author | Mike Gilbert <floppym@gentoo.org> | 2023-10-19 14:06:37 -0400 |
---|---|---|
committer | Mike Gilbert <floppym@gentoo.org> | 2023-10-19 14:08:42 -0400 |
commit | dbbbf5f526aff28f9c8ba79c7a277bc3aa09398b (patch) | |
tree | 38ef7111ef55d365f746121396cac2d581b31387 /sys-apps/file | |
parent | net-p2p/bitcoind: drop 25.0 (diff) | |
sys-apps/file: add another seccomp fix for sandbox
Bug: https://bugs.gentoo.org/728978
Bug: https://bugs.gentoo.org/889046
Bug: https://bugs.gentoo.org/915890
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'sys-apps/file')
-rw-r--r-- | sys-apps/file/file-5.45-r2.ebuild (renamed from sys-apps/file/file-5.45-r1.ebuild) | 2 | ||||
-rw-r--r-- | sys-apps/file/files/file-5.45-seccomp-sandbox.patch | 48 |
2 files changed, 49 insertions, 1 deletions
diff --git a/sys-apps/file/file-5.45-r1.ebuild b/sys-apps/file/file-5.45-r2.ebuild
index 84d29bfbdf00..6626b607e4b4 100644
--- a/sys-apps/file/file-5.45-r1.ebuild
+++ b/sys-apps/file/file-5.45-r2.ebuild
@@ -60,7 +60,7 @@ QA_CONFIG_IMPL_DECL_SKIP=( makedev )
 PATCHES=(
 "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet
- "${FILESDIR}/file-5.43-portage-sandbox.patch" #889046
+ "${FILESDIR}/file-5.45-seccomp-sandbox.patch"
 "${FILESDIR}/${P}-32-bit-time_t.patch"
 "${FILESDIR}/${P}-32-bit-time_t-deux.patch"
 "${FILESDIR}/${P}-weak-magic-shell.patch" #908401
diff --git a/sys-apps/file/files/file-5.45-seccomp-sandbox.patch b/sys-apps/file/files/file-5.45-seccomp-sandbox.patch
new file mode 100644
index 000000000000..4ae62b5aa947
--- /dev/null
+++ b/sys-apps/file/files/file-5.45-seccomp-sandbox.patch
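Review bot: The replacement PATCHES entry `"${FILESDIR}/file-5.45-seccomp-sandbox.patch"` drops the bug reference the removed line carried (`#889046`), while the sibling entry two lines above documents itself with `#789336, not upstream yet`. If the new patch is likewise Gentoo-only, `"${FILESDIR}/file-5.45-seccomp-sandbox.patch" #728978, #889046, #915890, not upstream yet` would keep the list self-documenting and make the downstream-only patches easy to spot at the next version bump. The PATCHES array continues past the end of the hunk.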
@@ -0,0 +1,48 @@
+From 056d8aa6e0a743ff743c60a1fca67126f3dce0b6 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Thu, 19 Oct 2023 13:58:20 -0400
+Subject: [PATCH] seccomp: allow syscalls used by Gentoo's LD_PRELOAD sandbox
+
+Bug: https://bugs.gentoo.org/728978
+Bug: https://bugs.gentoo.org/889046
+Bug: https://bugs.gentoo.org/915890
+---
+ src/seccomp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 87d4c49e..31954ff4 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -174,6 +174,9 @@ enable_sandbox_full(void)
+ ALLOW_RULE(exit_group);
+ #ifdef __NR_faccessat
+ ALLOW_RULE(faccessat);
++#endif
++#ifdef __NR_faccessat2
++ ALLOW_RULE(faccessat2);
+ #endif
+ ALLOW_RULE(fcntl);
+ ALLOW_RULE(fcntl64);
+@@ -185,9 +188,18 @@ enable_sandbox_full(void)
+ ALLOW_RULE(fstatat64);
+ #endif
+ ALLOW_RULE(futex);
++ ALLOW_RULE(getcwd);
+ ALLOW_RULE(getdents);
+ #ifdef __NR_getdents64
+ ALLOW_RULE(getdents64);
++#endif
++ ALLOW_RULE(getgid);
++#ifdef __NR_getgid32
++ ALLOW_RULE(getgid32);
++#endif
++ ALLOW_RULE(getuid);
++#ifdef __NR_getuid32
++ ALLOW_RULE(getuid32);
+ #endif
+ #ifdef FIONREAD
+ // called in src/compress.c under sread
+--
+2.42.0
+
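Review bot: The new ALLOW_RULE entries widen the seccomp allowlist of `enable_sandbox_full` without any comment saying why, while the neighbouring upstream entry documents its caller (`// called in src/compress.c under sread`); a one-line comment above the `getcwd` rule and above the `getgid` block, e.g. `// needed by Gentoo's LD_PRELOAD sandbox, see bug 915890`, would keep the downstream additions identifiable when the file is rebased onto the next upstream release. As far as I can tell every added syscall only reads process or filesystem state (cwd, uid/gid and an access check), so the sandbox gives up no write restriction; stating that in the patch description would save the next reviewer re-deriving it. The `#ifdef __NR_faccessat2` guard tests the kernel headers, but `ALLOW_RULE(faccessat2)` presumably expands to a `SCMP_SYS(faccessat2)` lookup that also requires a libseccomp which knows that syscall name, so the ebuild's libseccomp dependency is worth checking against that. `enable_sandbox_full` starts and ends outside both hunks.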