| 1 |
Files being installed by Portage are generally trusted but also the |
| 2 |
syscalls allowed by file are quite broad anyway. |
| 3 |
|
| 4 |
With e.g. new libc or sandbox version (or any number of things...), the |
| 5 |
syscalls used by file can change which leads to its seccomp filter killing |
| 6 |
the process. This is an acceptable tradeoff when users are calling file(1), |
| 7 |
but it makes less sense with trusted input within Portage, especially |
| 8 |
where it may lead to confusing errors (swallowed within pipes, subshells, |
| 9 |
etc). |
| 10 |
|
| 11 |
Indeed, it might even be the case that file(1) is broken, but the user |
| 12 |
needs to complete a world upgrade to get a newer file/portage/???, but |
| 13 |
can't because of various ebuilds (like ones using this eclass) failing. |
| 14 |
|
| 15 |
Disable seccomp for these calls to keep working. |
| 16 |
|
| 17 |
Bug: https://bugs.gentoo.org/811462 |
| 18 |
Bug: https://bugs.gentoo.org/815877 |
| 19 |
Bug: https://bugs.gentoo.org/889046 |
| 20 |
Signed-off-by: Sam James <sam@g.o> |
| 21 |
--- |
| 22 |
eclass/dotnet.eclass | 4 ++-- |
| 23 |
1 file changed, 2 insertions(+), 2 deletions(-) |
| 24 |
|
| 25 |
diff --git a/eclass/dotnet.eclass b/eclass/dotnet.eclass |
| 26 |
index b92b9c1b40549..1fb288dd10942 100644 |
| 27 |
--- a/eclass/dotnet.eclass |
| 28 |
+++ b/eclass/dotnet.eclass |
| 29 |
@@ -1,4 +1,4 @@ |
| 30 |
-# Copyright 1999-2022 Gentoo Authors |
| 31 |
+# Copyright 1999-2023 Gentoo Authors |
| 32 |
# Distributed under the terms of the GNU General Public License v2 |
| 33 |
|
| 34 |
# @ECLASS: dotnet.eclass |
| 35 |
@@ -131,7 +131,7 @@ dotnet_multilib_comply() { |
| 36 |
then |
| 37 |
for exe in "${ED}/usr/bin"/* |
| 38 |
do |
| 39 |
- if [[ "$(file "${exe}")" == *"shell script text"* ]] |
| 40 |
+ if [[ "$(file -S "${exe}")" == *"shell script text"* ]] |
| 41 |
then |
| 42 |
sed -r -i -e ":/lib(/|$): s:/lib(/|$):/$(get_libdir)\1:" \ |
| 43 |
"${exe}" || die "Sedding some sense into ${exe} failed" |
| 44 |
-- |
| 45 |
2.39.0 |
Archives