diff options
author | Lars Wendler <polynomial-c@gentoo.org> | 2018-02-08 12:56:06 +0100 |
---|---|---|
committer | Lars Wendler <polynomial-c@gentoo.org> | 2018-02-08 12:56:55 +0100 |
commit | 8607cad379185ee6b427dc78dcf7c5fcd90de541 (patch) | |
tree | 057dac492556745fbf8852abf0f9598144a76647 /sys-apps/man-db | |
parent | app-shells/rrs: [QA] apply PATCHES (diff) | |
download | gentoo-8607cad379185ee6b427dc78dcf7c5fcd90de541.tar.gz gentoo-8607cad379185ee6b427dc78dcf7c5fcd90de541.tar.bz2 gentoo-8607cad379185ee6b427dc78dcf7c5fcd90de541.zip |
sys-apps/man-db: Revump to drop seccomp again. It segfaults.
Might re-add seccomp once 2.8.1 has been released.
Package-Manager: Portage-2.3.24, Repoman-2.3.6
Diffstat (limited to 'sys-apps/man-db')
-rw-r--r-- | sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch | 120 | ||||
-rw-r--r-- | sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 | ||||
-rw-r--r-- | sys-apps/man-db/man-db-2.8.0-r2.ebuild (renamed from sys-apps/man-db/man-db-2.8.0-r1.ebuild) | 7 |
3 files changed, 2 insertions, 251 deletions
diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch deleted file mode 100644 index 87db57afb9eb..000000000000 --- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@debian.org> -Date: Wed, 7 Feb 2018 12:23:15 +0000 -Subject: Refactor do_system_drop_privs - -Now that we have pipecmd_pre_exec, this can be simplified quite a bit. - -* lib/security.c (drop_privs): New function. -(do_system_drop_privs_child, do_system_drop_privs): Remove. -* lib/security.h (drop_privs): Add prototype. -(do_system_drop_privs): Remove prototype. -* src/man.c (make_browser): Add drop_privs pre-exec hook to browser -command. -(format_display): Call browser using pipeline_run rather than -do_system_drop_privs, since it now has a pre-exec hook to drop -privileges. ---- - lib/security.c | 37 +++---------------------------------- - lib/security.h | 2 +- - src/man.c | 7 +++++-- - 3 files changed, 9 insertions(+), 37 deletions(-) - -diff --git a/lib/security.c b/lib/security.c -index 6e84de8..c9b365d 100644 ---- a/lib/security.c -+++ b/lib/security.c -@@ -158,42 +158,11 @@ void regain_effective_privs (void) - #endif /* MAN_OWNER */ - } - --#ifdef MAN_OWNER --void do_system_drop_privs_child (void *data) -+/* Pipeline command pre-exec hook to permanently drop privileges. */ -+void drop_privs (void *data ATTRIBUTE_UNUSED) - { -- pipeline *p = data; -- -+#ifdef MAN_OWNER - if (idpriv_drop ()) - gripe_set_euid (); -- exit (pipeline_run (p)); --} --#endif /* MAN_OWNER */ -- --/* The safest way to execute a pipeline with no effective privileges is to -- * fork, permanently drop privileges in the child, run the pipeline from the -- * child, and wait for it to die. -- * -- * It is possible to use saved IDs to avoid the fork, since effective IDs -- * are copied to saved IDs on execve; we used to do this. However, forking -- * is not expensive enough to justify the extra code. -- * -- * Note that this frees the supplied pipeline. -- */ --int do_system_drop_privs (pipeline *p) --{ --#ifdef MAN_OWNER -- pipecmd *child_cmd; -- pipeline *child; -- int status; -- -- child_cmd = pipecmd_new_function ("unprivileged child", -- do_system_drop_privs_child, NULL, p); -- child = pipeline_new_commands (child_cmd, NULL); -- status = pipeline_run (child); -- -- pipeline_free (p); -- return status; --#else /* !MAN_OWNER */ -- return pipeline_run (p); - #endif /* MAN_OWNER */ - } -diff --git a/lib/security.h b/lib/security.h -index 7545502..851127d 100644 ---- a/lib/security.h -+++ b/lib/security.h -@@ -27,7 +27,7 @@ - /* security.c */ - extern void drop_effective_privs (void); - extern void regain_effective_privs (void); --extern int do_system_drop_privs (struct pipeline *p); -+extern void drop_privs (void *data); - extern void init_security (void); - extern int running_setuid (void); - extern struct passwd *get_man_owner (void); -diff --git a/src/man.c b/src/man.c -index 959d6cc..ff7ebc7 100644 ---- a/src/man.c -+++ b/src/man.c -@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file, - static pipeline *make_browser (const char *pattern, const char *file) - { - pipeline *p; -+ pipecmd *cmd; - char *browser = xmalloc (1); - int found_percent_s = 0; - char *percent; -@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file) - free (esc_file); - } - -- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL); -+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL); -+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL); -+ p = pipeline_new_commands (cmd, NULL); - pipeline_ignore_signals (p, 1); - free (browser); - -@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp, - pipeline *browser; - debug ("Trying browser: %s\n", candidate); - browser = make_browser (candidate, htmlfile); -- disp_status = do_system_drop_privs (browser); -+ disp_status = pipeline_run (browser); - if (!disp_status) - break; - } --- -cgit v1.0-41-gc330 - diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch deleted file mode 100644 index f513ee8cca67..000000000000 --- a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001 -From: Colin Watson <cjwatson@debian.org> -Date: Wed, 7 Feb 2018 13:44:30 +0000 -Subject: [PATCH] Fix manconv under seccomp when man is setuid - -We must drop privileges before loading the sandbox. - -Reported by Lars Wendler. - -* src/manconv_client.c (manconv_pre_exec): New function. -(manconv_stdin): Move setuid hack to ... -(add_manconv): ... here, now implemented using a custom pre-exec hook. -We no longer have a fall-through if dropping privileges fails, since -that's now harder to do and wasn't really necessary in the first place. ---- - src/manconv_client.c | 80 +++++++++++++++++++++++++++++----------------------- - 1 file changed, 45 insertions(+), 35 deletions(-) - -diff --git a/src/manconv_client.c b/src/manconv_client.c -index d6e010b0..41ce4790 100644 ---- a/src/manconv_client.c -+++ b/src/manconv_client.c -@@ -56,41 +56,6 @@ static void manconv_stdin (void *data) - struct manconv_codes *codes = data; - pipeline *p; - --#ifdef MAN_OWNER -- /* iconv_open may not work correctly in setuid processes; in GNU -- * libc, gconv modules may be linked against other gconv modules and -- * rely on RPATH $ORIGIN to load those modules from the correct -- * path, but $ORIGIN is disabled in setuid processes. It is -- * impossible to reset libc's idea of setuidness without creating a -- * whole new process image. Therefore, if the calling process is -- * setuid, we must drop privileges and execute manconv. -- * -- * If dropping privileges fails, fall through to the in-process -- * code, as in some situations it may actually manage to work. -- */ -- if (running_setuid () && !idpriv_drop ()) { -- char **from_code; -- char *sources = NULL; -- pipecmd *cmd; -- -- for (from_code = codes->from; *from_code; ++from_code) { -- sources = appendstr (sources, *from_code, NULL); -- if (*(from_code + 1)) -- sources = appendstr (sources, ":", NULL); -- } -- -- cmd = pipecmd_new_args (MANCONV, "-f", sources, -- "-t", codes->to, NULL); -- free (sources); -- -- if (quiet >= 2) -- pipecmd_arg (cmd, "-q"); -- -- pipecmd_exec (cmd); -- /* never returns */ -- } --#endif /* MAN_OWNER */ -- - p = decompress_fdopen (dup (STDIN_FILENO)); - pipeline_start (p); - manconv (p, codes->from, codes->to); -@@ -98,6 +63,17 @@ static void manconv_stdin (void *data) - pipeline_free (p); - } - -+#ifdef MAN_OWNER -+static void manconv_pre_exec (void *data) -+{ -+ /* We must drop privileges before loading the sandbox, since our -+ * seccomp filter doesn't allow setresuid and friends. -+ */ -+ drop_privs (NULL); -+ sandbox_load (data); -+} -+#endif /* MAN_OWNER */ -+ - static void free_manconv_codes (void *data) - { - struct manconv_codes *codes = data; -@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target) - name = appendstr (name, " -t ", codes->to, NULL); - if (quiet >= 2) - name = appendstr (name, " -q", NULL); -+ -+#ifdef MAN_OWNER -+ /* iconv_open may not work correctly in setuid processes; in GNU -+ * libc, gconv modules may be linked against other gconv modules and -+ * rely on RPATH $ORIGIN to load those modules from the correct -+ * path, but $ORIGIN is disabled in setuid processes. It is -+ * impossible to reset libc's idea of setuidness without creating a -+ * whole new process image. Therefore, if the calling process is -+ * setuid, we must drop privileges and execute manconv. -+ */ -+ if (running_setuid ()) { -+ char **from_code; -+ char *sources = NULL; -+ -+ cmd = pipecmd_new_args (MANCONV, "-f", NULL); -+ for (from_code = codes->from; *from_code; ++from_code) { -+ sources = appendstr (sources, *from_code, NULL); -+ if (*(from_code + 1)) -+ sources = appendstr (sources, ":", NULL); -+ } -+ pipecmd_arg (cmd, sources); -+ free (sources); -+ pipecmd_args (cmd, "-t", codes->to, NULL); -+ if (quiet >= 2) -+ pipecmd_arg (cmd, "-q"); -+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free, -+ sandbox); -+ free (name); -+ free_manconv_codes (codes); -+ pipeline_command (p, cmd); -+ return; -+ } -+#endif /* MAN_OWNER */ -+ - cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes, - codes); - free (name); --- -2.16.1 - diff --git a/sys-apps/man-db/man-db-2.8.0-r1.ebuild b/sys-apps/man-db/man-db-2.8.0-r2.ebuild index 1ff3ca11d5c7..cb7cf8d1c4e8 100644 --- a/sys-apps/man-db/man-db-2.8.0-r1.ebuild +++ b/sys-apps/man-db/man-db-2.8.0-r2.ebuild @@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz" LICENSE="GPL-3" SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux" -IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib" +IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib" CDEPEND=" !sys-apps/man @@ -21,7 +21,6 @@ CDEPEND=" berkdb? ( sys-libs/db:= ) gdbm? ( sys-libs/gdbm:= ) !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) ) - seccomp? ( sys-libs/libseccomp ) zlib? ( sys-libs/zlib ) " DEPEND=" @@ -40,8 +39,6 @@ RDEPEND=" PDEPEND="manpager? ( app-text/manpager )" PATCHES=( - "${FILESDIR}/${P}-refactor_drop_privs.patch" - "${FILESDIR}/${P}-seccomp_suid.patch" "${FILESDIR}/${P}-libseccomp_automagic.patch" ) @@ -65,7 +62,7 @@ src_configure() { --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" $(use_enable nls) $(use_enable static-libs static) - $(use_with seccomp libseccomp) + --without-libseccomp --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm)) ) econf "${myeconfargs[@]}" |