sys-apps/sandbox/files/sandbox-2.6-open-nofollow.patch

From 45fa8714a1d35e6555083d88a71851ada2aacac4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Mon, 24 Dec 2012 18:46:29 -0500
Subject: [PATCH] libsandbox: handle open(O_NOFOLLOW)

We don't check for O_NOFOLLOW in the open wrappers, so we end up
returning the wrong error when operating on broken symlinks.

URL: https://bugs.gentoo.org/413441
Reported-by: Marien Zwart <marienz@gentoo.org>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
 libsandbox/wrapper-funcs/__64_post.h        |  1 +
 libsandbox/wrapper-funcs/__64_pre.h         |  1 +
 libsandbox/wrapper-funcs/openat_pre_check.c |  2 +-
 tests/open-2.sh                             | 10 ++++++++++
 tests/open.at                               |  1 +
 5 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100755 tests/open-2.sh

diff --git a/libsandbox/wrapper-funcs/__64_post.h b/libsandbox/wrapper-funcs/__64_post.h
index 2fd2182..82d2a16 100644
--- a/libsandbox/wrapper-funcs/__64_post.h
+++ b/libsandbox/wrapper-funcs/__64_post.h
@@ -1,3 +1,4 @@
 #undef SB64
 #undef stat
+#undef lstat
 #undef off_t
diff --git a/libsandbox/wrapper-funcs/__64_pre.h b/libsandbox/wrapper-funcs/__64_pre.h
index 2132110..0b34b25 100644
--- a/libsandbox/wrapper-funcs/__64_pre.h
+++ b/libsandbox/wrapper-funcs/__64_pre.h
@@ -1,3 +1,4 @@
 #define SB64
 #define stat stat64
+#define lstat lstat64
 #define off_t off64_t
diff --git a/libsandbox/wrapper-funcs/openat_pre_check.c b/libsandbox/wrapper-funcs/openat_pre_check.c
index c827ee6..0127708 100644
--- a/libsandbox/wrapper-funcs/openat_pre_check.c
+++ b/libsandbox/wrapper-funcs/openat_pre_check.c
@@ -29,7 +29,7 @@ bool sb_openat_pre_check(const char *func, const char *pathname, int dirfd, int
 
 	/* Doesn't exist -> skip permission checks */
 	struct stat st;
-	if (-1 == stat(pathname, &st)) {
+	if (((flags & O_NOFOLLOW) ? lstat(pathname, &st) : stat(pathname, &st)) == -1) {
 		sb_debug_dyn("EARLY FAIL: %s(%s): %s\n",
 			func, pathname, strerror(errno));
 		return false;
-- 
1.8.1.2