commit:     0a43a1114f05d985cef96402cab1451580a6339b
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 31 12:51:36 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Dec 31 12:52:10 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a43a111

sys-apps/file: allow faccessat2 syscall in seccomp for sandbox-2.30

Closes: https://bugs.gentoo.org/889046
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../{file-5.43-r1.ebuild => file-5.43-r2.ebuild}   |  4 ++--
 .../file/{file-5.44.ebuild => file-5.44-r1.ebuild} |  5 ++--
 sys-apps/file/file-9999.ebuild                     |  6 ++---
 .../file/files/file-5.43-portage-sandbox.patch     | 28 ++++++++++++++++++++++
 .../files/file-5.43-seccomp-fstatat64-musl.patch   | 22 +++++++++++++++++
 sys-apps/file/files/file-5.44-seccomp-utimes.patch | 18 ++++++++++++++
 6 files changed, 76 insertions(+), 7 deletions(-)

diff --git a/sys-apps/file/file-5.43-r1.ebuild 
b/sys-apps/file/file-5.43-r2.ebuild
similarity index 96%
rename from sys-apps/file/file-5.43-r1.ebuild
rename to sys-apps/file/file-5.43-r2.ebuild
index 10bf50a18e4f..610753073aa6 100644
--- a/sys-apps/file/file-5.43-r1.ebuild
+++ b/sys-apps/file/file-5.43-r2.ebuild
@@ -49,8 +49,8 @@ BDEPEND+="
        )"
 
 PATCHES=(
-       "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978
-       "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.43-portage-sandbox.patch" #713710 #728978
+       "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
        "${FILESDIR}/${P}-configure-clang16.patch"
 )
 
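Review bot: The bug references on the `file-5.43-portage-sandbox.patch` line are inconsistent across the three ebuilds: here the new line keeps `#713710 #728978` but omits `#889046`, the bug this commit closes, while the same line in the file-5.44-r1 and file-9999 hunks carries only `#889046` and drops `#713710 #728978`, even though the new patch file still contains the getcwd rule for bug 728978. Since all three ebuilds now apply the identical patch, the annotation should be the same in each; I would use `"${FILESDIR}/file-5.43-portage-sandbox.patch" #713710 #728978 #889046` in all three places so a later reader can find every bug the patch addresses. The same fix applies to the corresponding PATCHES hunks in file-5.44-r1.ebuild and file-9999.ebuild.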

diff --git a/sys-apps/file/file-5.44.ebuild b/sys-apps/file/file-5.44-r1.ebuild
similarity index 95%
rename from sys-apps/file/file-5.44.ebuild
rename to sys-apps/file/file-5.44-r1.ebuild
index 99d5b362b9c5..c29778951f51 100644
--- a/sys-apps/file/file-5.44.ebuild
+++ b/sys-apps/file/file-5.44-r1.ebuild
@@ -52,9 +52,10 @@ BDEPEND+="
        )"
 
 PATCHES=(
-       "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978
-       "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046
        "${FILESDIR}/file-5.44-limits-solaris.patch" # applied upstream
+       "${FILESDIR}/file-5.44-seccomp-utimes.patch" # upstream
 )
 
 src_prepare() {

diff --git a/sys-apps/file/file-9999.ebuild b/sys-apps/file/file-9999.ebuild
index 81f60050024c..c83ce4f71f81 100644
--- a/sys-apps/file/file-9999.ebuild
+++ b/sys-apps/file/file-9999.ebuild
@@ -18,7 +18,7 @@ else
        SRC_URI="ftp://ftp.astron.com/pub/file/${P}.tar.gz";
        SRC_URI+=" verify-sig? ( ftp://ftp.astron.com/pub/file/${P}.tar.gz.asc 
)"
 
-       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos 
~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos 
~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 
        BDEPEND="verify-sig? ( sec-keys/openpgp-keys-file )"
 fi
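Review bot: This hunk drops `~sparc` from KEYWORDS in the live ebuild, which is unrelated to the seccomp change the commit title and description announce and is not explained anywhere in the commit message. If the drop is intentional it should be either a separate commit or at least a sentence in the description (e.g. a reference to the bug or reason for dekeywording sparc); as it stands a reader bisecting a sparc keyword loss would not find this commit by its subject. The enclosing `if`/`else` block starts outside the hunk.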
@@ -52,8 +52,8 @@ BDEPEND+="
        )"
 
 PATCHES=(
-       "${FILESDIR}/file-5.39-portage-sandbox.patch" #713710 #728978
-       "${FILESDIR}/file-5.40-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046
 )
 
 src_prepare() {

diff --git a/sys-apps/file/files/file-5.43-portage-sandbox.patch 
b/sys-apps/file/files/file-5.43-portage-sandbox.patch
new file mode 100644
index 000000000000..f9e715cc366f
--- /dev/null
+++ b/sys-apps/file/files/file-5.43-portage-sandbox.patch
@@ -0,0 +1,28 @@
+Allow syscalls for Gentoo's portage sandbox
+
+- Add getcwd (bug #728978)
+- Add faccessat2 (bug #889046)
+
+Bug: https://bugs.gentoo.org/728978
+Bug: https://bugs.gentoo.org/889046
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -174,6 +174,9 @@ enable_sandbox_full(void)
+       ALLOW_RULE(exit_group);
+ #ifdef __NR_faccessat
+       ALLOW_RULE(faccessat);
++#endif
++#ifdef __NR_faccessat2
++        ALLOW_RULE(faccessat2);
+ #endif
+       ALLOW_RULE(fcntl);
+       ALLOW_RULE(fcntl64);
+@@ -237,6 +240,8 @@ enable_sandbox_full(void)
+       ALLOW_RULE(write);
+       ALLOW_RULE(writev);
+ 
++      // needed by Gentoo's portage sandbox
++      ALLOW_RULE(getcwd);
+ 
+ #if 0
+       // needed by valgrind
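Review bot: The added `ALLOW_RULE(faccessat2);` line appears to be indented with spaces while the neighbouring `ALLOW_RULE(faccessat);` and the rest of `enable_sandbox_full()` appear to use a tab, so the patch introduces a mixed-indentation line into seccomp.c; it should use the same tab as the lines around it. The new `#ifdef __NR_faccessat2` block also has no why-comment, unlike the getcwd rule further down which is annotated `// needed by Gentoo's portage sandbox`; I would add `// needed by Gentoo's portage sandbox (bug #889046)` above the `#ifdef` so the next person auditing the allow-list knows why this syscall was widened rather than assuming it was copied from upstream. Note that, like every other entry here, the rule allows the syscall with any arguments, so documenting the caller that needs it is the only record of why it is in the list. The body of `enable_sandbox_full()` starts and ends outside both hunks of this patch.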

diff --git a/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch 
b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch
new file mode 100644
index 000000000000..a039882ac8d7
--- /dev/null
+++ b/sys-apps/file/files/file-5.43-seccomp-fstatat64-musl.patch
@@ -0,0 +1,22 @@
+From 8c13923a8e17a02be0989649b2edc20124816729 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <flop...@gentoo.org>
+Date: Tue, 15 Jun 2021 16:08:22 -0400
+Subject: [PATCH] seccomp: undef fstatat64 to avoid build failure on musl
+
+sys/stat.h in musl does this:
+
+  #define fstatat64 fstatat
+
+Counteract this with an #undef.
+
+Bug: https://bugs.gentoo.org/789336
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -182,6 +182,7 @@ enable_sandbox_full(void)
+ #endif
+       ALLOW_RULE(fstat64);
+ #ifdef __NR_fstatat64
++#undef fstatat64
+       ALLOW_RULE(fstatat64);
+ #endif
+       ALLOW_RULE(futex);
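Review bot: This new file looks, from the ebuild hunks that swap `file-5.40-seccomp-fstatat64-musl.patch` for `file-5.43-seccomp-fstatat64-musl.patch`, like a renamed copy of the 5.40 patch, yet the diffstat shows no deletion of the old 5.40 patch or of `file-5.39-portage-sandbox.patch`; if no other ebuild in the package still references them they are now stale files in `files/` and should be removed in the same commit. The patch description still carries the 2021 header and the ebuilds still annotate it "not upstream yet"; a one-line note in the patch header stating that it was only rebased for 5.43 (or a pointer to an upstream submission, if one exists) would save the next bumper from re-checking. `enable_sandbox_full()` starts and ends outside the hunk.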

diff --git a/sys-apps/file/files/file-5.44-seccomp-utimes.patch 
b/sys-apps/file/files/file-5.44-seccomp-utimes.patch
new file mode 100644
index 000000000000..49f1c2e4b739
--- /dev/null
+++ b/sys-apps/file/files/file-5.44-seccomp-utimes.patch
@@ -0,0 +1,18 @@
+https://github.com/file/file/commit/1590a653b520123d47070a47436abfba42d4c943
+
+From 1590a653b520123d47070a47436abfba42d4c943 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Mon, 26 Dec 2022 18:57:29 +0000
+Subject: [PATCH] PR/408: SpraxDev: Add utimes to the allow list for -p
+
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -233,6 +233,7 @@ enable_sandbox_full(void)
+       ALLOW_RULE(umask);      // Used in file_pipe2file()
+       ALLOW_RULE(getpid);     // Used by glibc in file_pipe2file()
+       ALLOW_RULE(unlink);
++      ALLOW_RULE(utimes);
+       ALLOW_RULE(write);
+       ALLOW_RULE(writev);
+ 
+
