Support file with seccomp enabled

Not all compression types can be detected in the seccomp sandbox, so we
need to disable it. This requires either configuring makepkg to know the
sandbox is available, or checking for file >= 5.38 in which the sandbox
option is a no-op even when seccomp is disabled.

- Requires autoconf-archive for autotools version compare macro.
- meson version comparison could be made a lot simpler using meson-git.

Fixes FS#58626

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>

RELEASE

@@ -11,6 +11,7 @@ The following checklist should be used for making a pacman release.
 - Update doc/index.asciidoc
 - Create a signed git tag (git tag -s vX.Y.Z -m "commit message")
 - Create and sign release tarballs (generate with "make distcheck")
+  - In addition to the standard autotools toolchain, autoconf-archive is needed
 - Update pacman website
 
 Transifex updates are handled using the transifex client. The basic process is:

build-aux/edit-script.sh.in

@@ -19,6 +19,7 @@ mode=$3
   -e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \
   -e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \
   -e "s|@INODECMD[@]|@INODECMD@|g" \
+  -e "s|@FILECMD[@]|@FILECMD@|g" \
   -e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \
   -e "s|@SEDPATH[@]|@SEDPATH@|g" \
   -e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \

configure.ac

@@ -120,6 +120,12 @@ AC_ARG_WITH(ldconfig,
 		[set the full path to ldconfig]),
 	[LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig])
 
+# Help line for determining whether file is seccomp-enabled
+AC_ARG_WITH(file-seccomp,
+	AS_HELP_STRING([--with-file-seccomp={yes|no|auto}],
+		[determine whether file is seccomp-enabled @<:@default=auto@:>@]),
+	[with_file_seccomp=$withval], [with_file_seccomp=auto])
+
 # Help line for selecting a crypto library
 AC_ARG_WITH(crypto,
 	AS_HELP_STRING([--with-crypto={openssl|nettle}],
@@ -222,6 +228,18 @@ PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
 PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], ,
 	AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!]))
 
+# Check file for seccomp
+if test "x$with_file_seccomp" = "xauto"; then
+	file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"
+	AX_COMPARE_VERSION([$file_version], [ge], [5.38], [with_file_seccomp=yes])
+fi
+if test "x$with_file_seccomp" = "xyes"; then
+	FILECMD="file -S"
+else
+	FILECMD="file"
+fi
+AC_SUBST(FILECMD)
+
 # Check for OpenSSL
 have_openssl=no
 have_nettle=no
@@ -559,6 +577,7 @@ ${PACKAGE_NAME}:
     Host Type              : ${CHOST}
     File inode command     : ${INODECMD}
     In-place sed command   : ${SEDPATH} ${SEDINPLACEFLAGS}
+    File seccomp command   : ${FILECMD}
 
     libalpm version        : ${LIB_VERSION}
     libalpm version info   : ${LIB_VERSION_INFO}

meson.build

@@ -220,12 +220,20 @@ config_h = configure_file(
         configuration : conf)
 add_project_arguments('-include', 'config.h', language : 'c')
 
+filecmd = 'file'
 default_sedinplaceflags = ' --follow-symlinks -i'
 inodecmd = 'stat -c \'%i %n\''
 strip_binaries = '--strip-all'
 strip_shared = '--strip-unneeded'
 strip_static = '--strip-debug'
 
+file_seccomp = get_option('file-seccomp')
+# meson-git has find_program('file', required: false, version: '>=5.38')
+filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout()
+if file_seccomp.enabled() or ( file_seccomp.auto() and filever.version_compare('>= 5.38') )
+  filecmd = 'file -S'
+endif
+
 os = host_machine.system()
 if os.startswith('darwin')
   inodecmd = '/usr/bin/stat -f \'%i %n\''
@@ -268,6 +276,7 @@ substs.set('BUILDSCRIPT', BUILDSCRIPT)
 substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir'))
 substs.set('DEBUGSUFFIX', get_option('debug-suffix'))
 substs.set('INODECMD', inodecmd)
+substs.set('FILECMD', filecmd)
 substs.set('SEDINPLACEFLAGS', sedinplaceflags)
 substs.set('SEDPATH', SED.path())
 substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR)
@@ -424,6 +433,7 @@ message('\n    '.join([
   '   Host Type               : @0@'.format(chost),
   '   File inode command      : @0@'.format(inodecmd),
   '   In-place sed command    : @0@ @1@'.format(SED.path(), sedinplaceflags),
+  '   File seccomp command    : @0@'.format(filecmd),
   '   libalpm version         : @0@'.format(libalpm_version),
   '   pacman version          : @0@'.format(PACKAGE_VERSION),
   '',

meson_options.txt

@@ -52,5 +52,8 @@ option('i18n', type : 'boolean', value : true,
        description : 'enable localization of pacman, libalpm and scripts')
 
 # tools
+option('file-seccomp', type: 'feature', value: 'auto',
+	   description: 'determine whether file is seccomp-enabled')
+
 option('sedinplaceflags', type : 'string', value : 'auto',
        description : 'flags to pass to sed to edit a file in-place')

scripts/Makefile.am

@@ -182,6 +182,7 @@ edit = sed \
 	-e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \
 	-e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \
 	-e "s|@INODECMD[@]|$(INODECMD)|g" \
+	-e "s|@FILECMD[@]|$(FILECMD)|g" \
 	-e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \
 	-e 's|@SEDPATH[@]|$(SEDPATH)|g' \
 	-e 's|@SCRIPTNAME[@]|$@|g' \

scripts/libmakepkg/source/file.sh.in

@@ -96,7 +96,7 @@ extract_file() {
 	fi
 
 	# do not rely on extension for file type
-	local file_type=$(file -bizL -- "$file")
+	local file_type=$(@FILECMD@ -bizL -- "$file")
 	local ext=${file##*.}
 	local cmd=''
 	case "$file_type" in