• [gentoo-dev] [PATCH 1/3] dotnet.eclass: pass -S to file to disable secc

    From Sam James@21:1/5 to All on Tue Jan 3 05:10:01 2023
    Files being installed by Portage are generally trusted but also the
    syscalls allowed by file are quite broad anyway.

    With e.g. a new libc or sandbox version (or any number of things...), the
    syscalls used by file can change, which leads to its seccomp filter killing
    the process. This is an acceptable tradeoff when users are calling file(1),
    but it makes less sense with trusted input within Portage, especially
    where it may lead to confusing errors (swallowed within pipes, subshells,
    etc.).

    Indeed, it might even be the case that file(1) is broken and the user
    needs to complete a world upgrade to get a newer file/portage/???, but
    can't because of various ebuilds (like ones using this eclass) failing.

    Disable seccomp for these calls to keep working.

    Bug: https://bugs.gentoo.org/811462
    Bug: https://bugs.gentoo.org/815877
    Bug: https://bugs.gentoo.org/889046
    Signed-off-by: Sam James <sam@gentoo.org>
    ---
    eclass/dotnet.eclass | 4 ++--
    1 file changed, 2 insertions(+), 2 deletions(-)

    diff --git a/eclass/dotnet.eclass b/eclass/dotnet.eclass
    index b92b9c1b40549..1fb288dd10942 100644
    --- a/eclass/dotnet.eclass
    +++ b/eclass/dotnet.eclass
    @@ -1,4 +1,4 @@
    -# Copyright 1999-2022 Gentoo Authors
    +# Copyright 1999-2023 Gentoo Authors
    # Distributed under the terms of the GNU General Public License v2

    # @ECLASS: dotnet.eclass
    @@ -131,7 +131,7 @@ dotnet_multilib_comply() {
    then
    for exe in "${ED}/usr/bin"/*
    do
    - if [[ "$(file "${exe}")" == *"shell script text"* ]]
    + if [[ "$(file -S "${exe}")" == *"shell script text"* ]]
    then
    sed -r -i -e ":/lib(/|$): s:/lib(/|$):/$(get_libdir)\1:" \
    "${exe}" || die "Sedding some sense into ${exe} failed"
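    Review bot: the exit status of `file` is discarded by the command substitution in `if [[ "$(file -S "${exe}")" == *"shell script text"* ]]`, so when file(1) is killed by its seccomp filter, or rejects `-S` as an unknown option on a file(1) that lacks it, the output is empty, the comparison is false, and the `sed` fixup is skipped with no `die`; capture the output first, e.g. `out=$(file -S "${exe}") || die "file failed on ${exe}"`, and test `${out}` afterwards, so the breakage this patch works around is reported instead of swallowed.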
    --
    2.39.0

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
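The commit message above points at the failure mode that motivates the patch: a file(1) killed by its seccomp filter inside a command substitution does not produce an error, it produces an empty string, and the surrounding test silently goes the wrong way. The following is an added example, not code from the Gentoo eclasses or from anyone in this thread. It reconstructs the `$(file ...)`-inside-a-test pattern from `dotnet_multilib_comply()` with constructed stand-ins for file(1) (no real file(1) is run by the checks), shows the silent mis-detection beside a variant that surfaces the failure, and adds a probe-and-fall-back wrapper for the non-POSIX `-S` option raised later in the thread. All paths and messages are constructed.

```shell
#!/bin/sh
# Added example (not Gentoo eclass code). Reconstructs the pattern
#   if [[ "$(file -S "${exe}")" == *"shell script text"* ]]
# with stand-ins for file(1) to show why a killed file(1) is swallowed.

# Stand-in for a file(1) killed by its seccomp filter. On Linux the shell
# reports 128 + SIGSYS (31) = 159 for such a process. Message is constructed.
fake_file_killed() {
    echo "file: Bad system call (constructed stand-in)" >&2
    return 159
}

# Stand-in for a working file(1) looking at a shell script wrapper.
fake_file_ok() {
    printf '%s: POSIX shell script text executable\n' "$1"
}

# Original pattern: the exit status of $file_cmd is lost inside $(...).
# A killed file(1) yields "" and the test quietly takes the "not a script"
# branch, which in the eclass means the sed fixup is skipped without a die.
# Prints "script" or "not-script".
check_original() {
    file_cmd=$1
    exe=$2
    case "$("$file_cmd" "$exe")" in
        *"shell script text"*) echo script ;;
        *) echo not-script ;;
    esac
}

# Hardened pattern: capture the output first, check the status, and fail
# loudly rather than mis-classify. Returns 1 when file(1) did not succeed.
check_hardened() {
    file_cmd=$1
    exe=$2
    out=$("$file_cmd" "$exe")
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "error: $file_cmd exited with status $rc on $exe" >&2
        return 1
    fi
    case "$out" in
        *"shell script text"*) echo script ;;
        *) echo not-script ;;
    esac
}

# Portability guard for the point that -S is not in POSIX file(1): probe
# once and fall back to a plain call when -S is rejected. Assumes, as
# file(1) does, that an unknown option makes it exit non-zero.
file_nosandbox() {
    if file -S /dev/null >/dev/null 2>&1; then
        file -S "$@"
    else
        file "$@"
    fi
}

# Demonstration with the killed stand-in (path is constructed): the original
# pattern answers "not-script", the hardened one reports the failure.
check_original fake_file_killed /usr/bin/example-wrapper
check_hardened fake_file_killed /usr/bin/example-wrapper || echo "hardened check refused to guess"
```

Running the script prints `not-script` for the original pattern even though the stand-in "died", and an `error: ... exited with status 159` line followed by `hardened check refused to guess` for the hardened one; in an ebuild the `return 1` would be a `die`, which is what makes a broken file(1) visible in the build log instead of showing up later as an unpatched wrapper.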
  • From Sam James@21:1/5 to All on Tue Jan 3 05:10:01 2023
    Files being installed by Portage are generally trusted but also the
    syscalls allowed by file are quite broad anyway.

    With e.g. a new libc or sandbox version (or any number of things...), the
    syscalls used by file can change, which leads to its seccomp filter killing
    the process. This is an acceptable tradeoff when users are calling file(1),
    but it makes less sense with trusted input within Portage, especially
    where it may lead to confusing errors (swallowed within pipes, subshells,
    etc.).

    Indeed, it might even be the case that file(1) is broken and the user
    needs to complete a world upgrade to get a newer file/portage/???, but
    can't because of various ebuilds (like ones using this eclass) failing.

    Disable seccomp for these calls to keep working.

    Bug: https://bugs.gentoo.org/811462
    Bug: https://bugs.gentoo.org/815877
    Bug: https://bugs.gentoo.org/889046
    Signed-off-by: Sam James <sam@gentoo.org>
    ---
    eclass/mono.eclass | 4 ++--
    1 file changed, 2 insertions(+), 2 deletions(-)

    diff --git a/eclass/mono.eclass b/eclass/mono.eclass
    index ddea2d4b9c641..c096acc8c40ee 100644
    --- a/eclass/mono.eclass
    +++ b/eclass/mono.eclass
    @@ -1,4 +1,4 @@
    -# Copyright 1999-2022 Gentoo Authors
    +# Copyright 1999-2023 Gentoo Authors
    # Distributed under the terms of the GNU General Public License v2

    # @ECLASS: mono.eclass
    @@ -76,7 +76,7 @@ mono_multilib_comply() {
    then
    for exe in "${ED}/usr/bin"/*
    do
    - if [[ "$(file "${exe}")" == *"shell script text"* ]]
    + if [[ "$(file -S "${exe}")" == *"shell script text"* ]]
    then
    sed -r -i -e ":/lib(/|$): s:/lib(/|$):/$(get_libdir)\1:" \
    "${exe}" || die "Sedding some sense into ${exe} failed"
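    Review bot: as in the dotnet.eclass hunk, the failure status of `file -S "${exe}"` disappears inside `$(...)`, so a killed or `-S`-rejecting file(1) makes this condition silently false and the `sed` step is skipped without a `die`; the check body is identical in both eclasses, so a single shared helper that captures the output, checks the status and dies on failure would keep the `-S` handling (and any fallback for a file(1) without `-S`) in one place instead of two.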
    --
    2.39.0

  • From Ulrich Mueller@21:1/5 to All on Tue Jan 3 12:50:01 2023
    On Tue, 03 Jan 2023, Sam James wrote:

    - if [[ "$(file "${exe}")" == *"shell script text"* ]]
    + if [[ "$(file -S "${exe}")" == *"shell script text"* ]]

    POSIX file doesn't know the -S option. Could that cause any problems,
    e.g. on prefix systems?

  • From Sam James@21:1/5 to All on Thu Jan 5 01:40:01 2023
    On 3 Jan 2023, at 11:47, Ulrich Mueller <ulm@gentoo.org> wrote:

    On Tue, 03 Jan 2023, Sam James wrote:

    - if [[ "$(file "${exe}")" == *"shell script text"* ]]
    + if [[ "$(file -S "${exe}")" == *"shell script text"* ]]

    POSIX file doesn't know the -S option. Could that cause any problems,
    e.g. on prefix systems?

    I think it should be okay as we add our own PATH first. But it's a fair point.
