
Cherry-pick two commits that fine-tune seccomp handling

Christoph Biedl 1 year ago
75c4c7a7a8

+ 47 - 0
debian/patches/cherry-pick.FILE5_37-29-gfa46ca9d.allow-only-the-ioctls-we-use-shankara-pailoor.patch

@@ -0,0 +1,47 @@
+Subject: Allow only the ioctls we use (Shankara Pailoor)
+Origin: FILE5_37-29-gfa46ca9d <https://github.com/file/file/commit/FILE5_37-29-gfa46ca9d>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Jun 21 16:44:23 2019 +0000
+
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -33,6 +33,7 @@
+ #if HAVE_LIBSECCOMP
+ #include <seccomp.h> /* libseccomp */
+ #include <sys/prctl.h> /* prctl */
++#include <sys/ioctl.h>
+ #include <sys/socket.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+@@ -49,8 +50,14 @@
+ 	    goto out; \
+     while (/*CONSTCOND*/0)
+ 
+-static scmp_filter_ctx ctx;
++#define ALLOW_IOCTL_RULE(param) \
++    do \
++	if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(ioctl), 1, \
++	    SCMP_CMP(1, SCMP_CMP_EQ, param)) == -1) \
++		goto out; \
++    while (/*CONSTCOND*/0)
+ 
++static scmp_filter_ctx ctx;
+ 
+ int
+ enable_sandbox_basic(void)
+@@ -171,7 +178,14 @@
+ #ifdef __NR_getdents64
+ 	ALLOW_RULE(getdents64);
+ #endif
+-	ALLOW_RULE(ioctl);
++#ifdef FIONREAD
++	// called in src/compress.c under sread
++	ALLOW_IOCTL_RULE(FIONREAD);
++#endif
++#ifdef TIOCGWINSZ
++	// musl libc may call ioctl TIOCGWINSZ when calling stdout
++	ALLOW_IOCTL_RULE(TIOCGWINSZ);
++#endif
+ 	ALLOW_RULE(lseek);
+  	ALLOW_RULE(_llseek);
+ 	ALLOW_RULE(lstat);
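Review bot: The new ALLOW_IOCTL_RULE macro treats only a return value of -1 from seccomp_rule_add() as failure, but libseccomp reports errors as negative errno values (-EINVAL, -EDOM, -ENOMEM, ...), so a failed rule addition would go unreported and the filter would be loaded without that allow entry; `SCMP_CMP(1, SCMP_CMP_EQ, param)) < 0) \` is the safer comparison. This presumably mirrors the existing ALLOW_RULE, whose condition line sits just above this hunk (only its `goto out;` is visible), so that macro likely deserves the same check. The comment on the TIOCGWINSZ rule is hard to follow as written; something like `// musl's stdio may issue TIOCGWINSZ on stdout to detect a terminal` states the reason more directly. The function holding the new ALLOW_IOCTL_RULE calls starts and ends outside the hunk.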

+ 15 - 0
debian/patches/cherry-pick.FILE5_37-40-g3c6390a4.add-umask-2-from-shankara-pailoor.patch

@@ -0,0 +1,15 @@
+Subject: Add umask(2) (from Shankara Pailoor)
+Origin: FILE5_37-40-g3c6390a4 <https://github.com/file/file/commit/FILE5_37-40-g3c6390a4>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Jul 3 15:33:20 2019 +0000
+
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -211,6 +211,7 @@
+ 	ALLOW_RULE(stat);
+ 	ALLOW_RULE(stat64);
+ 	ALLOW_RULE(sysinfo);
++	ALLOW_RULE(umask);	// Used in file_pipe2file()
+ 	ALLOW_RULE(unlink);
+ 	ALLOW_RULE(write);
+ 

+ 1 - 1
debian/patches/cherry-pick.FILE5_37-55-gb259a07e.add-lzma-and-bzip-built-in-decompression-support.patch

@@ -213,7 +213,7 @@ Date: Thu Jul 18 20:32:06 2019 +0000
  
 --- a/src/seccomp.c
 +++ b/src/seccomp.c
-@@ -167,6 +167,9 @@
+@@ -174,6 +174,9 @@
   	ALLOW_RULE(fcntl64);
  	ALLOW_RULE(fstat);
   	ALLOW_RULE(fstat64);

+ 2 - 0
debian/patches/series

@@ -1,4 +1,6 @@
 # cherry-picked commits. Keep in upstream's chronological order
+cherry-pick.FILE5_37-29-gfa46ca9d.allow-only-the-ioctls-we-use-shankara-pailoor.patch
+cherry-pick.FILE5_37-40-g3c6390a4.add-umask-2-from-shankara-pailoor.patch
 cherry-pick.FILE5_37-46-g103c6ec2.dont-print-the-string-entry-unless-the-zip-entry-matched-christoph-biedl.patch
 cherry-pick.FILE5_37-47-g62de35af.disable-gem-gdos-fonts-for-now-needs-to-be-stronger.patch
 cherry-pick.FILE5_37-50-g2a1bb655.always-support-the-no-sandbox-option.patch