From a5b5f5b328fa7f059fbfe8480bd107379bfe8d21 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Mon, 4 Sep 2017 22:59:48 -0700
Subject: selinux-sandbox: add package 2.7 (20170804)

Move policycoreutils/sandbox to sandbox:
* Move and rebase patch:
  - policycoreutils-sandbox-de-bashify.patch
* Cleanup policycoreutils.inc

Signed-off-by: Wenzong Fan
Signed-off-by: Mark Hatle
---
 recipes-security/selinux/policycoreutils.inc | 17 ---------
 .../policycoreutils-sandbox-de-bashify.patch | 39 ---------------------
 recipes-security/selinux/selinux-sandbox.inc | 28 +++++++++++++++
 .../selinux-sandbox/sandbox-de-bashify.patch | 40 ++++++++++++++++++++++
 recipes-security/selinux/selinux-sandbox_2.7.bb | 7 ++++
 5 files changed, 75 insertions(+), 56 deletions(-)
 delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
 create mode 100644 recipes-security/selinux/selinux-sandbox.inc
 create mode 100644 recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
 create mode 100644 recipes-security/selinux/selinux-sandbox_2.7.bb

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index e8f6e5f..9e45e0c 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -9,7 +9,6 @@ LICENSE = "GPLv2+"
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://policycoreutils-fixfiles-de-bashify.patch \
- file://policycoreutils-sandbox-de-bashify.patch \
 "
 PAM_SRC_URI = "file://pam.d/newrole \
@@ -64,15 +63,6 @@ RDEPENDS_${BPN}-python += "\
 libsemanage-python \
 "
 RDEPENDS_${BPN}-runinit += "libselinux"
-RDEPENDS_${BPN}-sandbox += "\
- python-math \
- python-shell \
- python-subprocess \
- python-textutils \
- python-unixadmin \
- libselinux-python \
- ${BPN}-python \
-"
 RDEPENDS_${BPN}-secon += "libselinux"
 RDEPENDS_${BPN}-semanage = "\
 python-core \
@@ -128,7 +118,6 @@ PACKAGES =+ "\
 ${PN}-newrole \
 ${PN}-python \
 ${PN}-runinit \
- ${PN}-sandbox \
 ${PN}-secon \
 ${PN}-semanage \
 ${PN}-semodule \
@@ -171,12 +160,6 @@ FILES_${PN}-runinit += "\
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
 "
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug"
-FILES_${PN}-sandbox += "\
- ${datadir}/sandbox/* \
- ${bindir}/sandbox \
- ${sbindir}/seunshare \
- ${sysconfdir}/sysconfig/sandbox \
-"
 FILES_${PN}-secon += "${bindir}/secon"
 FILES_${PN}-semanage = "\
 ${sbindir}/semanage \
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
deleted file mode 100644
index c078ef6..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Fri, 20 Feb 2015 21:07:47 -0500
-Subject: [PATCH] sandbox: de-bashify
-
-There's no bashisms apparent in either the sandbox initscript nor the
-sandboxX script, so point them at /bin/sh instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe MacDonald
----
- sandbox/sandbox.init | 2 +-
- sandbox/sandboxX.sh | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
-index b3979bf..1893dc8 100644
---- a/sandbox/sandbox.init
-+++ b/sandbox/sandbox.init
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/bin/sh
- ## BEGIN INIT INFO
- # Provides: sandbox
- # Default-Start: 3 4 5
-diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
-index eaa500d..8755d75 100644
---- a/sandbox/sandboxX.sh
-+++ b/sandbox/sandboxX.sh
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/bin/sh
- trap "" TERM
- context=`id -Z | secon -t -l -P`
- export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
---
-1.9.1
-
diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc
new file mode 100644
index 0000000..8616dd7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -0,0 +1,28 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS_${PN} += "\
+ python-math \
+ python-shell \
+ python-subprocess \
+ python-textutils \
+ python-unixadmin \
+ libselinux-python \
+ selinux-python \
+"
+
+FILES_${PN} += "\
+ ${datadir}/sandbox/sandboxX.sh \
+ ${datadir}/sandbox/start \
+"
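Review bot: The new selinux-sandbox.inc ships the sandbox helpers without recording that one of them runs with elevated privilege: upstream's sandbox Makefile installs `seunshare` into ${sbindir} with mode 4755 (setuid root), and nothing in the `DEPENDS` or `FILES_${PN}` lines of this hunk says so, so an integrator adding `selinux-sandbox` to an image gets a setuid-root binary with no hint in the recipe — please confirm against the install rule in the 2.7 tarball. A comment above `FILES_${PN}` such as `# NOTE: upstream installs ${sbindir}/seunshare setuid root; only ship this package on images that need the sandbox` would make that visible at review time. The explicit `${bindir}/sandbox`, `${sbindir}/seunshare` and `${sysconfdir}/sysconfig/sandbox` entries of the removed `FILES_${PN}-sandbox` are presumably now picked up by the default FILES_${PN} globs, but the old `${datadir}/sandbox/*` wildcard has been narrowed to two named files, so anything else upstream places under `${datadir}/sandbox/` will be reported as installed-but-not-shipped; check the package QA output for this recipe.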
diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
new file mode 100644
index 0000000..18cef4b
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -0,0 +1,40 @@
+From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Fri, 20 Feb 2015 21:07:47 -0500
+Subject: [PATCH] sandbox: de-bashify
+
+There's no bashisms apparent in either the sandbox initscript nor the
+sandboxX script, so point them at /bin/sh instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Wenzong Fan
+---
+ sandbox/sandbox.init | 2 +-
+ sandbox/sandboxX.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox.init b/sandbox.init
+index b3979bf..1893dc8 100644
+--- a/sandbox.init
++++ b/sandbox.init
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ ## BEGIN INIT INFO
+ # Provides: sandbox
+ # Default-Start: 3 4 5
+diff --git a/sandboxX.sh b/sandboxX.sh
+index eaa500d..8755d75 100644
+--- a/sandboxX.sh
++++ b/sandboxX.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ trap "" TERM
+ context=`id -Z | secon -t -l -P`
+ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+--
+1.9.1
+
diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb b/recipes-security/selinux/selinux-sandbox_2.7.bb
new file mode 100644
index 0000000..1307ce7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.7.bb
@@ -0,0 +1,7 @@
+include selinux_20170804.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
+SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"
--
cgit v1.2.3-54-g00ecf
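Review bot: The rebased patch's own diffstat still lists `sandbox/sandbox.init` and `sandbox/sandboxX.sh` while the `diff --git` headers below it now read `a/sandbox.init` and `a/sandboxX.sh`, so the stat block no longer describes the hunks it precedes; git ignores the stat when applying, but anyone auditing what changed between the deleted policycoreutils-sandbox-de-bashify.patch and this copy is given a stale summary. Either regenerate the header with `git format-patch` from the selinux-sandbox tree or correct the two lines to ` sandbox.init | 2 +-` and ` sandboxX.sh | 2 +-`. `Upstream-Status: Pending` is carried over from 2015 unchanged; if the shebang change was never submitted, a one-line reason in the description (which POSIX `sh` the target images provide) would help the next person decide whether this patch is still worth carrying.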
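Review bot: Both `include` directives at the top of selinux-sandbox_2.7.bb do not raise a parse error when the named file is missing, so a typo in `selinux_20170804.inc` or a later rename of `${BPN}.inc` would leave this recipe parsing cleanly but, presumably, with no SRC_URI, no de-bashify patch and no LICENSE, and the `SRC_URI[sha256sum]` line below would then pin nothing. `require selinux_20170804.inc` and `require ${BPN}.inc` turn a missing file into a hard failure, which is what you want for the file that carries the tarball checksums. The checksum pair itself is fine; the sha256 line is the one that protects the fetch, the md5sum is only a legacy fetcher hint.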