[pacman-dev] RFC: support file with seccomp enabled

Message ID 20190812034625.3652-1-eschwartz@archlinux.org
State Accepted, archived
Series
  • [pacman-dev] RFC: support file with seccomp enabled

Commit Message

Eli Schwartz Aug. 12, 2019, 3:46 a.m. UTC
Not all compression types can be detected in the seccomp sandbox, so we
need to disable the sandbox. This requires either configuring makepkg to
know the sandbox is available, or checking for file >= 5.38, in which the
sandbox option is a no-op even when seccomp is disabled.

- Requires autoconf-archive for autotools version compare macro.
- meson version comparison could be made a lot simpler using meson-git.

Fixes FS#58626

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 RELEASE                              |  1 +
 build-aux/edit-script.sh.in          |  1 +
 configure.ac                         | 19 +++++++++++++++++++
 meson.build                          | 10 ++++++++++
 meson_options.txt                    |  3 +++
 scripts/Makefile.am                  |  1 +
 scripts/libmakepkg/source/file.sh.in |  2 +-
 7 files changed, 36 insertions(+), 1 deletion(-)

Comments

Allan McRae Aug. 13, 2019, 1:47 a.m. UTC | #1
On 12/8/19 1:46 pm, Eli Schwartz wrote:
> Not all compression types can be detected in the seccomp sandbox, so we
> need to disable it. This requires either configuring makepkg to know the
> sandbox is available, or checking for file >= 5.38 in which the sandbox
> option is a no-op even when seccomp is disabled.
> 
> - Requires autoconf-archive for autotools version compare macro.
> - meson version comparison could be made a lot simpler using meson-git.
> 
> Fixes FS#58626
> 
> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>


This looks good to me.  Before file is called by makepkg, we have
downloaded and checked the source against its signatures/checksums, so we
should trust the source by this stage.

I don't mind the extra autoconf-archive dependency for generating
tarballs for the current release.

A

Patch

diff --git a/RELEASE b/RELEASE
index c9949253..7a9184b4 100644
--- a/RELEASE
+++ b/RELEASE
@@ -11,6 +11,7 @@  The following checklist should be used for making a pacman release.
 - Update doc/index.asciidoc
 - Create a signed git tag (git tag -s vX.Y.Z -m "commit message")
 - Create and sign release tarballs (generate with "make distcheck")
+  - In addition to the standard autotools toolchain, autoconf-archive is needed
 - Update pacman website
 
 Transifex updates are handled using the transifex client. The basic process is:
diff --git a/build-aux/edit-script.sh.in b/build-aux/edit-script.sh.in
index d5495057..640d32f8 100644
--- a/build-aux/edit-script.sh.in
+++ b/build-aux/edit-script.sh.in
@@ -19,6 +19,7 @@  mode=$3
   -e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \
   -e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \
   -e "s|@INODECMD[@]|@INODECMD@|g" \
+  -e "s|@FILECMD[@]|@FILECMD@|g" \
   -e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \
   -e "s|@SEDPATH[@]|@SEDPATH@|g" \
   -e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \
diff --git a/configure.ac b/configure.ac
index cb2fb2bf..0f3dd3ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,12 @@  AC_ARG_WITH(ldconfig,
 		[set the full path to ldconfig]),
 	[LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig])
 
+# Help line for determining whether file is seccomp-enabled
+AC_ARG_WITH(file-seccomp,
+	AS_HELP_STRING([--with-file-seccomp={yes|no|auto}],
+		[determine whether file is seccomp-enabled @<:@default=auto@:>@]),
+	[with_file_seccomp=$withval], [with_file_seccomp=auto])
+
 # Help line for selecting a crypto library
 AC_ARG_WITH(crypto,
 	AS_HELP_STRING([--with-crypto={openssl|nettle}],
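Review bot: The help text in the added `AC_ARG_WITH(file-seccomp, ...)` says only that it determines whether file is seccomp-enabled, but per the commit message the practical effect of `yes` is that makepkg calls `file -S`, i.e. runs file with its sandbox turned off. Someone reading `./configure --help` should be able to see that; wording such as `[pass -S to file so that makepkg runs it without the seccomp sandbox @<:@default=auto@:>@]` would say it. The same description is used for the `file-seccomp` option in meson_options.txt, and the summary label `File seccomp command` in configure.ac and meson.build has the same ambiguity. Any value other than `yes` or `auto` appears to be treated silently as `no` by the later test, which deserves a line in the help string or an explicit error.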
@@ -222,6 +228,18 @@  PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
 PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], ,
 	AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!]))
 
+# Check file for seccomp
+if test "x$with_file_seccomp" = "xauto"; then
+	file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"
+	AX_COMPARE_VERSION([$file_version], [ge], [5.38], [with_file_seccomp=yes])
+fi
+if test "x$with_file_seccomp" = "xyes"; then
+	FILECMD="file -S"
+else
+	FILECMD="file"
+fi
+AC_SUBST(FILECMD)
+
 # Check for OpenSSL
 have_openssl=no
 have_nettle=no
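Review bot: The `auto` branch decides on `-S` from whichever `file` is on PATH on the machine running configure, while the resulting `FILECMD` is substituted into makepkg and used wherever the package is later installed. If the runtime `file` is older than 5.38 and built without seccomp, `file -S` would presumably be rejected as an unknown option; that is inferred from the commit message rather than visible in this hunk. I would add a comment above the check, e.g. `# NOTE: detected at build time; the installed file(1) must accept -S (>= 5.38, or built with seccomp)`. I would also emit an `AC_MSG_WARN` when `file_version` comes back empty, so that a missing `file` does not silently select the plain `file` command.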
@@ -559,6 +577,7 @@  ${PACKAGE_NAME}:
     Host Type              : ${CHOST}
     File inode command     : ${INODECMD}
     In-place sed command   : ${SEDPATH} ${SEDINPLACEFLAGS}
+    File seccomp command   : ${FILECMD}
 
     libalpm version        : ${LIB_VERSION}
     libalpm version info   : ${LIB_VERSION_INFO}
diff --git a/meson.build b/meson.build
index e79ecb6c..f3b5d6da 100644
--- a/meson.build
+++ b/meson.build
@@ -224,12 +224,20 @@  config_h = configure_file(
         configuration : conf)
 add_project_arguments('-include', 'config.h', language : 'c')
 
+filecmd = 'file'
 default_sedinplaceflags = ' --follow-symlinks -i'
 inodecmd = 'stat -c \'%i %n\''
 strip_binaries = '--strip-all'
 strip_shared = '--strip-unneeded'
 strip_static = '--strip-debug'
 
+file_seccomp = get_option('file-seccomp')
+# meson-git has find_program('file', required: false, version: '>=5.38')
+filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout()
+if file_seccomp.enabled() or ( file_seccomp.auto() and filever.version_compare('>= 5.38') )
+  filecmd = 'file -S'
+endif
+
 os = host_machine.system()
 if os.startswith('darwin')
   inodecmd = '/usr/bin/stat -f \'%i %n\''
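Review bot: `filever` is taken from `run_command(...).stdout()` without `.strip()` and without looking at the return code, so it may carry a trailing newline, or be empty when `file` is missing, by the time it reaches `version_compare`. I would write `.stdout().strip()` and only run the command when `file_seccomp.auto()` is true. The sed script also mixes `\(` with `\\1` inside one meson string; escaping every backslash the same way (`\\(.*\\)` and `\\1`) avoids depending on how unknown escapes are passed through. As with the configure.ac check, the result reflects the build machine's `file`, not necessarily the one makepkg will run, which is worth a one-line comment next to `filecmd = 'file -S'`.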
@@ -272,6 +280,7 @@  substs.set('BUILDSCRIPT', BUILDSCRIPT)
 substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir'))
 substs.set('DEBUGSUFFIX', get_option('debug-suffix'))
 substs.set('INODECMD', inodecmd)
+substs.set('FILECMD', filecmd)
 substs.set('SEDINPLACEFLAGS', sedinplaceflags)
 substs.set('SEDPATH', SED.path())
 substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR)
@@ -428,6 +437,7 @@  message('\n    '.join([
   '   Host Type               : @0@'.format(chost),
   '   File inode command      : @0@'.format(inodecmd),
   '   In-place sed command    : @0@ @1@'.format(SED.path(), sedinplaceflags),
+  '   File seccomp command    : @0@'.format(filecmd),
   '   libalpm version         : @0@'.format(libalpm_version),
   '   pacman version          : @0@'.format(PACKAGE_VERSION),
   '',
diff --git a/meson_options.txt b/meson_options.txt
index 2d640e87..2b92ca1a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -52,5 +52,8 @@  option('i18n', type : 'boolean', value : true,
        description : 'enable localization of pacman, libalpm and scripts')
 
 # tools
+option('file-seccomp', type: 'feature', value: 'auto',
+	   description: 'determine whether file is seccomp-enabled')
+
 option('sedinplaceflags', type : 'string', value : 'auto',
        description : 'flags to pass to sed to edit a file in-place')
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 0597a0e5..1008fed3 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -180,6 +180,7 @@  edit = sed \
 	-e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \
 	-e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \
 	-e "s|@INODECMD[@]|$(INODECMD)|g" \
+	-e "s|@FILECMD[@]|$(FILECMD)|g" \
 	-e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \
 	-e 's|@SEDPATH[@]|$(SEDPATH)|g' \
 	-e 's|@SCRIPTNAME[@]|$@|g' \
diff --git a/scripts/libmakepkg/source/file.sh.in b/scripts/libmakepkg/source/file.sh.in
index 8492ba11..f6d79f9e 100644
--- a/scripts/libmakepkg/source/file.sh.in
+++ b/scripts/libmakepkg/source/file.sh.in
@@ -96,7 +96,7 @@  extract_file() {
 	fi
 
 	# do not rely on extension for file type
-	local file_type=$(file -bizL -- "$file")
+	local file_type=$(@FILECMD@ -bizL -- "$file")
 	local ext=${file##*.}
 	local cmd=''
 	case "$file_type" in
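Review bot: With `@FILECMD@` able to expand to `file -S`, the `-z` content sniffing in extract_file runs libmagic without its seccomp sandbox on the downloaded source, and the hunk leaves no comment saying why. The review thread justifies this by earlier signature/checksum verification, but that does not cover entries whose checksum is `SKIP` or builds run with integrity checks turned off, so the assumption should be written next to the call. Suggested comment: `# @FILECMD@ may carry -S: file's seccomp sandbox breaks -z detection of some compression types (FS#58626); sources are expected to have passed integrity checks before this point`. `local file_type=$(...)` also hides the exit status of file, so a `file` that rejects `-S` would yield an empty type without any message. extract_file starts and ends outside this hunk.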