commit:     97c69a6b18aa618d0e8a150f59c2a27edea14044
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 15 17:00:02 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 17:00:02 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97c69a6b

sys-apps/file: fix seccomp w/ glibc-2.42

Closes: https://bugs.gentoo.org/961520
Signed-off-by: Sam James <sam <AT> gentoo.org>

 sys-apps/file/file-5.46-r3.ebuild                  | 191 +++++++++++++++++++++
 .../file/files/file-5.46-seccomp-glibc-2.42.patch  |  82 +++++++++
 sys-apps/file/files/file-5.46-seccomp-rseq.patch   |  50 ++++++
 3 files changed, 323 insertions(+)

diff --git a/sys-apps/file/file-5.46-r3.ebuild 
b/sys-apps/file/file-5.46-r3.ebuild
new file mode 100644
index 000000000000..6fbf7cef0302
--- /dev/null
+++ b/sys-apps/file/file-5.46-r3.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+DISTUTILS_OPTIONAL=1
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit distutils-r1 toolchain-funcs multilib-minimal
+
+if [[ ${PV} == 9999 ]] ; then
+       EGIT_REPO_URI="https://github.com/file/file";
+       inherit autotools git-r3
+else
+       VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/file.asc
+       inherit libtool verify-sig
+       SRC_URI="https://astron.com/pub/file/${P}.tar.gz";
+       SRC_URI+=" verify-sig? ( https://astron.com/pub/file/${P}.tar.gz.asc )"
+
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos 
~x64-macos ~x64-solaris"
+
+       BDEPEND="verify-sig? ( sec-keys/openpgp-keys-file )"
+fi
+
+DESCRIPTION="Identify a file's format by scanning binary data for patterns"
+HOMEPAGE="https://www.darwinsys.com/file/";
+
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="bzip2 lzip lzma python seccomp static-libs zlib zstd"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+DEPEND="
+       bzip2? ( app-arch/bzip2[${MULTILIB_USEDEP}] )
+       lzip? ( app-arch/lzlib )
+       lzma? ( app-arch/xz-utils[${MULTILIB_USEDEP}] )
+       seccomp? ( >=sys-libs/libseccomp-2.5.4[${MULTILIB_USEDEP}] )
+       zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+       zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+RDEPEND="
+       ${DEPEND}
+       python? (
+               ${PYTHON_DEPS}
+               !dev-python/python-magic
+       )
+       seccomp? ( >=sys-libs/libseccomp-2.5.4[${MULTILIB_USEDEP}] )
+"
+BDEPEND+="
+       python? (
+               ${PYTHON_DEPS}
+               ${DISTUTILS_DEPS}
+       )
+"
+
+# https://bugs.gentoo.org/898676
+QA_CONFIG_IMPL_DECL_SKIP=( makedev )
+
+PATCHES=(
+       "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not 
upstream yet
+       "${FILESDIR}/file-5.45-seccomp-sandbox.patch"
+       "${FILESDIR}/file-5.46-zip.patch"
+       "${FILESDIR}/file-5.46-buffer-overflow.patch"
+       "${FILESDIR}/file-5.46-seccomp-rseq.patch"
+       "${FILESDIR}/file-5.46-seccomp-glibc-2.42.patch"
+)
+
+src_prepare() {
+       default
+
+       if [[ ${PV} == 9999 ]] ; then
+               eautoreconf
+       else
+               elibtoolize
+       fi
+
+       # Don't let python README kill main README, bug #60043
+       mv python/README.md python/README.python.md || die
+
+       # bug #662090
+       sed -i '[email protected]@README.python.md@' python/setup.py || die
+}
+
+multilib_src_configure() {
+       local myeconfargs=(
+               --enable-fsect-man5
+               $(use_enable bzip2 bzlib)
+               $(multilib_native_use_enable lzip lzlib)
+               $(use_enable lzma xzlib)
+               $(use_enable seccomp libseccomp)
+               $(use_enable static-libs static)
+               $(use_enable zlib)
+               $(use_enable zstd zstdlib)
+       )
+
+       econf "${myeconfargs[@]}"
+}
+
+build_src_configure() {
+       local myeconfargs=(
+               --disable-shared
+               --disable-libseccomp
+               --disable-bzlib
+               --disable-xzlib
+               --disable-zlib
+       )
+
+       econf_build "${myeconfargs[@]}"
+}
+
+need_build_file() {
+       # When cross-compiling, we need to build up our own file
+       # because people often don't keep matching host/target
+       # file versions, bug #362941
+       tc-is-cross-compiler && ! has_version -b "~${CATEGORY}/${P}"
+}
+
+src_configure() {
+       local ECONF_SOURCE="${S}"
+
+       if need_build_file ; then
+               mkdir -p "${WORKDIR}"/build || die
+               cd "${WORKDIR}"/build || die
+               build_src_configure
+       fi
+
+       multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+       if multilib_is_native_abi ; then
+               emake
+       else
+               # bug #586444
+               emake -C src magic.h
+               emake -C src libmagic.la
+       fi
+}
+
+src_compile() {
+       if need_build_file ; then
+               # bug #586444
+               emake -C "${WORKDIR}"/build/src magic.h
+               emake -C "${WORKDIR}"/build/src file
+               local -x PATH="${WORKDIR}/build/src:${PATH}"
+       fi
+
+       multilib-minimal_src_compile
+
+       if use python ; then
+               cd python || die
+               distutils-r1_src_compile
+       fi
+}
+
+src_test() {
+       multilib-minimal_src_test
+
+       if use python ; then
+               cd python || die
+               distutils-r1_src_test
+       fi
+}
+
+python_test() {
+       eunittest
+}
+
+multilib_src_install() {
+       if multilib_is_native_abi ; then
+               default
+       else
+               emake -C src install-{nodist_includeHEADERS,libLTLIBRARIES} 
DESTDIR="${D}"
+       fi
+}
+
+multilib_src_install_all() {
+       dodoc ChangeLog MAINT # README
+
+       # Required for `file -C`
+       insinto /usr/share/misc/magic
+       doins -r magic/Magdir/*
+
+       if use python ; then
+               cd python || die
+               distutils-r1_src_install
+       fi
+
+       find "${ED}" -type f -name "*.la" -delete || die
+}
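Review bot: The two new PATCHES entries, `file-5.46-seccomp-rseq.patch` and `file-5.46-seccomp-glibc-2.42.patch`, carry no bug or upstream reference, while the first entry in the array documents itself with `#789336, not upstream yet`; since both widen the seccomp allowlist, the reason each is needed belongs next to it, e.g. `"${FILESDIR}/file-5.46-seccomp-rseq.patch" # upstream 339bdef4` and `"${FILESDIR}/file-5.46-seccomp-glibc-2.42.patch" # bug #961520, bugs.astron.com #678`. The `sed -i '[email protected]@README.python.md@'` line in src_prepare reads as garbled in this listing — the leading `s@README.md` half of the substitution appears to have been rewritten by the archive's e-mail obfuscation — so the committed file should be checked to contain the intended `s@README.md@README.python.md@` expression. The `>=sys-libs/libseccomp-2.5.4` floor appears in both DEPEND and RDEPEND with no comment on why that version is required (presumably syscall-table coverage for the rules the patches add); a one-line note there would stop a future bump from relaxing it.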

diff --git a/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch 
b/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch
new file mode 100644
index 000000000000..47ae4d4074ec
--- /dev/null
+++ b/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch
@@ -0,0 +1,82 @@
+https://bugs.astron.com/view.php?id=678
+Two patches:
+1) https://github.com/file/file/commit/f49e4b1a393c0378e43b65c36765676c98d018c4
+2) From the bug
+
+From f49e4b1a393c0378e43b65c36765676c98d018c4 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <[email protected]>
+Date: Thu, 20 Mar 2025 14:57:41 +0000
+Subject: [PATCH] Fix termios handling on linux/ppc (Dr. Werner Fink)
+
+---
+ src/seccomp.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 9e00034ad..f05c30f9f 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,15 +27,20 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.30 2024/11/28 14:04:24 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+ #include <seccomp.h> /* libseccomp */
+ #include <sys/prctl.h> /* prctl */
+-#include <sys/ioctl.h>
+ #include <sys/socket.h>
+-#include <termios.h>
++#ifdef __powerpc64__
++// See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
++# include <asm/termbits.h>
++#else
++# include <termios.h>
++#endif
++#include <sys/ioctl.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+ #include <errno.h>
+
+
+From 7b23bd3f87069fcebc9173c8d1637c2a2e1a12d1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <[email protected]>
+Date: Wed, 6 Aug 2025 23:11:10 +0200
+Subject: [PATCH] Extend seccomp for glibc and  physical terminals
+
+New glibc implementations might also use TCGETS2 instead of TCGETS.
+This happens on current Arch Linux systems. Allow TCGETS2 in seccomp
+sandbox as well.
+---
+ src/seccomp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index f05c30f9..dddb821c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -37,6 +37,8 @@ FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 
christos Exp $")
+ #ifdef __powerpc64__
+ // See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
+ # include <asm/termbits.h>
++#elif defined __linux__
++# include <linux/termios.h>
+ #else
+ # include <termios.h>
+ #endif
+@@ -121,6 +123,10 @@ enable_sandbox(void)
+ #ifdef TCGETS
+       // glibc may call ioctl TCGETS on stdout on physical terminal
+       ALLOW_IOCTL_RULE(TCGETS);
++#endif
++#ifdef TCGETS2
++      // glibc may call ioctl TCGETS2 on stdout on physical terminal
++      ALLOW_IOCTL_RULE(TCGETS2);
+ #endif
+       ALLOW_RULE(lseek);
+       ALLOW_RULE(_llseek);
+-- 
+2.50.1
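Review bot: The header at the top of the patch file describes the second patch only as `2) From the bug`, so whoever bumps to the next file release cannot tell whether the TCGETS2/`<linux/termios.h>` change has landed upstream; record its status, e.g. `2) From the bug — not in an upstream release as of this commit; drop once it is` (adjusted to what the bug tracker shows). The new `#elif defined __linux__` branch replaces the libc `<termios.h>` with `<linux/termios.h>` on every Linux libc, whereas the first patch did the equivalent only for `__powerpc64__`; given the ebuild also carries a musl-specific seccomp fix, it is worth confirming this header combination builds against musl's `<sys/ioctl.h>` as well. The sandbox widening itself is small — TCGETS2 is the extended form of the already-allowed TCGETS terminal-attribute query and the rule's comment says as much — and the enclosing enable_sandbox() body extends beyond the quoted hunk.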

diff --git a/sys-apps/file/files/file-5.46-seccomp-rseq.patch 
b/sys-apps/file/files/file-5.46-seccomp-rseq.patch
new file mode 100644
index 000000000000..a0b124f48814
--- /dev/null
+++ b/sys-apps/file/files/file-5.46-seccomp-rseq.patch
@@ -0,0 +1,50 @@
+https://github.com/file/file/commit/339bdef41536d63ffacd2e48082d195a1e3617b9
+
+From 339bdef41536d63ffacd2e48082d195a1e3617b9 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <[email protected]>
+Date: Thu, 28 Nov 2024 14:04:24 +0000
+Subject: [PATCH] Sort, add rseq (Cristian Rodriguez)
+
+---
+ src/seccomp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index ce8243300..9e00034ad 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef       lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.29 2024/09/29 16:49:25 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.30 2024/11/28 14:04:24 christos Exp $")
+ #endif        /* lint */
+ 
+ #if HAVE_LIBSECCOMP
+@@ -103,6 +103,8 @@ enable_sandbox(void)
+ #ifdef __NR_getdents64
+       ALLOW_RULE(getdents64);
+ #endif
++      ALLOW_RULE(getpid);     // Used by glibc in file_pipe2file()
++      ALLOW_RULE(getrandom);  // Used by glibc in file_pipe2file()
+ #ifdef FIONREAD
+       // called in src/compress.c under sread
+       ALLOW_IOCTL_RULE(FIONREAD);
+@@ -136,6 +138,7 @@ enable_sandbox(void)
+ #ifdef __NR_readlinkat
+       ALLOW_RULE(readlinkat);
+ #endif
++      ALLOW_RULE(rseq);       // Used by glibc to randomize malloc
+       ALLOW_RULE(rt_sigaction);
+       ALLOW_RULE(rt_sigprocmask);
+       ALLOW_RULE(rt_sigreturn);
+@@ -145,8 +148,6 @@ enable_sandbox(void)
+       ALLOW_RULE(stat64);
+       ALLOW_RULE(sysinfo);
+       ALLOW_RULE(umask);      // Used in file_pipe2file()
+-      ALLOW_RULE(getpid);     // Used by glibc in file_pipe2file()
+-      ALLOW_RULE(getrandom);  // Used by glibc in file_pipe2file()
+       ALLOW_RULE(unlink);
+       ALLOW_RULE(utimes);
+       ALLOW_RULE(write);
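Review bot: `ALLOW_RULE(rseq)` is added without an `#ifdef __NR_rseq` guard, unlike the neighbouring `getdents64` and `readlinkat` rules that are conditional, so whether the rule resolves on a given target depends on libseccomp's own syscall table rather than the kernel headers. The ebuild's `>=sys-libs/libseccomp-2.5.4` floor presumably covers it, but that link is not written down anywhere; a line in this patch file's header such as `# the unconditional rseq rule needs a libseccomp that knows the syscall — see the seccomp dependency floor in the ebuild` would keep the two in step. The enclosing enable_sandbox() starts and ends outside the quoted hunks.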
