Dominique Leuenberger
0b7b1ceaf6 Accepting request 1222654 from Base:System
- file-seccomp.patch: glibc uses getrandom in malloc, and rseq and prctl
  in various other places; allow these syscalls in the seccomp filter.

OBS-URL: https://build.opensuse.org/request/show/1222654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/file?expand=0&rev=138
2024-11-09 19:52:41 +00:00
Dr. Werner Fink
8712bcc924 .
OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=281
2024-11-08 07:34:20 +00:00
Dr. Werner Fink
fdbc4a0048 - file-seccomp.patch: glibc uses getrandom in malloc, and rseq and prctl
in various other places; allow these syscalls in the seccomp filter.

OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=280
2024-11-08 07:22:14 +00:00
3 changed files with 46 additions and 0 deletions

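--- /dev/null
+++ b/file-seccomp.patch
@@ -0,0 +1,35 @@
+From 3cb58bb51d47b8e61611350324b751eaa46166a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
+Date: Fri, 8 Nov 2024 08:28:12 +0100
+Subject: [PATCH] Allow getrandom, rseq, and prctl for glibc malloc
+glibc uses getrandom in malloc, rseq, and prctl in various other
+places, allow these syscalls in seccomp filter.
+```
+export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
+make check
+```
+Signed-off-by: Werner Fink <werner@suse.de>
+---
+src/seccomp.c | 3 +++
+1 file changed, 3 insertions(+)
+diff --git a/src/seccomp.c b/src/seccomp.c
+index ce824330..8a2c8a4c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -80,6 +80,9 @@ enable_sandbox(void)
+if (ctx == NULL)
+return -1;
++ ALLOW_RULE(prctl);
++ ALLOW_RULE(getrandom);
++ ALLOW_RULE(rseq);
+ALLOW_RULE(access);
+ALLOW_RULE(brk);
+ALLOW_RULE(close);
+--
+2.43.0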
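Review bot: `ALLOW_RULE(prctl);` in the seccomp.c hunk admits every prctl operation, while the glibc feature the description and the `GLIBC_TUNABLES=glibc.mem.decorate_maps=1` test exercise only needs the anonymous-VMA naming call, `PR_SET_VMA`; a whole-syscall allow also hands the sandboxed `file` process unrelated operations such as `PR_SET_DUMPABLE`. If ALLOW_RULE expands to an unconditional libseccomp `seccomp_rule_add()` as it appears to, the narrower form is a direct `seccomp_rule_add()` call with one argument comparison, `SCMP_A0(SCMP_CMP_EQ, PR_SET_VMA)`, wrapped in `#ifdef PR_SET_VMA` for older headers and using the same error path as the macro; the description's "prctl in various other places" should then be checked against which other operations newer glibc actually issues before tightening. getrandom and rseq carry no policy-relevant arguments and are fine as whole-syscall rules. The three new rules are also inserted ahead of `access` rather than into the alphabetical list that follows, so keeping that order would make the allow list easier to audit. enable_sandbox() continues on both sides of the hunk.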


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Nov 7 20:11:48 UTC 2024 - Cristian Rodríguez <crrodriguez@opensuse.org>
- file-seccomp.patch: glibc uses getrandom in malloc, rseq and prctl
in various other places, allow these syscalls in seccomp filter.
-------------------------------------------------------------------
Mon Feb 26 09:11:40 UTC 2024 - Dr. Werner Fink <werner@suse.de>


@ -65,6 +65,7 @@ Patch37: file-secure_getenv.patch
Patch39: file-5.28-btrfs-image.dif
# PATCH-FIX-UPSTREAM: Support max time_t on 32bit
Patch42: file-5.45-type_t.dif
Patch43: file-seccomp.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%global _sysconfdir /etc
%global magicdir %{_datadir}/file
@ -129,6 +130,7 @@ to develop applications that require the magic "file" interface.
%patch -P 37 -p1 -b .getenv
%patch -P 39 -p1 -b .btrfs
%patch -P 0 -b .0
%patch -P 43 -p1 -b .seccomp
test -s src/magic.h.in || cp -p src/magic.h src/magic.h.in
rm -fv src/magic.h
@ -162,6 +164,8 @@ install -s dcore %{buildroot}%{_bindir}
rm -f %{buildroot}%{_libdir}/*.la
%check
# Test if prctl is still allowed by the seccomp filter.
export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
# Standard checks
make check
# Check out that the binary does not bail out:
@ -174,6 +178,7 @@ for dir in %{_bindir} /%{_lib} %{_libdir} ; do
xargs %{buildroot}%{_bindir}/file -m %{buildroot}%{_miscdir}/magic
done
unset LD_LIBRARY_PATH
unset GLIBC_TUNABLES
%post -n %libname -p /sbin/ldconfig
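Review bot: `Patch43: file-seccomp.patch` in the first hunk lacks the `# PATCH-FIX-UPSTREAM:` comment its neighbour Patch42 carries, so the spec alone does not say whether this is an upstream-bound fix or a local workaround; a line such as `# PATCH-FIX-UPSTREAM: allow getrandom, rseq and prctl in the seccomp filter (needed by newer glibc)` above it would match the file's convention. In %check, `# Test if prctl is still allowed by the seccomp filter.` could also state what triggers the syscall, because the check is only meaningful on a build host whose glibc recognises the glibc.mem.decorate_maps tunable; something like `# glibc.mem.decorate_maps makes glibc call prctl(PR_SET_VMA) at startup, so a filter that denies it would abort the sandboxed binary under the tests below` makes that dependency explicit. The `unset GLIBC_TUNABLES` in the last hunk correctly pairs with the export, and the custom binary checks between them run under the tunable as well, which looks intended.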