sys-apps/mawk: add support for -W sandbox mode

admnd · Jan 2, 2018 · 7675026 · 7675026
1 parent b1aaea5
commit 7675026
Show file tree

Hide file tree

Showing 4 changed files with 284 additions and 0 deletions.
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox-default.patch
@@ -0,0 +1,91 @@
+https://github.com/ThomasDickey/original-mawk/issues/49
+
+Note: We hand modify the configure file here because the version of autotools
+used by upstream is very old/finicky, and it's a simple enough change.
+
+From 1ac333b97615c451d7a4743b4724edd46d37a8b2 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <[email protected]>
+Date: Tue, 7 Nov 2017 01:07:47 -0500
+Subject: [PATCH 2/2] add a configure flag to lock sandbox by default
+
+This lets us deploy systems with the sandbox always enabled.
+---
+ configure    | 23 +++++++++++++++++++++++
+ configure.in | 11 +++++++++++
+ init.c       |  4 ++++
+ 3 files changed, 38 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index 8b795fbd264b..770092005386 100644
+--- a/configure.in
++++ b/configure.in
+@@ -112,6 +112,17 @@ fi
+ AC_MSG_RESULT($with_init_srand)
+
+ ###############################################################################
++AC_MSG_CHECKING(if you want mawk to always run in sandbox mode)
++CF_ARG_ENABLE([forced-sandbox],
++[  --enable-forced-sandbox always run in sandbox mode],
++	[with_forced_sandbox=yes],
++	[with_forced_sandbox=no])
++if test "x${with_forced_sandbox}" != xno; then
++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
++fi
++AC_MSG_RESULT($with_forced_sandbox)
++
++###############################################################################
+
+ AC_PROG_YACC
+ CF_PROG_LINT
+diff --git a/init.c b/init.c
+index f7babb337e04..e035d6ea2fc0 100644
+--- a/init.c
++++ b/init.c
+@@ -492,6 +492,10 @@ process_cmdline(int argc, char **argv)
+
+   no_more_opts:
+
++#ifdef FORCED_SANDBOX
++    sandbox_flag = 1;
++#endif
++
+     tail->link = (PFILE *) 0;
+     pfile_list = dummy.link;
+
+diff --git a/configure b/configure
+index a3bf42fe9245..442875b8e58a 100755
+--- a/configure
++++ b/configure
+@@ -4132,6 +4132,29 @@ echo "$as_me:4131: result: $with_init_srand" >&5
+ echo "${ECHO_T}$with_init_srand" >&6
+
+ ###############################################################################
++echo "$as_me:4109: checking if you want mawk to always run in sandbox mode" >&5
++echo $ECHO_N "checking if you want mawk to always run in sandbox mode... $ECHO_C" >&6
++
++if test "${enable_forced_sandbox+set}" = set; then
++  enableval="$enable_forced_sandbox"
++  test "$enableval" != yes && enableval=no
++	if test "$enableval" != "no" ; then
++    with_forced_sandbox=yes
++	else
++		with_forced_sandbox=no
++	fi
++else
++  enableval=no
++	with_forced_sandbox=no
++
++fi;
++if test "x${with_forced_sandbox}" != xno; then
++	CPPFLAGS="$CPPFLAGS -DFORCED_SANDBOX"
++fi
++echo "$as_me:4131: result: $with_forced_sandbox" >&5
++echo "${ECHO_T}$with_forced_sandbox" >&6
++
++###############################################################################
+
+ for ac_prog in 'bison -y' byacc
+ do
+-- 
+2.13.5
+
diff --git a/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch b/sys-apps/mawk/files/mawk-1.3.4-sandbox.patch
@@ -0,0 +1,141 @@
+https://github.com/ThomasDickey/original-mawk/issues/49
+
+From ae3a324a5af1350aa1a6f648e10b9d6656d9fde4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <[email protected]>
+Date: Tue, 7 Nov 2017 00:41:36 -0500
+Subject: [PATCH 1/2] add a -W sandbox mode
+
+This is like gawk's sandbox mode where arbitrary code execution and
+file redirection are locked down.  This way awk can be a more secure
+input/output mode.
+---
+ bi_funct.c | 3 +++
+ init.c     | 8 ++++++++
+ man/mawk.1 | 4 ++++
+ mawk.h     | 2 +-
+ scan.c     | 6 ++++++
+ 5 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/bi_funct.c b/bi_funct.c
+index 7742308c72a5..b524ac8dac8b 100644
+--- a/bi_funct.c
++++ b/bi_funct.c
+@@ -908,6 +908,9 @@ bi_system(CELL *sp GCC_UNUSED)
+ #ifdef HAVE_REAL_PIPES
+     int ret_val;
+
++    if (sandbox_flag)
++	rt_error("'system' function not allowed in sandbox mode");
++
+     TRACE_FUNC("bi_system", sp);
+
+     if (sp->type < C_STRING)
+diff --git a/init.c b/init.c
+index 0ab17b003f20..f7babb337e04 100644
+--- a/init.c
++++ b/init.c
+@@ -40,6 +40,7 @@ typedef enum {
+     W_RANDOM,
+     W_SPRINTF,
+     W_POSIX_SPACE,
++    W_SANDBOX,
+     W_USAGE
+ } W_OPTIONS;
+
+@@ -96,6 +97,7 @@ initialize(int argc, char **argv)
+
+ int dump_code_flag;		/* if on dump internal code */
+ short posix_space_flag;
++short sandbox_flag;
+
+ #ifdef	 DEBUG
+ int dump_RE = 1;		/* if on dump compiled REs  */
+@@ -153,6 +155,7 @@ usage(void)
+ 	"    -W random=number set initial random seed.",
+ 	"    -W sprintf=number adjust size of sprintf buffer.",
+ 	"    -W posix_space   do not consider \"\\n\" a space.",
++	"    -W sandbox       disable system() and I/O redirection.",
+ 	"    -W usage         show this message and exit.",
+     };
+     size_t n;
+@@ -255,6 +258,7 @@ parse_w_opt(char *source, char **next)
+ 	    DATA(RANDOM),
+ 	    DATA(SPRINTF),
+ 	    DATA(POSIX_SPACE),
++	    DATA(SANDBOX),
+ 	    DATA(USAGE)
+     };
+ #undef DATA
+@@ -389,6 +393,10 @@ process_cmdline(int argc, char **argv)
+ 		    posix_space_flag = 1;
+ 		    break;
+
++		case W_SANDBOX:
++		    sandbox_flag = 1;
++		    break;
++
+ 		case W_RANDOM:
+ 		    if (haveValue(optNext)) {
+ 			int x = atoi(optNext + 1);
+diff --git a/man/mawk.1 b/man/mawk.1
+index a3c794167dc9..0915d9d7ed5d 100644
+--- a/man/mawk.1
++++ b/man/mawk.1
+@@ -150,6 +150,10 @@ forces
+ \fB\*n\fP
+ not to consider '\en' to be space.
+ .TP
++\-\fBW \fRsandbox
++runs in a restricted mode where system(), input redirection (e.g. getline),
++output redirection (e.g. print and printf), and pipelines are disabled.
++.TP
+ \-\fBW \fRrandom=\fInum\fR
+ calls \fBsrand\fP with the given parameter
+ (and overrides the auto-seeding behavior).
+diff --git a/mawk.h b/mawk.h
+index 2d04be1adb34..a6ccc0071ecc 100644
+--- a/mawk.h
++++ b/mawk.h
+@@ -63,7 +63,7 @@ extern int dump_RE;
+ #define USE_BINMODE 0
+ #endif
+
+-extern short posix_space_flag, interactive_flag;
++extern short posix_space_flag, interactive_flag, sandbox_flag;
+
+ /*----------------
+  *  GLOBAL VARIABLES
+diff --git a/scan.c b/scan.c
+index 3a8fc9181ab8..c1833b8b7315 100644
+--- a/scan.c
++++ b/scan.c
+@@ -455,6 +455,8 @@ yylex(void)
+ 	    un_next();
+
+ 	if (getline_flag) {
++	    if (sandbox_flag)
++		rt_error("redirection not allowed in sandbox mode");
+ 	    getline_flag = 0;
+ 	    ct_ret(IO_IN);
+ 	} else
+@@ -462,6 +464,8 @@ yylex(void)
+
+     case SC_GT:		/* '>' */
+ 	if (print_flag && paren_cnt == 0) {
++	    if (sandbox_flag)
++		rt_error("redirection not allowed in sandbox mode");
+ 	    print_flag = 0;
+ 	    /* there are 3 types of IO_OUT
+ 	       -- build the error string in string_buff */
+@@ -488,6 +492,8 @@ yylex(void)
+ 	    un_next();
+
+ 	    if (print_flag && paren_cnt == 0) {
++		if (sandbox_flag)
++		    rt_error("pipe execution not allowed in sandbox mode");
+ 		print_flag = 0;
+ 		yylval.ival = PIPE_OUT;
+ 		string_buff[0] = '|';
+-- 
+2.13.5
+
diff --git a/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild b/sys-apps/mawk/mawk-1.3.4_p20171017-r1.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit toolchain-funcs
+
+MY_P=${P/_p/-}
+DESCRIPTION="an (often faster than gawk) awk-interpreter"
+HOMEPAGE="https://invisible-island.net/mawk/mawk.html"
+SRC_URI="ftp://ftp.invisible-island.net/mawk/${MY_P}.tgz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="forced-sandbox"
+
+RDEPEND="app-eselect/eselect-awk"
+DEPEND="${RDEPEND}"
+
+S=${WORKDIR}/${MY_P}
+
+DOCS=( ACKNOWLEDGMENT CHANGES README )
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.3.4-sandbox.patch
+	"${FILESDIR}"/${PN}-1.3.4-sandbox-default.patch
+)
+
+src_configure() {
+	tc-export BUILD_CC
+	econf $(use_enable forced-sandbox)
+}
+
+src_install() {
+	default
+
+	exeinto /usr/share/doc/${PF}/examples
+	doexe examples/*
+	docompress -x /usr/share/doc/${PF}/examples
+}
+
+pkg_postinst() {
+	eselect awk update ifunset
+}
+
+pkg_postrm() {
+	eselect awk update ifunset
+}
diff --git a/sys-apps/mawk/metadata.xml b/sys-apps/mawk/metadata.xml
@@ -5,4 +5,7 @@
 	<email>[email protected]</email>
 	<name>Gentoo Base System</name>
 </maintainer>
+<use>
+	<flag name="forced-sandbox">Always enable -W sandbox mode for simpler/secure runtime</flag>
+</use>
 </pkgmetadata>