Re: [Libguestfs] regression: file does not understand the -S option

On Wed, Sep 20, 2023 at 11:42:55PM +0200, Olaf Hering wrote: > Recently a commit was added to call 'file -zSb' instead of 'file -zb'. > > This causes a regression on Leap 15 (but not on Tumbleweed), because > file 5.32 does not understand the -S option. > > How can this be fixed properly, to handle both cases either at runtime > or at buildtime? The background to this was: https://github.com/libguestfs/libguestfs/issues/100 It took a while to work out what was going on in the original bug report, but it turned out that Arch (IIRC) enabled the seccomp feature in the 'file' command. This filters what system calls 'file' is allowed to make, which strengthens security as 'file' is often run on untrusted inputs. Unfortunately the seccomp rules for 'file' don't cope with running external programs (ie. 'file -z' which runs zcat). We filed a bug to try to get that fixed: https://bugzilla.redhat.com/show_bug.cgi?id=2148753 https://bugs.astron.com/view.php?id=406 but the fix to seccomp policy was rejected recently in both Fedora & upstream.