Date: Thursday, January 23, 2020 @ 19:19:10 Author: anthraxx Revision: 373851
upgpkg: file 5.38-2: fix TCGETS call libseccomp sandbox - sandbox blocks required TCGETS on console with glibc
Added: file/trunk/file-5.38-seccomp-tcgets.patch
Modified: file/trunk/PKGBUILD
--------------------------------+
 PKGBUILD | 8 +++++---
 file-5.38-seccomp-tcgets.patch | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-01-23 19:17:19 UTC (rev 373850)
+++ PKGBUILD 2020-01-23 19:19:10 UTC (rev 373851)
@@ -4,7 +4,7 @@
 pkgname=file
 pkgver=5.38
-pkgrel=1
+pkgrel=2
 pkgdesc='File type identification utility'
 arch=('x86_64')
 license=('custom')
@@ -12,10 +12,12 @@
 url='https://www.darwinsys.com/file/'
 depends=('glibc' 'zlib' 'xz' 'bzip2' 'libseccomp' 'libseccomp.so')
 provides=('libmagic.so')
-source=("ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz"{,.asc})
+source=("ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz"{,.asc}
+ file-5.38-seccomp-tcgets.patch)
 validpgpkeys=('BE04995BA8F90ED0C0C176C471112AB16CB33B3A') # Christos Zoulas
 sha256sums=('593c2ffc2ab349c5aea0f55fedfe4d681737b6b62376a9b3ad1e77b2cc19fa34'
- 'SKIP')
+ 'SKIP'
+ 'da6197e89ca53bd4f0d9009fa3a18c6fdb66dc07eb92e6bd77207eadb4548cfe')
 prepare() {
 cd $pkgname-$pkgver
Added: file-5.38-seccomp-tcgets.patch
===================================================================
--- file-5.38-seccomp-tcgets.patch (rev 0)
+++ file-5.38-seccomp-tcgets.patch 2020-01-23 19:19:10 UTC (rev 373851)
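Review bot: Nothing in the PKGBUILD hunks applies `file-5.38-seccomp-tcgets.patch`: the `@@ -12,10 +12,12 @@` hunk only adds it to `source` and `sha256sums`, and the diffstat's 8 changed lines are fully accounted for by the two hunks, so `prepare()` is not touched by this commit. `prepare()` begins in the trailing context and continues outside the hunk, so whether the sandbox fix reaches the built binary depends on code not shown here; confirm it already runs something like `patch -Np1 -i ../file-5.38-seccomp-tcgets.patch`. A comment above the new source entry, e.g. `# upstream 78573ec: allow ioctl TCGETS in seccomp sandbox`, would record where the patch comes from and when it can be dropped.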
@@ -0,0 +1,28 @@
+From 78573ec1c43346064661169c5c8df32e7c3bd6d6 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <chris...@zoulas.com>
+Date: Fri, 17 Jan 2020 17:12:58 +0000
+Subject: [PATCH] PR/130: tobias: adjust seccomp for ioctl on hardwired
+ terminal
+
+---
+ src/seccomp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index ebf3ea1cb..0ba17233b 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -186,8 +186,12 @@ enable_sandbox_full(void)
+ ALLOW_IOCTL_RULE(FIONREAD);
+ #endif
+ #ifdef TIOCGWINSZ
+- // musl libc may call ioctl TIOCGWINSZ when calling stdout
++ // musl libc may call ioctl TIOCGWINSZ on stdout
+ ALLOW_IOCTL_RULE(TIOCGWINSZ);
++#endif
++#ifdef TCGETS
++ // glibc may call ioctl TCGETS on stdout on physical terminal
++ ALLOW_IOCTL_RULE(TCGETS);
+ #endif
+ ALLOW_RULE(lseek);
+ ALLOW_RULE(_llseek);
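Review bot: The new comment says TCGETS is issued "on stdout", but `ALLOW_IOCTL_RULE(TCGETS)` is given only the request constant, so as far as this hunk shows the rule is keyed on the ioctl request and not on the descriptor; the macro is defined outside the hunk, so that should be confirmed there. If it is, the comment should state the real scope of the allowlist entry, e.g. `// glibc may call ioctl TCGETS on stdout on a physical terminal; rule matches the request on any fd (read-only termios query)`. The `#ifdef TCGETS` guard also means the rule is silently omitted wherever the headers do not define the constant, which is worth a word in the same comment. `enable_sandbox_full()` starts and ends outside the hunk.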