Provide generic sandbox status functions

The function alpm_option_set_disable_sandbox() was removed in favour of
the vairants that can enable/disable specific parts of the sandbox. This
removal was undocumented in the release notes, and the continued
inclusion of the more generic sandbox control functions is still useful.

Readd alpm_option_set_disable_sandbox() which now is a shortcut for
doing the combined alpm_option_set_disable_sandbox-{filesystem,syscalls}.
The alpm_option_get_disable_sandbox() function was readded, but adjusted
to return 0 if the sandbox is fully enabled, 1 if any component of the
sandbox is disabled, and 2 if all components are disabled.

Give the libalpm soname a minor level bump to indicated these interfaces
have been added since release, as this commit will be backorted to the
release branch.

Signed-off-by: Allan McRae <allan@archlinux.org>

NEWS

@@ -1,7 +1,7 @@
 VERSION         DESCRIPTION
 -----------------------------------------------------------------------------
 7.1.0         - Set default SigLevel for databases and packages to Required
-              - Various improvements to the downloader sandbox
+              - Various improvements to the downloader sandbox:
                 - Restrict syscalls
                 - Use NO_NEW_PRIVS flag
                 - Provide fine-grained control of sandboxing with options in
@@ -780,7 +780,7 @@ VERSION         DESCRIPTION
                 - add zsh completion
 4.0.3         - frontend database cleanup enhancements (FS#28714)
               - frontend package cleanup enhancements (FS#25166)
-              - back out changes related to SyncFirst in 4.0.0
+              - back out changes related to SyncFirst in 4.0.0:
                 - remove recursive/needed automatic flags on SyncFirst
                 - remove poorly implemented `-S --recursive` option
               - improve error messages on database locking failures
@@ -859,7 +859,7 @@ VERSION         DESCRIPTION
               - fix selection entry for long values (FS#25253)
               - make config parsing two-pass process, enhance error messages
               - print helpful tips on -Qi <filename> or -S <filename>
-              - replace libfetch with libcurl for backend download library
+              - replace libfetch with libcurl for backend download library:
                 - timeout when mirror is not responding (FS#15369)
                 - full HTTPS protocol support (FS#22435)
                 - support of non-traditional/redirected URLs (FS#22645)
@@ -965,24 +965,24 @@ VERSION         DESCRIPTION
               - build system: ensure libtool respects LDFLAGS (FS#23325)
 3.5.0         - sync DBs read directly from the database tarball
                 (FS#8586, FS#20233)
-              - local DB "depends" file has been merged into the "desc" file
+              - local DB "depends" file has been merged into the "desc" file:
                 - pacman-db-upgrade script provided to update the local
                   database format
-              - sync database extension is .db (without compression suffix)
+              - sync database extension is .db (without compression suffix):
                 - requires repo-add from pacman-3.4+
               - package versions can have an 'epoch' value defined that will
-                overrule any version comparison
+                overrule any version comparison:
                 - this replaces the use of the "force" option in allowing for
                   package updates with versions that do not conform to the
                   default version comparison operations
                 - package versions have the format [epoch:]pkgver-pkgrel
-              - check available disk space before installing packages (FS#11639)
+              - check available disk space before installing packages (FS#11639):
                 - enabled by the "CheckSpace" option in pacman.conf
                 - attempt to stop install if we hit an extraction issue
                   (FS#7692, FS#22034)
               - improved interactive selection for groups/provides
                 (FS#19704, FS#19853)
-              - finer grained control of ignoring dependency resolution
+              - finer grained control of ignoring dependency resolution:
                 - -Sd to ignore dependency versions only
                 - -Sdd to ignore all dependency information
               - clean-up of --help output (FS#19526)
@@ -994,7 +994,7 @@ VERSION         DESCRIPTION
               - use OpenSSL crypto functions if available
               - makepkg:
                 - add support for running testsuites in a check() function
-                  (FS#15145)
+                  (FS#15145):
                   - controlled by BUILDENV option 'check' in makepkg.conf
                     which may be overridden by --check/--nocheck on the
                     command-line
@@ -1099,7 +1099,7 @@ VERSION         DESCRIPTION
                 - add --skipinteg option (FS#15830)
                 - fix .PKGINFO creation with -R option (FS#15851)
                 - always keep symlinks to sources when unpacking
-3.3.0         - xdelta: many fixes and improvements
+3.3.0         - xdelta: many fixes and improvements:
                 - new pkgdelta script to create deltas
                 - repo-add can add both deltas and packages to a database
               - xz archive format supported for packages and databases
@@ -1135,7 +1135,7 @@ VERSION         DESCRIPTION
                 - check PKGBUILD for CRLF line endings
                 - fix reading PKGBUILD from pipe
                 - increase compatibility with BSDs & Mac OSX
-              - contrib
+              - contrib:
                 - pacdiff - improvements and new -l flag for using locate
                 - pacscripts - print install scripts for a package
 3.2.2         - log pacsave warnings to pacman.log (FS#12531)
@@ -1323,7 +1323,7 @@ VERSION         DESCRIPTION
               - allow multiple pacman cache directories
               - all manpages are now generated using Asciidoc (FS#7312)
               - moved parseconfig from backend library to frontend
-              - clean up and refactoring of the ENTIRE codebase
+              - clean up and refactoring of the ENTIRE codebase:
                 - remove many useless #ifdefs
                 - split many too-long functions
                 - portability updates: compiles and passes tests on BSD and
@@ -1516,7 +1516,7 @@ VERSION         DESCRIPTION
               - Added checks for additional hyphens in package versions
               - mktemp was failing if %pmo_root%/tmp was missing -- fixed
 2.8.4         - Added updatesync script from Jason Chu
-              - Changed the pacman binary to be dynamically linked
+              - Changed the pacman binary to be dynamically linked:
                 - Included a pacman.static binary as well
                 - Added fakeroot checks when seeing if we're root
               - Fixed makepkg to use 'tail -n 1' instead of 'tail -1'
@@ -1577,10 +1577,10 @@ VERSION         DESCRIPTION
               - cleaned up the download progress bar a bit
               - added %o parameter to XferCommand so wget can resume properly
               - fixed a segfault in downloadfiles() (FS#787)
-              - patches from Oliver Burnett-Hall
+              - patches from Oliver Burnett-Hall:
                 - gensync uses a better temp dir (FS#774)
                 - PKGDEST can be set in makepkg.conf (FS#783)
-              - patches from Aurelien Foret
+              - patches from Aurelien Foret:
                 - segfault fix, couple memory leaks
                 - more sanity checks in "provides" searches
                 - fixed a little display bug in the progress bar

README

@@ -754,7 +754,7 @@ API CHANGES BETWEEN 7.0 AND 7.1
 ===============================
 
 [ADDED]
-Fine-grained sandbox controls:
+- Fine-grained sandbox controls:
   - alpm_option_get_disable_sandbox_filesystem()
   - alpm_option_set_disable_sandbox_filesystem()
   - alpm_option_get_disable_sandbox_syscalls()
@@ -769,3 +769,5 @@ Fine-grained sandbox controls:
     PM_ERR_TRANS_COMMITING renamed to PM_ERR_TRANS_COMMITTING
 - alpm_pubkey_t - removed pubkey_algo member
 - alpm_sandbox_setup_child() - added parameter to restrict syscalls
+- alpm_option_get_disable_standbox() - returns 1 if any component is
+  disabled, 2 if all components are disabled.

doc/alpm-hooks.5.asciidoc

@@ -55,15 +55,15 @@ defined the hook will run if the transaction matches *any* of the triggers.
 
 *Type =* Path|Package::
 	Select whether targets are matched against transaction packages or files.
-	See CAVEATS for special notes regarding Path triggers. 'File' is a deprecated
-	alias for 'Path' and will be removed in a future release.  Required.
+	See CAVEATS for special notes regarding Path triggers. Required.
 
 *Target =* <path|package>::
 	The path or package name to match against the active transaction.
 	Paths refer to the files in the package archive; the installation root
 	should *not* be included in the path.  Shell-style glob patterns are
 	allowed. It is possible to invert matches by prepending a target with an
-	exclamation mark. May be specified multiple times. Required.
+	exclamation mark. May be specified multiple times, with subsequent
+	matches overriding previous ones. Required.
 
 ACTIONS
 -------

lib/libalpm/add.c

@@ -412,6 +412,29 @@ static int extract_single_file(alpm_handle_t *handle, struct archive *archive,
 	return errors;
 }
 
+static time_t get_install_time(void)
+{
+	time_t now;
+	char *source_date_epoch;
+	unsigned long long sde;
+	char *endptr;
+
+	source_date_epoch = getenv("SOURCE_DATE_EPOCH");
+	if (source_date_epoch) {
+		errno = 0;
+		sde = strtoull(source_date_epoch, &endptr, 10);
+		if (source_date_epoch == endptr || *endptr != '\0' || errno != 0) {
+			now = time(NULL);
+		} else {
+			now = sde;
+		}
+	} else {
+		now = time(NULL);
+	}
+
+	return now;
+}
+
 static int commit_single_pkg(alpm_handle_t *handle, alpm_pkg_t *newpkg,
 		size_t pkg_current, size_t pkg_count)
 {
@@ -591,7 +614,7 @@ static int commit_single_pkg(alpm_handle_t *handle, alpm_pkg_t *newpkg,
 	}
 
 	/* make an install date (in UTC) */
-	newpkg->installdate = time(NULL);
+	newpkg->installdate = get_install_time();
 
 	_alpm_log(handle, ALPM_LOG_DEBUG, "updating database\n");
 	_alpm_log(handle, ALPM_LOG_DEBUG, "adding database entry '%s'\n", newpkg->name);

lib/libalpm/alpm.h

@@ -2307,6 +2307,19 @@ int alpm_option_set_parallel_downloads(alpm_handle_t *handle, unsigned int num_s
  * @{
  */
 
+/** Get the state of the sandbox
+ * @param handle the context handle
+ * @return 0 for enabled, 1 if any component is disabled, 2 if completely disabled
+ */
+int alpm_option_get_disable_sandbox(alpm_handle_t *handle);
+
+/** Enables/disables all components of the sandbox.
+ * @param handle the context handle
+ * @param disable_sandbox 0 for enabled, 1 for disabled
+ * @return 0 on success, -1 on error (pm_errno is set accordingly)
+ */
+int alpm_option_set_disable_sandbox(alpm_handle_t *handle, unsigned short disable_sandbox);
+
 /** Get the state of the filesystem part of the sandbox
  * @param handle the context handle
  * @return 0 for enabled, 1 for disabled

lib/libalpm/handle.c

@@ -968,6 +968,26 @@ int SYMEXPORT alpm_option_set_parallel_downloads(alpm_handle_t *handle,
 	return 0;
 }
 
+int alpm_option_get_disable_sandbox(alpm_handle_t *handle)
+{
+	CHECK_HANDLE(handle, return -1);
+
+	if(handle->disable_sandbox_filesystem && handle->disable_sandbox_syscalls) {
+		return 2;
+	} else if (handle->disable_sandbox_filesystem || handle->disable_sandbox_syscalls) {
+		return 1;
+	}
+
+	return 0;
+}
+
+int alpm_option_set_disable_sandbox(alpm_handle_t *handle, unsigned short disable_sandbox) {
+	CHECK_HANDLE(handle, return -1);
+	handle->disable_sandbox_filesystem = disable_sandbox;
+	handle->disable_sandbox_syscalls = disable_sandbox;
+	return 0;
+}
+
 int SYMEXPORT alpm_option_get_disable_sandbox_filesystem(alpm_handle_t *handle)
 {
 	CHECK_HANDLE(handle, return -1);

lib/libalpm/hook.c

@@ -189,10 +189,6 @@ static int _alpm_hook_parse_cb(const char *file, int line,
 			}
 			if(strcmp(value, "Package") == 0) {
 				t->type = ALPM_HOOK_TYPE_PACKAGE;
-			} else if(strcmp(value, "File") == 0) {
-				_alpm_log(handle, ALPM_LOG_DEBUG,
-						"File targets are deprecated, use Path instead\n");
-				t->type = ALPM_HOOK_TYPE_PATH;
 			} else if(strcmp(value, "Path") == 0) {
 				t->type = ALPM_HOOK_TYPE_PATH;
 			} else {

meson.build

@@ -10,7 +10,7 @@ project('pacman',
         ],
         meson_version : '>= 0.61')
 
-libalpm_version = '16.0.0'
+libalpm_version = '16.0.1'
 
 cc = meson.get_compiler('c')
 

src/pacman/package.c

@@ -56,7 +56,6 @@ enum {
 	T_INSTALL_SCRIPT,
 	T_INSTALLED_SIZE,
 	T_LICENSES,
-	T_MD5_SUM,
 	T_NAME,
 	T_OPTIONAL_DEPS,
 	T_OPTIONAL_FOR,
@@ -110,7 +109,6 @@ static void make_aligned_titles(void)
 	buf[T_INSTALL_SCRIPT] = _("Install Script");
 	buf[T_INSTALLED_SIZE] = _("Installed Size");
 	buf[T_LICENSES] = _("Licenses");
-	buf[T_MD5_SUM] = _("MD5 Sum");
 	buf[T_NAME] = _("Name");
 	buf[T_OPTIONAL_DEPS] = _("Optional Deps");
 	buf[T_OPTIONAL_FOR] = _("Optional For");
@@ -235,9 +233,6 @@ void dump_pkg_full(alpm_pkg_t *pkg, int extra)
 		if(v & ALPM_PKG_VALIDATION_NONE) {
 			validation = alpm_list_add(validation, _("None"));
 		} else {
-			if(v & ALPM_PKG_VALIDATION_MD5SUM) {
-				validation = alpm_list_add(validation, _("MD5 Sum"));
-			}
 			if(v & ALPM_PKG_VALIDATION_SHA256SUM) {
 				validation = alpm_list_add(validation, _("SHA-256 Sum"));
 			}
@@ -321,7 +316,6 @@ void dump_pkg_full(alpm_pkg_t *pkg, int extra)
 			keys = alpm_list_add(keys, _("None"));
 		}
 
-		string_display(titles[T_MD5_SUM], alpm_pkg_get_md5sum(pkg), cols);
 		string_display(titles[T_SHA_256_SUM], alpm_pkg_get_sha256sum(pkg), cols);
 		list_display(titles[T_SIGNATURES], keys, cols);
 

test/pacman/README

@@ -294,6 +294,7 @@ Possible rules are:
   PKG_REASON=name|intvalue
   PKG_FILES=name|filename
   PKG_BACKUP=name|backupname
+  PKG_INSTALLDATE=name|epoch
 
 Example:
 	PKG_DEPENDS=ncurses|glibc

test/pacman/meson.build

@@ -277,6 +277,7 @@ pacman_tests = [
   'tests/sync992.py',
   'tests/sync993.py',
   'tests/sync999.py',
+  'tests/source_date_epoch_install.py',
   'tests/trans001.py',
   'tests/type001.py',
   'tests/unresolvable001.py',

test/pacman/pmrule.py

@@ -108,6 +108,9 @@ class pmrule(object):
                         if f.startswith(value + "\t"):
                             success = 1
                             break;
+                elif case == "INSTALLDATE":
+                    if newpkg.installdate != value:
+                        success = 0
                 else:
                     tap.diag("PKG rule '%s' not found" % case)
                     success = -1

test/pacman/pmtest.py

@@ -92,6 +92,7 @@ class pmtest(object):
             "fail": 0
         }
         self.args = ""
+        self.env = {}
         self.retcode = 0
         self.db = {
             "local": pmdb.pmdb("local", self.root)
@@ -299,7 +300,7 @@ class pmtest(object):
         # archives are made available more easily.
         time_start = time.time()
         self.retcode = subprocess.call(cmd, stdout=output, stderr=output,
-                cwd=os.path.join(self.root, util.TMPDIR), env={'LC_ALL': 'C'})
+                cwd=os.path.join(self.root, util.TMPDIR), env={'LC_ALL': 'C', **self.env})
         time_end = time.time()
         vprint("\ttime elapsed: %.2fs" % (time_end - time_start))
 

test/pacman/tests/source_date_epoch_install.py

@@ -0,0 +1,12 @@
+self.description = "Check that installing a package retains INSTALL DATE with SOURCE_DATE_EPOCH"
+
+p = pmpkg("pkg1")
+p.files = ["foo/file1",
+           "foo/file2"]
+self.addpkg(p)
+
+self.args = "-U %s" % p.filename()
+self.env = {"SOURCE_DATE_EPOCH": "1662046009"}
+
+self.addrule("PACMAN_RETCODE=0")
+self.addrule("PKG_INSTALLDATE=pkg1|1662046009")