From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1756874210.f9ca6eb3abcf9298a6330ffb8c7552fa2511772d.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/firejail/, sys-apps/firejail/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-apps/firejail/Manifest sys-apps/firejail/files/firejail-0.9.76-hashcat-profile.patch sys-apps/firejail/firejail-0.9.76.ebuild X-VCS-Directories: sys-apps/firejail/ sys-apps/firejail/files/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: f9ca6eb3abcf9298a6330ffb8c7552fa2511772d X-VCS-Branch: master Date: Wed, 03 Sep 2025 04:37:27 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 054c3473-029e-4732-9ac0-cf285f603e2e X-Archives-Hash: caeba95193a219491c2b26bb882dd461 commit: f9ca6eb3abcf9298a6330ffb8c7552fa2511772d Author: Hank Leininger korelogic com> AuthorDate: Wed Sep 3 03:13:22 2025 +0000 Commit: Sam James gentoo org> CommitDate: Wed Sep 3 04:36:50 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9ca6eb3 sys-apps/firejail: add 0.9.76 Signed-off-by: Hank Leininger korelogic.com> Closes: https://bugs.gentoo.org/960936 Closes: https://bugs.gentoo.org/962286 Bug: https://bugs.gentoo.org/961468 Part-of: https://github.com/gentoo/gentoo/pull/43651 Closes: https://github.com/gentoo/gentoo/pull/43651 Signed-off-by: Sam James gentoo.org> sys-apps/firejail/Manifest | 1 + .../files/firejail-0.9.76-hashcat-profile.patch | 30 +++++ sys-apps/firejail/firejail-0.9.76.ebuild | 138 +++++++++++++++++++++ 3 files changed, 169 insertions(+) diff --git a/sys-apps/firejail/Manifest b/sys-apps/firejail/Manifest index 7fcd9e9db685..6d5fbf824176 100644 
--- a/sys-apps/firejail/Manifest +++ b/sys-apps/firejail/Manifest @@ -1,2 +1,3 @@ DIST firejail-0.9.72.tar.xz 503192 BLAKE2B 3d57b345476cb62399859622c88f5d6c22842da5894045c09bc7d84229ec2a01c494e4e9393b6fba6c668f73c6b7046f9a014a315baa5bc56d1479b9cad178a7 SHA512 846fa5caf6e68c669f76a07d6321ed365bf3c45f7992e8be3784ed99ef508ea8dffc5d6cc5da75eeb37964ad358d61b7959e8590051950951de8ca904d8a49de DIST firejail-0.9.74.tar.xz 527640 BLAKE2B c71c4b9c6e4cc66ccd0884d98599709f59353f0d270ce7c7e056815a9025ae6b558e210a70a2f8fd4f1c0c5cad72cc3c372bb2af8ffef673c0f5cb3819375191 SHA512 abc79c7d76d6da2c93e9cc5b4529f2950a0de8f292bede5b0e38179551c8ec65adf8d61326c7dbbad0d488234211df2266ce6d59eea06b792c0b7e163d83e69f +DIST firejail-0.9.76.tar.xz 526972 BLAKE2B 17fe271ea96b869651d6981419cf9d6f532d47d68791c621aaf461754386870734f3b7b6fc6cddba2ff12797f36eacdc8cbb6199a7568eb7b3056975d224e276 SHA512 c923bd1ee7d0d9f2bad9e172a785c170fa670c1f7043c234a4632ae1d8f0c51da93b959f43d1562a4eed4634ba12b88b83c9cda1e82a071ccf7ea50bef155783 diff --git a/sys-apps/firejail/files/firejail-0.9.76-hashcat-profile.patch b/sys-apps/firejail/files/firejail-0.9.76-hashcat-profile.patch new file mode 100644 index 000000000000..7c25d8fc8bb5 --- /dev/null +++ b/sys-apps/firejail/files/firejail-0.9.76-hashcat-profile.patch 
@@ -0,0 +1,30 @@ +https://github.com/netblue30/firejail/pull/6888/commits/03eac22c108fbafd7dc9b94e2889cfb74bea8874 +From: Hank Leininger +Date: Tue, 2 Sep 2025 20:44:16 -0600 +Subject: [PATCH] profiles: hashcat: fix runtime errors (#6364) + +private-bin messes with hashcat's ability to find its installed +files under /usr/share/hashcat/. + +novideo makes hashcat unable to access /dev/nvidia* (on some distros?) + +Signed-off-by: Hank Leininger +--- a/etc/profile-a-l/hashcat.profile ++++ b/etc/profile-a-l/hashcat.profile +@@ -32,13 +32,11 @@ noroot + nosound + notv + nou2f +-novideo + protocol unix + seccomp + x11 none + + disable-mnt +-private-bin hashcat + private-cache + private-dev + private-tmp +-- +2.50.1 + diff --git a/sys-apps/firejail/firejail-0.9.76.ebuild b/sys-apps/firejail/firejail-0.9.76.ebuild new file mode 100644 index 000000000000..e076cef962bd --- /dev/null +++ b/sys-apps/firejail/firejail-0.9.76.ebuild 
@@ -0,0 +1,138 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{11..13} ) + +inherit flag-o-matic toolchain-funcs python-single-r1 linux-info + +DESCRIPTION="Security sandbox for any type of processes" +HOMEPAGE="https://firejail.wordpress.com/" + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/netblue30/firejail.git" + EGIT_BRANCH="master" + inherit git-r3 +else + SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz" + KEYWORDS="~amd64 ~arm ~arm64 ~x86" +fi + +LICENSE="GPL-2" +SLOT="0" +IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home selinux test +userns X" +REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )" +# Needs a lot of work to function within sandbox/portage. Can look at the alternative +# test targets in Makefile too, bug #769731 +RESTRICT="test" + +RDEPEND=" + !sys-apps/firejail-lts + apparmor? ( sys-libs/libapparmor ) + contrib? ( ${PYTHON_DEPS} ) + dbusproxy? ( sys-apps/xdg-dbus-proxy ) + selinux? ( sys-libs/libselinux ) +" +DEPEND=" + ${RDEPEND} + sys-libs/libseccomp + test? ( dev-tcltk/expect ) +" + +PATCHES=( + "${FILESDIR}/${PN}-0.9.70-envlimits.patch" + "${FILESDIR}/${PN}-0.9.74-firecfg.config.patch" + "${FILESDIR}/${PN}-0.9.74-manpage-nocompress.patch" + "${FILESDIR}/${PN}-0.9.76-hashcat-profile.patch" +) + +pkg_setup() { + CONFIG_CHECK="~SQUASHFS" + local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode" + check_extra_config + + use contrib && python-single-r1_pkg_setup +} + +src_prepare() { + default + + # Our toolchain already sets SSP by default but forcing it causes problems + # on arches which don't support it. As for F_S, we again set it by defualt + # in our toolchain, but forcing F_S=2 is actually a downgrade if 3 is set. 
+ sed -i \ + -e 's:-fstack-protector-all::' \ + -e 's:-D_FORTIFY_SOURCE=2::' \ + src/so.mk src/prog.mk || die + + find -type f -name Makefile -exec sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' {} + || die + + # Fix up hardcoded paths to templates and docs + local files=$(grep -E -l -r '/usr/share/doc/firejail([^-]|$)' ./RELNOTES ./src/man/ ./etc/profile*/ ./test/ || die) + for file in ${files[@]} ; do + sed -i -r -e "s:/usr/share/doc/firejail([^-]|\$):/usr/share/doc/${PF}\1:" "${file}" || die + done + + if use contrib; then + python_fix_shebang -f contrib/*.py + fi +} + +src_configure() { + # bug #937374 + use elibc_musl && append-cppflags -D_LARGEFILE64_SOURCE + + local myeconfargs=( + --disable-fatal-warnings + --enable-suid + $(use_enable apparmor) + $(use_enable chroot) + $(use_enable dbusproxy) + $(use_enable file-transfer) + $(use_enable globalcfg) + $(use_enable network) + $(use_enable private-home) + $(use_enable selinux) + $(use_enable userns) + $(use_enable X x11) + ) + + econf "${myeconfargs[@]}" + + cat > 99firejail <<-EOF || die + SANDBOX_WRITE="/run/firejail" + EOF +} + +src_compile() { + emake CC="$(tc-getCC)" +} + +src_test() { + emake test-utils test-sysutils +} + +src_install() { + default + + # Gentoo-specific profile customizations + insinto /etc/${PN} + local profile_local + for profile_local in "${FILESDIR}"/profile_*local ; do + newins "${profile_local}" "${profile_local/\/*profile_/}" + done + + # Prevent sandbox violations when toolchain is firejailed + insinto /etc/sandbox.d + doins 99firejail + + rm "${ED}"/usr/share/doc/${PF}/COPYING || die + + if use contrib; then + python_scriptinto /usr/$(get_libdir)/firejail + python_doscript contrib/*.py + insinto /usr/$(get_libdir)/firejail + dobin contrib/*.sh + fi +}
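Review bot: the hashcat profile hunk removes two hardening directives, `novideo` and `private-bin hashcat`, for every Gentoo user, while its own description only justifies `novideo` with "on some distros?" and explains the `private-bin` removal by hashcat needing /usr/share/hashcat/. Dropping `private-bin` gives the sandboxed process the full system binary set instead of the single `hashcat` binary, and dropping `novideo` re-exposes the devices that directive hides, so the patch header or the linked bug should state which of the two removals was actually required to fix the reported runtime errors on Gentoo and why a narrower change (keeping `novideo`, or extending `private-bin` with the missing paths) was not taken. The upstream PR/commit URL on the first line is the right convention; adding a one-line note on whether that PR was merged would make it obvious when this patch can be dropped.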
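Review bot: in `src_install`, the `insinto /usr/$(get_libdir)/firejail` line immediately before `dobin contrib/*.sh` has no effect, because `insinto` only sets the destination for `doins`/`newins` while `dobin` always installs into /usr/bin; either drop that `insinto` line, or, if the shell helpers are meant to sit beside the Python scripts under /usr/$(get_libdir)/firejail, replace the pair with `exeinto /usr/$(get_libdir)/firejail` followed by `doexe contrib/*.sh`. Two smaller points in the same hunk: the `src_prepare` comment reads "set it by defualt" (typo for "default"), and with an unconditional `RESTRICT="test"` the `test` USE flag, the `test? ( dev-tcltk/expect )` dependency and `src_test` are never reached, so they are dead code until bug #769731 is resolved; a comment saying so, or removing them until the tests run under portage, would make that explicit.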