Support file with seccomp enabled

Not all compression types can be detected when file runs inside its seccomp
sandbox, so we need to disable the sandbox. This requires either configuring
makepkg to know the sandbox is available, or checking for file >= 5.38, where
the sandbox-disabling option is accepted as a no-op even when file was built
without seccomp support.

- Requires autoconf-archive for autotools version compare macro.
- meson version comparison could be made a lot simpler using meson-git.

Fixes FS#58626

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Eli Schwartz 2019-08-11 23:46:25 -04:00 committed by Allan McRae
parent 2a792ac7bb
commit de6249ce22
7 changed files with 36 additions and 1 deletions


@ -11,6 +11,7 @@ The following checklist should be used for making a pacman release.
- Update doc/index.asciidoc - Update doc/index.asciidoc
- Create a signed git tag (git tag -s vX.Y.Z -m "commit message") - Create a signed git tag (git tag -s vX.Y.Z -m "commit message")
- Create and sign release tarballs (generate with "make distcheck") - Create and sign release tarballs (generate with "make distcheck")
- In addition to the standard autotools toolchain, autoconf-archive is needed
- Update pacman website - Update pacman website
Transifex updates are handled using the transifex client. The basic process is: Transifex updates are handled using the transifex client. The basic process is:


@ -19,6 +19,7 @@ mode=$3
-e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \ -e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \
-e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \ -e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \
-e "s|@INODECMD[@]|@INODECMD@|g" \ -e "s|@INODECMD[@]|@INODECMD@|g" \
-e "s|@FILECMD[@]|@FILECMD@|g" \
-e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \ -e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \
-e "s|@SEDPATH[@]|@SEDPATH@|g" \ -e "s|@SEDPATH[@]|@SEDPATH@|g" \
-e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \ -e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \


@ -120,6 +120,12 @@ AC_ARG_WITH(ldconfig,
[set the full path to ldconfig]), [set the full path to ldconfig]),
[LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig]) [LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig])
# Help line for determining whether file is seccomp-enabled
AC_ARG_WITH(file-seccomp,
AS_HELP_STRING([--with-file-seccomp={yes|no|auto}],
[determine whether file is seccomp-enabled @<:@default=auto@:>@]),
[with_file_seccomp=$withval], [with_file_seccomp=auto])
# Help line for selecting a crypto library # Help line for selecting a crypto library
AC_ARG_WITH(crypto, AC_ARG_WITH(crypto,
AS_HELP_STRING([--with-crypto={openssl|nettle}], AS_HELP_STRING([--with-crypto={openssl|nettle}],
@ -222,6 +228,18 @@ PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], , PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], ,
AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!])) AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!]))
# Check file for seccomp
if test "x$with_file_seccomp" = "xauto"; then
file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"
AX_COMPARE_VERSION([$file_version], [ge], [5.38], [with_file_seccomp=yes])
fi
if test "x$with_file_seccomp" = "xyes"; then
FILECMD="file -S"
else
FILECMD="file"
fi
AC_SUBST(FILECMD)
# Check for OpenSSL # Check for OpenSSL
have_openssl=no have_openssl=no
have_nettle=no have_nettle=no
@ -559,6 +577,7 @@ ${PACKAGE_NAME}:
Host Type : ${CHOST} Host Type : ${CHOST}
File inode command : ${INODECMD} File inode command : ${INODECMD}
In-place sed command : ${SEDPATH} ${SEDINPLACEFLAGS} In-place sed command : ${SEDPATH} ${SEDINPLACEFLAGS}
File seccomp command : ${FILECMD}
libalpm version : ${LIB_VERSION} libalpm version : ${LIB_VERSION}
libalpm version info : ${LIB_VERSION_INFO} libalpm version info : ${LIB_VERSION_INFO}
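Review bot: The probe at `file_version="$(file --version| sed ...)"` inspects the build host's `file`, but the resulting `FILECMD` is baked into the generated makepkg and executed on whatever host installs the package, so a build on a host with file >= 5.38 (or with `--with-file-seccomp=yes`) emits `file -S` even where the runtime file rejects `-S`, and source extraction would then fail outright instead of falling back to plain `file`. When `file` is not on PATH at configure time, `file_version` is empty and `AX_COMPARE_VERSION` appears to leave `with_file_seccomp=auto`, which silently falls through to `FILECMD="file"`; that is a sane default but deserves a warning. Suggest adding `AC_MSG_WARN([file not found; assuming it has no seccomp sandbox])` in the `auto` branch when `$file_version` is empty, and extending the help string to `[determine whether file is seccomp-enabled; the result is baked into makepkg for the install host @<:@default=auto@:>@]` so packagers cross-building know to pass `--with-file-seccomp` explicitly.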


@ -220,12 +220,20 @@ config_h = configure_file(
configuration : conf) configuration : conf)
add_project_arguments('-include', 'config.h', language : 'c') add_project_arguments('-include', 'config.h', language : 'c')
filecmd = 'file'
default_sedinplaceflags = ' --follow-symlinks -i' default_sedinplaceflags = ' --follow-symlinks -i'
inodecmd = 'stat -c \'%i %n\'' inodecmd = 'stat -c \'%i %n\''
strip_binaries = '--strip-all' strip_binaries = '--strip-all'
strip_shared = '--strip-unneeded' strip_shared = '--strip-unneeded'
strip_static = '--strip-debug' strip_static = '--strip-debug'
file_seccomp = get_option('file-seccomp')
# meson-git has find_program('file', required: false, version: '>=5.38')
filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout()
if file_seccomp.enabled() or ( file_seccomp.auto() and filever.version_compare('>= 5.38') )
filecmd = 'file -S'
endif
os = host_machine.system() os = host_machine.system()
if os.startswith('darwin') if os.startswith('darwin')
inodecmd = '/usr/bin/stat -f \'%i %n\'' inodecmd = '/usr/bin/stat -f \'%i %n\''
@ -268,6 +276,7 @@ substs.set('BUILDSCRIPT', BUILDSCRIPT)
substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir')) substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir'))
substs.set('DEBUGSUFFIX', get_option('debug-suffix')) substs.set('DEBUGSUFFIX', get_option('debug-suffix'))
substs.set('INODECMD', inodecmd) substs.set('INODECMD', inodecmd)
substs.set('FILECMD', filecmd)
substs.set('SEDINPLACEFLAGS', sedinplaceflags) substs.set('SEDINPLACEFLAGS', sedinplaceflags)
substs.set('SEDPATH', SED.path()) substs.set('SEDPATH', SED.path())
substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR) substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR)
@ -424,6 +433,7 @@ message('\n '.join([
' Host Type : @0@'.format(chost), ' Host Type : @0@'.format(chost),
' File inode command : @0@'.format(inodecmd), ' File inode command : @0@'.format(inodecmd),
' In-place sed command : @0@ @1@'.format(SED.path(), sedinplaceflags), ' In-place sed command : @0@ @1@'.format(SED.path(), sedinplaceflags),
' File seccomp command : @0@'.format(filecmd),
' libalpm version : @0@'.format(libalpm_version), ' libalpm version : @0@'.format(libalpm_version),
' pacman version : @0@'.format(PACKAGE_VERSION), ' pacman version : @0@'.format(PACKAGE_VERSION),
'', '',
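Review bot: `filever` at the `run_command('sh', '-c', ...)` line is used without `.strip()`, so it carries the trailing newline sed prints, and the call never checks that `file` exists — when it is missing the command fails, `filever` is the empty string, and `version_compare('>= 5.38')` then decides the auto case on that, and it is not obvious from here whether an empty version compares as older or raises. Suggest `filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout().strip()` and guarding the auto branch with `if file_seccomp.enabled() or ( file_seccomp.auto() and filever != '' and filever.version_compare('>= 5.38') )`. As with the autotools path, this probes the build host's `file` while the resulting `filecmd` runs on the install host; a comment at `filecmd = 'file'` saying so would help anyone cross-building, since `-Dfile-seccomp=disabled` is the escape hatch.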


@ -52,5 +52,8 @@ option('i18n', type : 'boolean', value : true,
description : 'enable localization of pacman, libalpm and scripts') description : 'enable localization of pacman, libalpm and scripts')
# tools # tools
option('file-seccomp', type: 'feature', value: 'auto',
description: 'determine whether file is seccomp-enabled')
option('sedinplaceflags', type : 'string', value : 'auto', option('sedinplaceflags', type : 'string', value : 'auto',
description : 'flags to pass to sed to edit a file in-place') description : 'flags to pass to sed to edit a file in-place')


@ -182,6 +182,7 @@ edit = sed \
-e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \ -e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \
-e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \ -e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \
-e "s|@INODECMD[@]|$(INODECMD)|g" \ -e "s|@INODECMD[@]|$(INODECMD)|g" \
-e "s|@FILECMD[@]|$(FILECMD)|g" \
-e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \ -e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \
-e 's|@SEDPATH[@]|$(SEDPATH)|g' \ -e 's|@SEDPATH[@]|$(SEDPATH)|g' \
-e 's|@SCRIPTNAME[@]|$@|g' \ -e 's|@SCRIPTNAME[@]|$@|g' \


@ -96,7 +96,7 @@ extract_file() {
fi fi
# do not rely on extension for file type # do not rely on extension for file type
local file_type=$(file -bizL -- "$file") local file_type=$(@FILECMD@ -bizL -- "$file")
local ext=${file##*.} local ext=${file##*.}
local cmd='' local cmd=''
case "$file_type" in case "$file_type" in
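Review bot: `@FILECMD@ -bizL -- "$file"` may now expand to `file -S`, which turns off file's seccomp sandbox while libmagic parses each downloaded source — attacker-controlled input, and the sandbox was the defence-in-depth against libmagic parsing bugs there — yet the generated script carries no comment explaining why `-S` is present, so the next reader may well "fix" it back or question whether it is safe. Suggest a comment above the line: `# @FILECMD@ may be "file -S": file's seccomp sandbox prevents the decompression that -z needs, so the sandbox is disabled where the installed file accepts the flag (FS#58626)`. extract_file starts and ends outside this hunk.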