From 7e4c4e79793f0f5fcf99e069ab1418bee92f4310e3dd7df7cc09e2be23bf7b42 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Tue, 7 Jan 2020 11:24:32 +0000 Subject: [PATCH 1/6] Disable sandboxing on aarch64 OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=203 --- file.changes | 6 ++++++ file.spec | 9 +++++++-- python-magic.spec | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/file.changes b/file.changes index 2d01df1..693c8ff 100644 --- a/file.changes +++ b/file.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Jan 7 11:22:04 UTC 2020 - Dr. Werner Fink + +- Currently file command receives SIGSYS/31 with sandboxing enabled + via libseccomp + ------------------------------------------------------------------- Fri Dec 20 14:00:22 UTC 2019 - Dr. Werner Fink diff --git a/file.spec b/file.spec index 3df9bcc..06cd62c 100644 --- a/file.spec +++ b/file.spec @@ -1,7 +1,7 @@ # # spec file for package file # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -140,7 +140,12 @@ rm -f Magdir/*,v Magdir/*~ rm -f ltcf-c.sh ltconfig ltmain.sh autoreconf -fiv export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflags)" -%configure --disable-silent-rules --datadir=%{_miscdir} --disable-static --enable-fsect-man5 +%configure --disable-silent-rules --datadir=%{_miscdir} \ + --disable-static \ +%ifarch aarch64 + --disable-libseccomp \ +%endif + --enable-fsect-man5 \ make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" %install diff --git a/python-magic.spec b/python-magic.spec index 637466f..e1a2e55 100644 --- a/python-magic.spec +++ b/python-magic.spec 
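Review bot: The `%ifarch aarch64` block added to the `%configure` call in file.spec turns off the seccomp sandbox for a whole architecture, and nothing in the spec records why or when it should be undone. file(1) parses untrusted input, so the filter is a real hardening layer. I would add a comment above `%configure`, for example `# aarch64: file gets SIGSYS/31 under the libseccomp filter; sandbox disabled until the blocked syscall is allowed`, with a bug reference once one exists. The `export CFLAGS=... $(pkg-config libseccomp --cflags)` context line still pulls in libseccomp flags on aarch64, which is harmless but misleading with the feature disabled. The same conditional is re-added in PATCH 4/6, so the comment applies there as well.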
@@ -1,7 +1,7 @@ # # spec file for package python-magic # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From dd1cee3902939bb56042a64b705803c53d8fd2b8cd5744cca1eb75129a313a49 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Tue, 7 Jan 2020 11:41:37 +0000 Subject: [PATCH 2/6] Disable sandboxing on aarch64, second try OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=204 --- file.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/file.spec b/file.spec index 06cd62c..635cd14 100644 --- a/file.spec +++ b/file.spec @@ -145,7 +145,7 @@ export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflag %ifarch aarch64 --disable-libseccomp \ %endif - --enable-fsect-man5 \ + --enable-fsect-man5 make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" %install From dec5a56b7fee36913457a018db6683b0d3649917d2e7a1e6601da1396b3ef398 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 8 Jan 2020 11:06:16 +0000 Subject: [PATCH 3/6] Test libseccomp OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=205 --- file.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/file.spec b/file.spec index 635cd14..ba65045 100644 --- a/file.spec +++ b/file.spec @@ -142,9 +142,6 @@ autoreconf -fiv export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflags)" %configure --disable-silent-rules --datadir=%{_miscdir} \ --disable-static \ -%ifarch aarch64 - --disable-libseccomp \ -%endif --enable-fsect-man5 make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" From 1257782b9df50f41d0f114988e2885e69d403463772eed90fbb398139ad6acc2 Mon Sep 17 00:00:00 2001 
From: "Dr. Werner Fink" Date: Wed, 8 Jan 2020 11:17:35 +0000 Subject: [PATCH 4/6] Restore diabled libseccomp on aarch64 OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=206 --- file.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/file.spec b/file.spec index ba65045..635cd14 100644 --- a/file.spec +++ b/file.spec @@ -142,6 +142,9 @@ autoreconf -fiv export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflags)" %configure --disable-silent-rules --datadir=%{_miscdir} \ --disable-static \ +%ifarch aarch64 + --disable-libseccomp \ +%endif --enable-fsect-man5 make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" From 22ee42da7441a3ca883fae885545b6a00d38f52a4e512e6f4cbe8ca7ce0bc55c Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Sun, 12 Jan 2020 16:03:11 +0000 Subject: [PATCH 5/6] Accepting request 761855 from home:msmeissn:branches:Base:System - file-5.38-allow-readlinkat.dif: allow readlinkat() systemcall, reenable sandboxing. (bsc#1160303) OBS-URL: https://build.opensuse.org/request/show/761855 OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=207 --- file-5.38-allow-readlinkat.dif | 14 ++++++++++++++ file.changes | 6 ++++++ file.spec | 7 +++---- python-magic.spec | 2 +- 4 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 file-5.38-allow-readlinkat.dif diff --git a/file-5.38-allow-readlinkat.dif b/file-5.38-allow-readlinkat.dif new file mode 100644 index 0000000..d36886c --- /dev/null +++ b/file-5.38-allow-readlinkat.dif @@ -0,0 +1,14 @@ +Index: file-5.38/src/seccomp.c +=================================================================== +--- file-5.38.orig/src/seccomp.c ++++ file-5.38/src/seccomp.c +@@ -202,6 +202,9 @@ enable_sandbox_full(void) + #ifdef __NR_newfstatat + ALLOW_RULE(newfstatat); + #endif ++#ifdef __NR_readlinkat ++ ALLOW_RULE(readlinkat); ++#endif + ALLOW_RULE(open); + ALLOW_RULE(openat); + ALLOW_RULE(pread64); 
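Review bot: The new `ALLOW_RULE(readlinkat)` in `enable_sandbox_full()` widens the syscall allowlist without a comment saying which code path needs it, which makes later audits of the filter harder. A short comment above the `#ifdef __NR_readlinkat`, such as `/* readlink(2) is issued as readlinkat on some architectures (bsc#1160303) */`, would record the reason. The architecture detail is my inference from the earlier aarch64 SIGSYS workaround in this series, so confirm it against the bug. The rule permits the call with any arguments, which is probably acceptable for a read-only syscall but worth stating in that comment. The function starts and continues outside the hunk, so I cannot see whether plain `readlink` is already allowed.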
diff --git a/file.changes b/file.changes index 693c8ff..9b04074 100644 --- a/file.changes +++ b/file.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jan 8 13:55:46 UTC 2020 - Marcus Meissner + +- file-5.38-allow-readlinkat.dif: allow readlinkat() systemcall, + reenable sandboxing. (bsc#1160303) + ------------------------------------------------------------------- Tue Jan 7 11:22:04 UTC 2020 - Dr. Werner Fink diff --git a/file.spec b/file.spec index 635cd14..9bc6d7e 100644 --- a/file.spec +++ b/file.spec @@ -1,7 +1,7 @@ # # spec file for package file # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -64,6 +64,7 @@ Patch34: file-5.23-endian.patch Patch35: file-5.24-nitpick.dif Patch37: file-secure_getenv.patch Patch39: file-5.28-btrfs-image.dif +Patch40: file-5.38-allow-readlinkat.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %global _sysconfdir /etc %global _miscdir %{_datadir}/misc @@ -129,6 +130,7 @@ to develop applications that require the magic "file" interface. %patch35 -p0 -b .nitpick %patch37 -p1 -b .getenv %patch39 -p1 -b .btrfs +%patch40 -p1 -b .readlinkat %patch -b .0 test -s src/magic.h.in || cp -p src/magic.h src/magic.h.in rm -fv src/magic.h @@ -142,9 +144,6 @@ autoreconf -fiv export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflags)" %configure --disable-silent-rules --datadir=%{_miscdir} \ --disable-static \ -%ifarch aarch64 - --disable-libseccomp \ -%endif --enable-fsect-man5 make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" diff --git a/python-magic.spec b/python-magic.spec index e1a2e55..8107d49 100644 --- a/python-magic.spec +++ b/python-magic.spec 
@@ -1,7 +1,7 @@ # # spec file for package python-magic # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From 43b5158f065548aa87e3522e01d662d86875defed8aa61349a16c74576a9f775 Mon Sep 17 00:00:00 2001 From: "Dr. Werner Fink" Date: Wed, 15 Jan 2020 09:20:20 +0000 Subject: [PATCH 6/6] Disable libseccomp OBS-URL: https://build.opensuse.org/package/show/Base:System/file?expand=0&rev=208 --- file.changes | 7 +++++++ file.spec | 5 ++++- python-magic.spec | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/file.changes b/file.changes index 9b04074..7b40c5f 100644 --- a/file.changes +++ b/file.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Jan 15 09:17:43 UTC 2020 - Dr. Werner Fink + +- Looks like libseccomp filter stumble over decompressors like + xz (without liblmza) or zstd hence disable it (boo#1160649) +- Require at build devel packages for liblzma and libbz2 + ------------------------------------------------------------------- Wed Jan 8 13:55:46 UTC 2020 - Marcus Meissner diff --git a/file.spec b/file.spec index 9bc6d7e..7ef10fd 100644 --- a/file.spec +++ b/file.spec @@ -1,7 +1,7 @@ # # spec file for package file # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,6 +23,8 @@ Name: file BuildRequires: bash >= 4.0 BuildRequires: libtool BuildRequires: zlib-devel +BuildRequires: pkgconfig(bzip2) +BuildRequires: pkgconfig(liblzma) BuildRequires: pkgconfig(libseccomp) URL: http://www.darwinsys.com/file/ # bug437293 
@@ -144,6 +146,7 @@ autoreconf -fiv export CFLAGS="%{optflags} -DHOWMANY=69632 -fPIE $(pkg-config libseccomp --cflags)" %configure --disable-silent-rules --datadir=%{_miscdir} \ --disable-static \ + --disable-libseccomp \ --enable-fsect-man5 make %{?_smp_mflags} pkgdatadir='$(datadir)' LDFLAGS="-pie" diff --git a/python-magic.spec b/python-magic.spec index 8107d49..a9c821c 100644 --- a/python-magic.spec +++ b/python-magic.spec @@ -1,7 +1,7 @@ # # spec file for package python-magic # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
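Review bot: The added `--disable-libseccomp \` in the `%configure` call switches the sandbox off on every architecture, yet nothing in the spec marks that hardening was dropped. `BuildRequires: pkgconfig(libseccomp)`, the `$(pkg-config libseccomp --cflags)` in `CFLAGS` and `Patch40` (the readlinkat allow rule) all remain, so the spec now carries unused sandbox plumbing. The changelog ties the failure to decompressors such as xz and zstd (boo#1160649), so I would record that above `%configure`, for example `# boo#1160649: seccomp filter breaks xz/zstd decompression; sandbox disabled until the filter is fixed`. Wrapping the flag in a build conditional such as `%bcond_with` would make re-enabling a one-line change. That last point is a suggestion, not something the visible lines require.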