Support file with seccomp enabled

Not all compression types can be detected in the seccomp sandbox, so we need to disable it. This requires either configuring makepkg to know the sandbox is available, or checking for file >= 5.38 in which the sandbox option is a no-op even when seccomp is disabled. - Requires autoconf-archive for autotools version compare macro. - meson version comparison could be made a lot simpler using meson-git. Fixes FS#58626 Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
author: Eli Schwartz <eschwartz@archlinux.org> 2019-08-11 23:46:25 -0400
committer: Allan McRae <allan@archlinux.org> 2019-10-07 13:43:37 +1000
commit: de6249ce221aae4062ea131d4f676f7e3d44af28 (patch)
tree: 42c10fed40bc0fe591c8e38fb136afd433e00bf5
parent: 2a792ac7bb1ceda42767c696e2664819b47ffc3b (diff)
7 files changed, 36 insertions, 1 deletions
diff --git a/RELEASE b/RELEASE
index c9949253..7a9184b4 100644
--- a/RELEASE
+++ b/RELEASE
@@ -11,6 +11,7 @@ The following checklist should be used for making a pacman release.
 - Update doc/index.asciidoc
 - Create a signed git tag (git tag -s vX.Y.Z -m "commit message")
 - Create and sign release tarballs (generate with "make distcheck")
+  - In addition to the standard autotools toolchain, autoconf-archive is needed
 - Update pacman website
 
 Transifex updates are handled using the transifex client. The basic process is:
diff --git a/build-aux/edit-script.sh.in b/build-aux/edit-script.sh.in
index d5495057..640d32f8 100644
--- a/build-aux/edit-script.sh.in
+++ b/build-aux/edit-script.sh.in
@@ -19,6 +19,7 @@ mode=$3
   -e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \
   -e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \
   -e "s|@INODECMD[@]|@INODECMD@|g" \
+  -e "s|@FILECMD[@]|@FILECMD@|g" \
   -e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \
   -e "s|@SEDPATH[@]|@SEDPATH@|g" \
   -e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \
diff --git a/configure.ac b/configure.ac
index cb2fb2bf..0f3dd3ea 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,12 @@ AC_ARG_WITH(ldconfig,
 		[set the full path to ldconfig]),
 	[LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig])
 
+# Help line for determining whether file is seccomp-enabled
+AC_ARG_WITH(file-seccomp,
+	AS_HELP_STRING([--with-file-seccomp={yes|no|auto}],
+		[determine whether file is seccomp-enabled @<:@default=auto@:>@]),
+	[with_file_seccomp=$withval], [with_file_seccomp=auto])
+
 # Help line for selecting a crypto library
 AC_ARG_WITH(crypto,
 	AS_HELP_STRING([--with-crypto={openssl|nettle}],
@@ -222,6 +228,18 @@ PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
 PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], ,
 	AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!]))
 
+# Check file for seccomp
+if test "x$with_file_seccomp" = "xauto"; then
+	file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"
+	AX_COMPARE_VERSION([$file_version], [ge], [5.38], [with_file_seccomp=yes])
+fi
+if test "x$with_file_seccomp" = "xyes"; then
+	FILECMD="file -S"
+else
+	FILECMD="file"
+fi
+AC_SUBST(FILECMD)
+
 # Check for OpenSSL
 have_openssl=no
 have_nettle=no
@@ -559,6 +577,7 @@ ${PACKAGE_NAME}:
     Host Type              : ${CHOST}
     File inode command     : ${INODECMD}
     In-place sed command   : ${SEDPATH} ${SEDINPLACEFLAGS}
+    File seccomp command   : ${FILECMD}
 
     libalpm version        : ${LIB_VERSION}
     libalpm version info   : ${LIB_VERSION_INFO}
diff --git a/meson.build b/meson.build
index 453e2282..7be2425c 100644
--- a/meson.build
+++ b/meson.build
@@ -220,12 +220,20 @@ config_h = configure_file(
         configuration : conf)
 add_project_arguments('-include', 'config.h', language : 'c')
 
+filecmd = 'file'
 default_sedinplaceflags = ' --follow-symlinks -i'
 inodecmd = 'stat -c \'%i %n\''
 strip_binaries = '--strip-all'
 strip_shared = '--strip-unneeded'
 strip_static = '--strip-debug'
 
+file_seccomp = get_option('file-seccomp')
+# meson-git has find_program('file', required: false, version: '>=5.38')
+filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout()
+if file_seccomp.enabled() or ( file_seccomp.auto() and filever.version_compare('>= 5.38') )
+  filecmd = 'file -S'
+endif
+
 os = host_machine.system()
 if os.startswith('darwin')
   inodecmd = '/usr/bin/stat -f \'%i %n\''
@@ -268,6 +276,7 @@ substs.set('BUILDSCRIPT', BUILDSCRIPT)
 substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir'))
 substs.set('DEBUGSUFFIX', get_option('debug-suffix'))
 substs.set('INODECMD', inodecmd)
+substs.set('FILECMD', filecmd)
 substs.set('SEDINPLACEFLAGS', sedinplaceflags)
 substs.set('SEDPATH', SED.path())
 substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR)
@@ -424,6 +433,7 @@ message('\n    '.join([
   '   Host Type               : @0@'.format(chost),
   '   File inode command      : @0@'.format(inodecmd),
   '   In-place sed command    : @0@ @1@'.format(SED.path(), sedinplaceflags),
+  '   File seccomp command    : @0@'.format(filecmd),
   '   libalpm version         : @0@'.format(libalpm_version),
   '   pacman version          : @0@'.format(PACKAGE_VERSION),
   '',
diff --git a/meson_options.txt b/meson_options.txt
index 2d640e87..2b92ca1a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -52,5 +52,8 @@ option('i18n', type : 'boolean', value : true,
        description : 'enable localization of pacman, libalpm and scripts')
 
 # tools
+option('file-seccomp', type: 'feature', value: 'auto',
+	   description: 'determine whether file is seccomp-enabled')
+
 option('sedinplaceflags', type : 'string', value : 'auto',
        description : 'flags to pass to sed to edit a file in-place')
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ea72f21e..7b6cd00c 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -182,6 +182,7 @@ edit = sed \
 	-e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \
 	-e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \
 	-e "s|@INODECMD[@]|$(INODECMD)|g" \
+	-e "s|@FILECMD[@]|$(FILECMD)|g" \
 	-e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \
 	-e 's|@SEDPATH[@]|$(SEDPATH)|g' \
 	-e 's|@SCRIPTNAME[@]|$@|g' \
diff --git a/scripts/libmakepkg/source/file.sh.in b/scripts/libmakepkg/source/file.sh.in
index 8492ba11..f6d79f9e 100644
--- a/scripts/libmakepkg/source/file.sh.in
+++ b/scripts/libmakepkg/source/file.sh.in
@@ -96,7 +96,7 @@ extract_file() {
 	fi
 
 	# do not rely on extension for file type
-	local file_type=$(file -bizL -- "$file")
+	local file_type=$(@FILECMD@ -bizL -- "$file")
 	local ext=${file##*.}
 	local cmd=''
 	case "$file_type" in
author	Eli Schwartz <eschwartz@archlinux.org>	2019-08-11 23:46:25 -0400
committer	Allan McRae <allan@archlinux.org>	2019-10-07 13:43:37 +1000
commit	de6249ce221aae4062ea131d4f676f7e3d44af28 (patch)
tree	42c10fed40bc0fe591c8e38fb136afd433e00bf5
parent	2a792ac7bb1ceda42767c696e2664819b47ffc3b (diff)