Files being installed by Portage are generally trusted but also the |
syscalls allowed by file are quite broad anyway. |
|
With e.g. new libc or sandbox version (or any number of things...), the |
syscalls used by file can change which leads to its seccomp filter killing |
the process. This is an acceptable tradeoff when users are calling file(1), |
but it makes less sense with trusted input within Portage, especially |
where it may lead to confusing errors (swallowed within pipes, subshells, |
etc). |
|
Indeed, it might even be the case that file(1) is broken, but the user |
needs to complete a world upgrade to get a newer file/portage/???, but |
can't because of various ebuilds (like ones using this eclass) failing. |
|
Disable seccomp for these calls so they keep working. |
|
Bug: https://bugs.gentoo.org/811462 |
Bug: https://bugs.gentoo.org/815877 |
Bug: https://bugs.gentoo.org/889046 |
Signed-off-by: Sam James <sam@g.o> |
--- |
eclass/unpacker.eclass | 8 ++++---- |
1 file changed, 4 insertions(+), 4 deletions(-) |
|
diff --git a/eclass/unpacker.eclass b/eclass/unpacker.eclass |
26 |
index 5ce681ebaa0d4..326b2fa675249 100644 |
27 |
--- a/eclass/unpacker.eclass |
28 |
+++ b/eclass/unpacker.eclass |
29 |
@@ -1,4 +1,4 @@ |
30 |
-# Copyright 1999-2022 Gentoo Authors |
31 |
+# Copyright 1999-2023 Gentoo Authors |
32 |
# Distributed under the terms of the GNU General Public License v2 |
33 |
|
34 |
# @ECLASS: unpacker.eclass |
35 |
@@ -122,7 +122,7 @@ unpack_pdv() { |
36 |
local tmpfile="${T}/${FUNCNAME}" |
37 |
tail -c +$((${tailskip}+1)) ${src} 2>/dev/null | head -c 512 > "${tmpfile}" |
38 |
|
39 |
- local iscompressed=$(file -b "${tmpfile}") |
40 |
+ local iscompressed=$(file -S -b "${tmpfile}") |
41 |
if [[ ${iscompressed:0:8} == "compress" ]] ; then |
42 |
iscompressed=1 |
43 |
mv "${tmpfile}"{,.Z} |
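Review bot: The new `file -S` invocation on the `+` line of this hunk is still assigned through `local iscompressed=$(...)`, so a failing file(1) — including a release too old to accept `-S`, which would presumably exit with a usage error instead of a type string — leaves `iscompressed` empty and the archive silently falls into the `iscompressed=0` branch; the same applies to `istar` in the next hunk. Because `local` masks the command substitution's exit status, the check needs the declaration split the way unpack_makeself already does it: `local iscompressed` followed by `iscompressed=$(file -S -b "${tmpfile}") || die`. unpack_pdv's body starts and ends outside this hunk.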
44 |
@@ -130,7 +130,7 @@ unpack_pdv() { |
45 |
else |
46 |
iscompressed=0 |
47 |
fi |
48 |
- local istar=$(file -b "${tmpfile}") |
49 |
+ local istar=$(file -S -b "${tmpfile}") |
50 |
if [[ ${istar:0:9} == "POSIX tar" ]] ; then |
51 |
istar=1 |
52 |
else |
53 |
@@ -244,7 +244,7 @@ unpack_makeself() { |
54 |
|
55 |
# lets grab the first few bytes of the file to figure out what kind of archive it is |
56 |
local decomp= filetype suffix |
57 |
- filetype=$("${exe[@]}" 2>/dev/null | head -c 512 | file -b -) || die |
58 |
+ filetype=$("${exe[@]}" 2>/dev/null | head -c 512 | file -S -b -) || die |
59 |
case ${filetype} in |
60 |
*tar\ archive*) |
61 |
decomp=cat |
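Review bot: Nothing in the eclass records why file(1)'s seccomp sandbox is switched off on the `filetype=` line, so a later reader may well drop `-S` as an unneeded privilege relaxation; add a comment above it such as `# -S: disable file(1)'s seccomp sandbox, which kills file on newer libc/sandbox versions (bug #811462)`, and the same at the two call sites in unpack_pdv. Older file(1) releases that predate the sandbox option will presumably reject `-S` outright, so the eclass's build-time dependency on file may need a minimum version — that cannot be confirmed from the hunk. unpack_makeself's body starts and ends outside this hunk.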
-- |
2.39.0 |