From e37231db767bd5216eec561adc85d0a724070dd1 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sun, 28 Aug 2022 10:29:32 +0800
Subject: selinux-sandbox: upgrade 3.3 -> 3.4
* Backport a patch to fix chcat runtime error.
* Refresh patch.
Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
 ...ext-handle-unsupported-languages-properly.patch | 49 ++++++++++++++++++++++
 .../selinux-sandbox/sandbox-de-bashify.patch | 6 +--
 recipes-security/selinux/selinux-sandbox_3.3.bb | 30 -------------
 recipes-security/selinux/selinux-sandbox_3.4.bb | 32 ++++++++++++++
 4 files changed, 84 insertions(+), 33 deletions(-)
 create mode 100644 recipes-security/selinux/selinux-sandbox/0001-gettext-handle-unsupported-languages-properly.patch
 delete mode 100644 recipes-security/selinux/selinux-sandbox_3.3.bb
 create mode 100644 recipes-security/selinux/selinux-sandbox_3.4.bb
diff --git a/recipes-security/selinux/selinux-sandbox/0001-gettext-handle-unsupported-languages-properly.patch b/recipes-security/selinux/selinux-sandbox/0001-gettext-handle-unsupported-languages-properly.patch
new file mode 100644
index 0000000..f1d8235
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox/0001-gettext-handle-unsupported-languages-properly.patch
@@ -0,0 +1,49 @@
+From 70602601ac1cfc4399430ef8609b96fc224d1e25 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 24 Jun 2022 16:24:25 +0200
+Subject: [PATCH] gettext: handle unsupported languages properly
+
+With "fallback=True" gettext.translation behaves the same as
+gettext.install and uses NullTranslations in case the
+translation file for given language was not found (as opposed to
+throwing an exception).
+
+Fixes:
+ # LANG is set to any "unsupported" language, e.g. en_US.UTF-8
+ $ chcat --help
+ Traceback (most recent call last):
+ File "/usr/bin/chcat", line 39, in
+ t = gettext.translation(PROGNAME,
+ File "/usr/lib64/python3.9/gettext.py", line 592, in translation
+ raise FileNotFoundError(ENOENT,
+ FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
+
+Signed-off-by: Vit Mojzis
+Reviewed-by: Daniel Burgener
+Acked-by: Petr Lautrbach
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/344463076b2a91e1d2c7f5cc3835dc1a53a05e88]
+
+Signed-off-by: Yi Zhao
+---
+ sandbox | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sandbox b/sandbox
+index cd5709f..789621e 100644
+--- a/sandbox
++++ b/sandbox
+@@ -45,7 +45,8 @@ try:
+ kwargs['unicode'] = True
+ t = gettext.translation(PROGNAME,
+ localedir="/usr/share/locale",
+- **kwargs)
++ **kwargs,
++ fallback=True)
+ _ = t.gettext
+ except:
+ try:
+--
+2.25.1
+
diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index e9622f0..6258b7c 100644
--- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -1,4 +1,4 @@
-From b92c39f0be5552c19923f75aef4487348a08b7dc Mon Sep 17 00:00:00 2001
+From d592d59eb4e7dbf8ce6dc84b3f4c0026fd7cc60c Mon Sep 17 00:00:00 2001
 From: Joe MacDonald
 Date: Fri, 20 Feb 2015 21:07:47 -0500
 Subject: [PATCH] sandbox: de-bashify
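Review bot: The `Fixes:` example in this backported patch header shows a `chcat` traceback, but the only file the patch changes is `sandbox`, where the `gettext.translation(...)` call already sits inside a `try:` followed by a bare `except:` (both visible as context). The header would be clearer with a line such as `[Only the sandbox part of the upstream commit applies to this recipe]`, since the upstream commit presumably touches other tools as well. With `fallback=True` now covering the missing-catalog case, the remaining bare `except:` mainly hides unrelated errors (it also catches KeyboardInterrupt and SystemExit); narrowing it to `except Exception:` would be a follow-up for upstream rather than for this backport. The try block starts and the handler continues outside the hunk.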
@@ -6,7 +6,7 @@ Subject: [PATCH] sandbox: de-bashify There's no bashisms apparent in either the sandbox initscript nor the sandboxX script, so point them at /bin/sh instead. -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Joe MacDonald Signed-off-by: Wenzong Fan @@ -37,5 +37,5 @@ index eaa500d..8755d75 100644 context=`id -Z | secon -t -l -P` export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" -- -2.7.4 +2.25.1 diff --git a/recipes-security/selinux/selinux-sandbox_3.3.bb b/recipes-security/selinux/selinux-sandbox_3.3.bb deleted file mode 100644 index cc9baad..0000000 --- a/recipes-security/selinux/selinux-sandbox_3.3.bb +++ /dev/null @@ -1,30 +0,0 @@ -SUMMARY = "Run cmd under an SELinux sandbox" -DESCRIPTION = "\ -Run application within a tightly confined SELinux domain. The default \ -sandbox domain only allows applications the ability to read and write \ -stdin, stdout and any other file descriptors handed to it." -SECTION = "base" -LICENSE = "GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833" - -require selinux_common.inc - -SRC_URI += "file://sandbox-de-bashify.patch" - -S = "${WORKDIR}/git/sandbox" - -DEPENDS += "libcap-ng libselinux" - -RDEPENDS:${PN} += "\ - python3-core \ - python3-math \ - python3-shell \ - python3-unixadmin \ - libselinux-python \ - selinux-python \ -" - -FILES:${PN} += "\ - ${datadir}/sandbox/sandboxX.sh \ - ${datadir}/sandbox/start \ -" diff --git a/recipes-security/selinux/selinux-sandbox_3.4.bb b/recipes-security/selinux/selinux-sandbox_3.4.bb new file mode 100644 index 0000000..a5a8e13 --- /dev/null +++ b/recipes-security/selinux/selinux-sandbox_3.4.bb 
@@ -0,0 +1,32 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+ file://0001-gettext-handle-unsupported-languages-properly.patch \
+ "
+
+S = "${WORKDIR}/git/sandbox"
+
+DEPENDS = "libselinux libcap-ng gettext-native"
+
+RDEPENDS:${PN} = "\
+ python3-core \
+ python3-math \
+ python3-shell \
+ python3-unixadmin \
+ libselinux-python \
+ selinux-python \
+"
+
+FILES:${PN} += "\
+ ${datadir}/sandbox/sandboxX.sh \
+ ${datadir}/sandbox/start \
+"
--
cgit v1.2.3-54-g00ecf
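Review bot: `DEPENDS = "libselinux libcap-ng gettext-native"` and `RDEPENDS:${PN} = "\` now use `=` where the removed 3.3 recipe used `+=`, and both come after `require selinux_common.inc`, so any value the include assigned to these variables is replaced rather than extended. selinux_common.inc is not part of this patch, so whether it sets either variable cannot be checked here. If the reset is intended, a comment above DEPENDS such as `# Deliberately not inheriting DEPENDS from selinux_common.inc` would record it; otherwise keep the old form and write `DEPENDS += "libcap-ng libselinux gettext-native"`. The commit message mentions only the backport and the patch refresh, not this change or the new `gettext-native` build dependency.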