Support seccomp sandboxing to reduce the attack surface, and enable it by default. This is important for use cases that handle files from untrusted sources.
Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 rules/file.in | 14 +++++++++++++-
 rules/file.make | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/rules/file.in b/rules/file.in
index a4e0a7125..3f44cc380 100644
--- a/rules/file.in
+++ b/rules/file.in
@@ -1,10 +1,11 @@
 ## SECTION=shell_and_console
-config FILE
+menuconfig FILE
 tristate
 select HOST_FILE
 select ZLIB
 select GCCLIBS_GCC_S
+ select LIBSECCOMP if FILE_SECCOMP
 prompt "file"
 help
 The file command is "a file type guesser", that is, a command-line tool
@@ -15,3 +16,14 @@ config FILE
 reliable, but requires a bit of I/O.
 http://www.darwinsys.com/file/
+
+if FILE
+
+config FILE_SECCOMP
+ bool
+ default y
+ prompt "enable seccomp sandboxing"
+ help
+ Enables seccomp sandboxing to reduce the attack surface.
+
+endif
diff --git a/rules/file.make b/rules/file.make
index d60a0b045..bfa39ae76 100644
--- a/rules/file.make
+++ b/rules/file.make
@@ -37,7 +37,7 @@ FILE_CONF_OPT := \
 --enable-elf \
 --enable-elf-core \
 --enable-zlib \
- --disable-libseccomp \
+ --$(call ptx/endis, PTXCONF_FILE_SECCOMP)-libseccomp \
 --disable-fsect-man5 \
 $(GLOBAL_LARGE_FILE_OPTION) \
 --disable-warnings
--
2.18.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
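Review bot: The help text of the new `FILE_SECCOMP` option in rules/file.in does not say what the sandbox needs at run time, and because the option is `default y`, existing configurations pick it up on their next update. Seccomp filtering depends on kernel support on the target (`CONFIG_SECCOMP_FILTER`), which this package entry cannot select. I would extend the help with something like `Requires seccomp filter support in the target kernel. The sandbox can be switched off per call with file's --no-sandbox option.` Whether file refuses to run or only degrades on a kernel without that support is not visible in this patch, so it is worth testing on a target before relying on the default.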
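Review bot: With `--$(call ptx/endis, PTXCONF_FILE_SECCOMP)-libseccomp` in `FILE_CONF_OPT`, the sandbox still depends on configure actually finding libseccomp in the sysroot. If this version's configure only probes for the library and carries on without it, an enabled `FILE_SECCOMP` could produce an unsandboxed binary without any build error. That fallback is an assumption about the upstream configure script and is not shown in the hunk, so it is worth checking the configure output or the generated `config.h` for the seccomp define after a build. The `FILE_CONF_OPT` assignment starts and ends outside the hunk.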