On Wed, Sep 20, 2023 at 11:42:55PM +0200, Olaf Hering wrote:
Recently a commit was added to call 'file -zSb' instead of
'file -zb'.
This causes a regression on Leap 15 (but not on Tumbleweed), because
file 5.32 does not understand the -S option.
How can this be fixed properly, to handle both cases either at runtime
or at buildtime?
The background to this was:
https://github.com/libguestfs/libguestfs/issues/100
It took a while to work out what was going on in the original bug
report, but it turned out that Arch (IIRC) enabled the seccomp feature
in the 'file' command. This filters what system calls 'file' is
allowed to make, which strengthens security as 'file' is often run on
untrusted inputs.
Unfortunately the seccomp rules for 'file' don't cope with running
external programs (ie. 'file -z' which runs zcat). We filed a bug to
try to get that fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=2148753
https://bugs.astron.com/view.php?id=406
but the fix to seccomp policy was rejected recently in both Fedora &
upstream.
The patch we added to libguestfs turns off seccomp sandboxing, both
because it's broken (see above) and because we don't really need it as
we run stuff in a virtual machine already:
https://github.com/libguestfs/libguestfs/commit/23986d3c4f4d1f9cbac44cc74...
I didn't realise there were distros that lack support for the
'file -S' option.
So I guess the fix is to detect if 'file' has the -S option ...
I think we can just grep 'file --help' for the -S / --no-sandbox
option. Let me try for a patch now.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW