Support seccomp sandboxing to reduce the attack surface and enable it by
default. Important for usecases with files from untrusted sources.
Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
rules/file.in | 14 +++++++++++++-
rules/file.make | 2 +-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/rules/file.in b/rules/file.in
index a4e0a7125..3f44cc380 100644
--- a/rules/file.in
+++ b/rules/file.in
@@ -1,10 +1,11 @@
## SECTION=shell_and_console
-config FILE
+menuconfig FILE
tristate
select HOST_FILE
select ZLIB
select GCCLIBS_GCC_S
+ select LIBSECCOMP if FILE_SECCOMP
prompt "file"
help
The file command is "a file type guesser", that is, a command-line
tool
@@ -15,3 +16,14 @@ config FILE
reliable, but requires a bit of I/O.
http://www.darwinsys.com/file/
+
+if FILE
+
+config FILE_SECCOMP
+ bool
+ default y
+ prompt "enable seccomp sandboxing"
+ help
+ Enables seccomp sandboxing to reduce the attack surface.
+
+endif
diff --git a/rules/file.make b/rules/file.make
index d60a0b045..bfa39ae76 100644
--- a/rules/file.make
+++ b/rules/file.make
@@ -37,7 +37,7 @@ FILE_CONF_OPT := \
--enable-elf \
--enable-elf-core \
--enable-zlib \
- --disable-libseccomp \
+ --$(call ptx/endis, PTXCONF_FILE_SECCOMP)-libseccomp \
--disable-fsect-man5 \
$(GLOBAL_LARGE_FILE_OPTION) \
--disable-warnings
--
2.18.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
