On Thu, Sep 21, 2023 at 12:25:21PM +0100, Richard W.M. Jones wrote:
> On Wed, Sep 20, 2023 at 11:42:55PM +0200, Olaf Hering wrote:
> > Recently a commit was added to call 'file -zSb' instead of 'file -zb'.
> >
> > This causes a regression on Leap 15 (but not on Tumbleweed), because
> > file 5.32 does not understand the -S option.
> >
> > How can this be fixed properly, to handle both cases either at runtime
> > or at buildtime?
>
> The background to this was:
>
> https://github.com/libguestfs/libguestfs/issues/100
>
> It took a while to work out what was going on in the original bug
> report, but it turned out that Arch (IIRC) enabled the seccomp feature
> in the 'file' command. This filters what system calls 'file' is
> allowed to make, which strengthens security as 'file' is often run on
> untrusted inputs.
>
> Unfortunately the seccomp rules for 'file' don't cope with running
> external programs (ie. 'file -z' which runs zcat). We filed a bug to
> try to get that fixed:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2148753
> https://bugs.astron.com/view.php?id=406
>
> but the fix to seccomp policy was rejected recently in both Fedora &
> upstream.

Their rationale in that bug makes no sense.

Not allowing 'clone+execve' etc is correct when '-z' is NOT specified
by the user. No argument there.

If '-z' is specified then adding clone+execve etc is the only way it
can work. They should apply a different seccomp filter for '-z' only
which includes clone+execve, etc. Telling people to turn off seccomp
entirely in order to use '-z' is even worse for security than just
allowing clone+execve.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
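
Added example (not part of the thread, and not libguestfs's own fix): a runtime probe for the question raised above, which passes -S only when -z is requested and only when the installed 'file' accepts it, so plain identification keeps the seccomp sandbox. FILE_CMD, file_has_S, file_flags and identify are hypothetical names, and the probe assumes a 'file' that lacks -S exits non-zero when given it.

```shell
# FILE_CMD is overridable so the probe can be pointed at another binary
# (or at a stub when testing); it defaults to the 'file' found on PATH.
FILE_CMD=${FILE_CMD:-file}

# Succeeds if this 'file' accepts -S. Probed on /dev/null so that no
# untrusted input is touched while the sandbox question is still open.
file_has_S() {
    "$FILE_CMD" -Sb /dev/null >/dev/null 2>&1
}

# file_flags <yes|no>: print the option string for one invocation.
# The argument says whether decompression (-z) is wanted.
file_flags() {
    if [ "$1" != yes ]; then
        # No -z: nothing has to be spawned, so leave the sandbox enabled.
        echo "-b"
    elif file_has_S; then
        # -z needs to run a decompressor, which the seccomp policy blocks.
        echo "-zSb"
    else
        # Older 'file' (5.32 in the report above) has no -S to pass.
        echo "-zb"
    fi
}

# identify <path> [yes|no]: run 'file' with the flags chosen above.
identify() {
    "$FILE_CMD" "$(file_flags "${2:-no}")" -- "$1"
}
```
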