On Thu, Sep 21, 2023 at 12:25:21PM +0100, Richard W.M. Jones wrote:
> On Wed, Sep 20, 2023 at 11:42:55PM +0200, Olaf Hering wrote:
> > Recently a commit was added to call 'file -zSb' instead of 'file -zb'.
> >
> > This causes a regression on Leap 15 (but not on Tumbleweed), because
> > file 5.32 does not understand the -S option.
> >
> > How can this be fixed properly, to handle both cases either at runtime
> > or at buildtime?
>
> The background to this was:
>
> https://github.com/libguestfs/libguestfs/issues/100
>
> It took a while to work out what was going on in the original bug
> report, but it turned out that Arch (IIRC) enabled the seccomp feature
> in the 'file' command. This filters what system calls 'file' is
> allowed to make, which strengthens security as 'file' is often run on
> untrusted inputs.
>
> Unfortunately the seccomp rules for 'file' don't cope with running
> external programs (ie. 'file -z' which runs zcat). We filed a bug to
> try to get that fixed:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2148753
> https://bugs.astron.com/view.php?id=406
>
> but the fix to seccomp policy was rejected recently in both Fedora &
> upstream.

Their rationale in that bug makes no sense.

Not allowing 'clone+execve' etc is correct when '-z' is NOT specified
by the user. No argument there.

If '-z' is specified then adding clone+execve etc is the only way it
can work. They should apply a different seccomp filter for '-z' only
which includes clone+execve, etc.

Telling people to turn off seccomp entirely in order to use '-z' is
even worse for security than just allowing clone+execve.

With regards,
Daniel
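
One way to handle both cases from the thread at runtime, as an added example that is not part of the original messages and is not libguestfs code. It probes whether the installed `file` accepts `-S` and only drops the sandbox when decompression (`-z`) is actually requested; `FILE_CMD`, `file_supports_S`, `file_flags` and `detect_type` are hypothetical names, and the probe assumes an unknown option makes `file` exit non-zero.

```shell
#!/bin/sh
# Added example: pick the flags for `file` at runtime.
# FILE_CMD is an assumption of this sketch; it lets the probe be pointed
# at a specific `file` binary (or a stand-in) instead of the one in PATH.
FILE_CMD=${FILE_CMD:-file}

# Return 0 if "$FILE_CMD" accepts -S (run without the seccomp sandbox).
# The thread reports that file 5.32 does not understand -S; such a build
# is assumed to reject the option with a non-zero exit status.
file_supports_S() {
    "$FILE_CMD" -S -b /dev/null >/dev/null 2>&1
}

# Print the option string for one invocation.
#   $1 = "decompress": look inside compressed data (-z). This is the only
#        mode that spawns a helper, so it is the only one that adds -S,
#        and only when the installed `file` knows the option.
#   anything else: plain -b, the sandbox (if compiled in) stays active.
file_flags() {
    case $1 in
        decompress)
            if file_supports_S; then
                printf '%s\n' '-zSb'
            else
                printf '%s\n' '-zb'
            fi
            ;;
        *)
            printf '%s\n' '-b'
            ;;
    esac
}

# Identify the file "$2" using mode "$1" (see file_flags).
detect_type() {
    "$FILE_CMD" "$(file_flags "$1")" -- "$2"
}
```

Because `-S` disables the filter for the whole run, the caller should request `decompress` only for inputs where looking inside compressed data is actually needed.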