sys-apps/firejail: add 0.9.76

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://bugs.gentoo.org/960936
Closes: https://bugs.gentoo.org/962286
Bug: https://bugs.gentoo.org/961468
Part-of: https://github.com/gentoo/gentoo/pull/43651
Closes: https://github.com/gentoo/gentoo/pull/43651
Signed-off-by: Sam James <sam@gentoo.org>

sys-apps/firejail/Manifest

@@ -1,2 +1,3 @@
 DIST firejail-0.9.72.tar.xz 503192 BLAKE2B 3d57b345476cb62399859622c88f5d6c22842da5894045c09bc7d84229ec2a01c494e4e9393b6fba6c668f73c6b7046f9a014a315baa5bc56d1479b9cad178a7 SHA512 846fa5caf6e68c669f76a07d6321ed365bf3c45f7992e8be3784ed99ef508ea8dffc5d6cc5da75eeb37964ad358d61b7959e8590051950951de8ca904d8a49de
 DIST firejail-0.9.74.tar.xz 527640 BLAKE2B c71c4b9c6e4cc66ccd0884d98599709f59353f0d270ce7c7e056815a9025ae6b558e210a70a2f8fd4f1c0c5cad72cc3c372bb2af8ffef673c0f5cb3819375191 SHA512 abc79c7d76d6da2c93e9cc5b4529f2950a0de8f292bede5b0e38179551c8ec65adf8d61326c7dbbad0d488234211df2266ce6d59eea06b792c0b7e163d83e69f
+DIST firejail-0.9.76.tar.xz 526972 BLAKE2B 17fe271ea96b869651d6981419cf9d6f532d47d68791c621aaf461754386870734f3b7b6fc6cddba2ff12797f36eacdc8cbb6199a7568eb7b3056975d224e276 SHA512 c923bd1ee7d0d9f2bad9e172a785c170fa670c1f7043c234a4632ae1d8f0c51da93b959f43d1562a4eed4634ba12b88b83c9cda1e82a071ccf7ea50bef155783

sys-apps/firejail/files/firejail-0.9.76-hashcat-profile.patch

@@ -0,0 +1,30 @@
+https://github.com/netblue30/firejail/pull/6888/commits/03eac22c108fbafd7dc9b94e2889cfb74bea8874
+From: Hank Leininger <hlein@korelogic.com>
+Date: Tue, 2 Sep 2025 20:44:16 -0600
+Subject: [PATCH] profiles: hashcat: fix runtime errors (#6364)
+
+private-bin messes with hashcat's ability to find its installed
+files under /usr/share/hashcat/.
+
+novideo makes hashcat unable to access /dev/nvidia* (on some distros?)
+
+Signed-off-by: Hank Leininger <hlein@korelogic.com>
+--- a/etc/profile-a-l/hashcat.profile
++++ b/etc/profile-a-l/hashcat.profile
+@@ -32,13 +32,11 @@ noroot
+ nosound
+ notv
+ nou2f
+-novideo
+ protocol unix
+ seccomp
+ x11 none
+ 
+ disable-mnt
+-private-bin hashcat
+ private-cache
+ private-dev
+ private-tmp
+-- 
+2.50.1
+

sys-apps/firejail/firejail-0.9.76.ebuild

@@ -0,0 +1,138 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+
+inherit flag-o-matic toolchain-funcs python-single-r1 linux-info
+
+DESCRIPTION="Security sandbox for any type of processes"
+HOMEPAGE="https://firejail.wordpress.com/"
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/netblue30/firejail.git"
+	EGIT_BRANCH="master"
+	inherit git-r3
+else
+	SRC_URI="https://github.com/netblue30/${PN}/releases/download/${PV}/${P}.tar.xz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="apparmor +chroot contrib +dbusproxy +file-transfer +globalcfg +network +private-home selinux test +userns X"
+REQUIRED_USE="contrib? ( ${PYTHON_REQUIRED_USE} )"
+# Needs a lot of work to function within sandbox/portage. Can look at the alternative
+# test targets in Makefile too, bug #769731
+RESTRICT="test"
+
+RDEPEND="
+	!sys-apps/firejail-lts
+	apparmor? ( sys-libs/libapparmor )
+	contrib? ( ${PYTHON_DEPS} )
+	dbusproxy? ( sys-apps/xdg-dbus-proxy )
+	selinux? ( sys-libs/libselinux )
+"
+DEPEND="
+	${RDEPEND}
+	sys-libs/libseccomp
+	test? ( dev-tcltk/expect )
+"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-0.9.70-envlimits.patch"
+	"${FILESDIR}/${PN}-0.9.74-firecfg.config.patch"
+	"${FILESDIR}/${PN}-0.9.74-manpage-nocompress.patch"
+	"${FILESDIR}/${PN}-0.9.76-hashcat-profile.patch"
+)
+
+pkg_setup() {
+	CONFIG_CHECK="~SQUASHFS"
+	local ERROR_SQUASHFS="CONFIG_SQUASHFS: required for firejail --appimage mode"
+	check_extra_config
+
+	use contrib && python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# Our toolchain already sets SSP by default but forcing it causes problems
+	# on arches which don't support it. As for F_S, we again set it by defualt
+	# in our toolchain, but forcing F_S=2 is actually a downgrade if 3 is set.
+	sed -i \
+		-e 's:-fstack-protector-all::' \
+		-e 's:-D_FORTIFY_SOURCE=2::' \
+		src/so.mk src/prog.mk || die
+
+	find -type f -name Makefile -exec sed -i -r -e '/CFLAGS/s: (-O2|-ggdb) : :g' {} + || die
+
+	# Fix up hardcoded paths to templates and docs
+	local files=$(grep -E -l -r '/usr/share/doc/firejail([^-]|$)' ./RELNOTES ./src/man/ ./etc/profile*/ ./test/ || die)
+	for file in ${files[@]} ; do
+		sed -i -r -e "s:/usr/share/doc/firejail([^-]|\$):/usr/share/doc/${PF}\1:" "${file}" || die
+	done
+
+	if use contrib; then
+		python_fix_shebang -f contrib/*.py
+	fi
+}
+
+src_configure() {
+	# bug #937374
+	use elibc_musl && append-cppflags -D_LARGEFILE64_SOURCE
+
+	local myeconfargs=(
+		--disable-fatal-warnings
+		--enable-suid
+		$(use_enable apparmor)
+		$(use_enable chroot)
+		$(use_enable dbusproxy)
+		$(use_enable file-transfer)
+		$(use_enable globalcfg)
+		$(use_enable network)
+		$(use_enable private-home)
+		$(use_enable selinux)
+		$(use_enable userns)
+		$(use_enable X x11)
+	)
+
+	econf "${myeconfargs[@]}"
+
+	cat > 99firejail <<-EOF || die
+	SANDBOX_WRITE="/run/firejail"
+	EOF
+}
+
+src_compile() {
+	emake CC="$(tc-getCC)"
+}
+
+src_test() {
+	emake test-utils test-sysutils
+}
+
+src_install() {
+	default
+
+	# Gentoo-specific profile customizations
+	insinto /etc/${PN}
+	local profile_local
+	for profile_local in "${FILESDIR}"/profile_*local ; do
+		newins "${profile_local}" "${profile_local/\/*profile_/}"
+	done
+
+	# Prevent sandbox violations when toolchain is firejailed
+	insinto /etc/sandbox.d
+	doins 99firejail
+
+	rm "${ED}"/usr/share/doc/${PF}/COPYING || die
+
+	if use contrib; then
+		python_scriptinto /usr/$(get_libdir)/firejail
+		python_doscript contrib/*.py
+		insinto /usr/$(get_libdir)/firejail
+		dobin contrib/*.sh
+	fi
+}