commit: 0813d843cb2a43c748fdf6c9d5ac6dc882104dcf Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Fri Apr 23 19:10:09 2021 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Fri Apr 23 19:10:09 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0813d843
sys-apps/file: allow faccessat and fstatat64 syscalls Closes: https://bugs.gentoo.org/784857 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> .../{file-5.40-r1.ebuild => file-5.40-r2.ebuild} | 2 ++ .../file/files/file-5.40-seccomp-faccessat.patch | 34 ++++++++++++++++++++++ .../file/files/file-5.40-seccomp-fstatat64.patch | 29 ++++++++++++++++++ 3 files changed, 65 insertions(+)
diff --git a/sys-apps/file/file-5.40-r1.ebuild b/sys-apps/file/file-5.40-r2.ebuild
similarity index 96%
rename from sys-apps/file/file-5.40-r1.ebuild
rename to sys-apps/file/file-5.40-r2.ebuild
index a901c2a4003..f46a59bccfa 100644
--- a/sys-apps/file/file-5.40-r1.ebuild
+++ b/sys-apps/file/file-5.40-r2.ebuild
@@ -39,6 +39,8 @@ RDEPEND="${DEPEND}
 PATCHES=(
 "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978
 "${FILESDIR}/file-5.40-xz_magic.patch" #784773
+ "${FILESDIR}/file-5.40-seccomp-faccessat.patch"
+ "${FILESDIR}/file-5.40-seccomp-fstatat64.patch" #784857
 )
 
 src_prepare() {
diff --git a/sys-apps/file/files/file-5.40-seccomp-faccessat.patch b/sys-apps/file/files/file-5.40-seccomp-faccessat.patch
new file mode 100644
index 00000000000..4aeb88cfe87
--- /dev/null
+++ b/sys-apps/file/files/file-5.40-seccomp-faccessat.patch
@@ -0,0 +1,34 @@
+From abcd583135bb0762e6bfd0f2e06c50bea1fb3cd0 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Tue, 6 Apr 2021 22:02:17 +0000
+Subject: [PATCH] On ARM64 Linux access() syscall is no longer a real syscall
+ to the kernel. Instead it's emulated by glibc with a new faccessat() syscall.
+ (Icenowy Zheng)
+
+---
+ src/seccomp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 0da907ff7..81842cf5c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.18 2021/03/14 17:01:58 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.19 2021/04/06 22:02:17 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -171,6 +171,9 @@ enable_sandbox_full(void)
+ ALLOW_RULE(dup2);
+ ALLOW_RULE(exit);
+ ALLOW_RULE(exit_group);
++#ifdef __NR_faccessat
++ ALLOW_RULE(faccessat);
++#endif
+ ALLOW_RULE(fcntl);
+ ALLOW_RULE(fcntl64);
+ ALLOW_RULE(fstat);
diff --git a/sys-apps/file/files/file-5.40-seccomp-fstatat64.patch b/sys-apps/file/files/file-5.40-seccomp-fstatat64.patch
new file mode 100644
index 00000000000..57d04e5f40c
--- /dev/null
+++ b/sys-apps/file/files/file-5.40-seccomp-fstatat64.patch
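Review bot: The added `ALLOW_RULE(faccessat);` in enable_sandbox_full() widens the seccomp allowlist with no comment in the code, so the reason is recorded only in the patch subject; the same holds for `ALLOW_RULE(fstatat64);` in file-5.40-seccomp-fstatat64.patch. I would add one line above each `#ifdef`, e.g. `/* access() is issued as faccessat where the kernel has no access syscall (arm64) */` and `/* stat via Gentoo libsandbox LD_PRELOAD wrapper, bug 784857 */`, so a later audit of the filter can tell which entries file itself needs and which exist for the build environment. Both rules allow the syscall for any arguments, which appears consistent with the neighbouring entries visible in the hunk. enable_sandbox_full() begins and ends outside the hunk.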
@@ -0,0 +1,29 @@
+From e3d0265a147878b6c2903bcc83b9842dff68ceb4 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <flop...@gentoo.org>
+Date: Fri, 23 Apr 2021 15:00:42 -0400
+Subject: [PATCH] seccomp: allow fstatat64
+
+This is needed for the libsandbox LD_PRELOAD wrapper on Gentoo Linux.
+
+Bug: https://bugs.gentoo.org/784857
+---
+ src/seccomp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 81842cf5..43abc684 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -178,6 +178,9 @@ enable_sandbox_full(void)
+ ALLOW_RULE(fcntl64);
+ ALLOW_RULE(fstat);
+ ALLOW_RULE(fstat64);
++#ifdef __NR_fstatat64
++ ALLOW_RULE(fstatat64);
++#endif
+ ALLOW_RULE(futex);
+ ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+--
+2.31.1
+
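Review bot: The `#ifdef __NR_fstatat64` guard means this rule is compiled out wherever the headers do not define that number, which is typically the case on 64-bit ABIs that use `newfstatat` instead. The hunk does not show whether `newfstatat` is already on the allowlist, so it is worth confirming that the libsandbox wrapper named in the patch message is covered on 64-bit targets as well as 32-bit ones; if it is not, a matching `#ifdef __NR_newfstatat` / `ALLOW_RULE(newfstatat);` pair belongs next to this one. enable_sandbox_full() begins and ends outside the hunk.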