commit: 7f01cbdf444491306d2b8557973f16b48d93ff69 Author: Amadeusz Żołnowski <aidecoe <AT> gentoo <DOT> org> AuthorDate: Sat Jun 4 18:14:12 2016 +0000 Commit: Amadeusz Piotr Żołnowski <aidecoe <AT> gentoo <DOT> org> CommitDate: Sat Jun 4 18:14:26 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f01cbdf
sys-apps/firejail: Allow compile time configuration Networking features and most Linux kernel security features require root privileges during configuration. Firejail (as a SUID binary) opens the access to these features therefore it may be desired to turn off some of the features on compile time. Bump EAPI to 6. Depend on x11-wm/xpra for X11 sandboxing feature. Package-Manager: portage-2.3.0_rc1
sys-apps/firejail/firejail-0.9.40-r1.ebuild | 42 +++++++++++++++++++++++++++++
sys-apps/firejail/metadata.xml | 14 ++++++++++
2 files changed, 56 insertions(+)
diff --git a/sys-apps/firejail/firejail-0.9.40-r1.ebuild b/sys-apps/firejail/firejail-0.9.40-r1.ebuild
new file mode 100644
index 0000000..778ced4
--- /dev/null
+++ b/sys-apps/firejail/firejail-0.9.40-r1.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils
+
+DESCRIPTION="Security sandbox for any type of processes"
+HOMEPAGE="https://firejail.wordpress.com/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+bind +chroot +file-transfer +network network-restricted +seccomp
+ +userns x11"
+
+RDEPEND="x11? ( x11-wm/xpra )"
+
+PATCHES=( "${FILESDIR}"/${P}-sysmacros.patch )
+
+src_prepare() {
+ default
+ find -name Makefile.in -exec sed -i -r \
+ -e '/CFLAGS/s: (-O2|-ggdb) : :g' \
+ -e '1iCC=@CC@' {} + || die
+}
+
+src_configure() {
+ local myeconfargs=(
+ $(use_enable bind)
+ $(use_enable chroot)
+ $(use_enable file-transfer)
+ $(use_enable network)
+ $(use_enable seccomp)
+ $(use_enable userns)
+ $(use_enable x11)
+ )
+ use network-restricted && myeconfargs+=( --enable-network=restricted )
+ econf "${myeconfargs[@]}"
+}
diff --git a/sys-apps/firejail/metadata.xml b/sys-apps/firejail/metadata.xml
index 0b1ef01..004a53cb 100644
--- a/sys-apps/firejail/metadata.xml
+++ b/sys-apps/firejail/metadata.xml
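Review bot: The new `network-restricted` flag declares no dependency on `network`, so in src_configure a build with `USE="-network network-restricted"` passes both `--disable-network` and `--enable-network=restricted` to configure, and which one takes effect is left to whatever upstream's configure script does with the later option; because this flag decides which users of a SUID binary may reach the privileged network options, that ambiguity should not be resolved silently at build time. Add `REQUIRED_USE="network-restricted? ( network )"` next to `RDEPEND` so portage rejects the conflicting combination up front instead of producing a binary whose network policy differs from what the user selected. Separately, `inherit eutils` appears unused: with EAPI=6 the `PATCHES` array is applied by the default `src_prepare`, and nothing else visible in the ebuild calls an eutils function, so it can probably be dropped.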
@@ -16,4 +16,18 @@
 <upstream>
 <remote-id type="sourceforge">firejail</remote-id>
 </upstream>
+ <use>
+ <flag name="bind">Enable custom bind mounts</flag>
+ <flag name="chroot">Enable chrooting to custom directory</flag>
+ <flag name="file-transfer">Enable file transfers between sandboxes and
+ the host system</flag>
+ <flag name="network">Enable networking features</flag>
+ <flag name="network-restricted">Grant access to --interface,
+ --net=ethXXX and --netfilter only to root user; regular users are
+ only allowed --net=none</flag>
+ <flag name="seccomp">Enable system call filtering</flag>
+ <flag name="userns">Enable attaching a new user namespace to a
+ sandbox (--noroot option)</flag>
+ <flag name="x11">Enable X11 sandboxing</flag>
+ </use>
 </pkgmetadata>