--- a/sys-apps/gawk/metadata.xml
+++ b/sys-apps/gawk/metadata.xml
@@ -6,6 +6,7 @@
<name>Gentoo Base System</name>
</maintainer>
<use>
+ <flag name="forced-sandbox">Always enable --sandbox mode for simpler/secure runtime (disables e/r/w commands)</flag>
<flag name="mpfr">use mpfr for high precision arithmetic (-M / --bignum)</flag>
</use>
</pkgmetadata>
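Review bot: The new flag description says forced-sandbox "disables e/r/w commands", but those are sed commands and have no meaning in awk, so the text appears to be copied from the sed package. gawk's `--sandbox` disables `system()`, input redirection with `getline`, output redirection with `print` and `printf`, and loading of dynamic extensions. Someone deciding whether this flag meets a hardening requirement needs that list, so I would change the text to `Always enable --sandbox mode (disables system(), I/O redirection and dynamic extensions)`.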