728992 – sys-apps/portage: Add ebuild-helper to disable file's seccomp sandbox

Bug 728992 - sys-apps/portage: Add ebuild-helper to disable file's seccomp sandbox

Summary: sys-apps/portage: Add ebuild-helper to disable file's seccomp sandbox

Status:	RESOLVED OBSOLETE

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Enhancement/Feature Requests (show other bugs)
Hardware:	All Linux

Importance:	Normal enhancement
Assignee:	Portage team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2020-06-21 11:25 UTC by tka
Modified:	2020-06-24 22:42 UTC (History)
CC List:	2 users (show)

See Also:	728978 728888
Package list:
Runtime testing required:	---

Attachments
bin/ebuild-helpers/file (file,761 bytes, text/plain) 2020-06-21 11:42 UTC, tka	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description tka 2020-06-21 11:25:54 UTC

File's seccomp sandbox does not work under portage's own sandbox. If sys-apps/file was built with USE=seccomp, an invocation from within emerge fails (see bug 728978 as an example). Instead of having to fix all individual packages that call file during build or test, I suggest implementing an ebuild-helper in portage that disables file's seccomp sandbox.

Reproducible: Always

Comment 1 Sam James archtester

2020-06-21 11:32:21 UTC

Or patch sys-apps/file to disable seccomp when the sandbox variables are present.

Comment 2 tka 2020-06-21 11:42:31 UTC

Created attachment 645500 [details]
bin/ebuild-helpers/file

This is a POC created by using bin/ebuild-helpers/bsd/sed as template. Essentially, it adds parameter -S to disable file's sandbox to invocations of file. It was tested by building app-arch/zstd and it lets zstd's test suite pass without error. However, I am not an expert in portage's build environment and didn't do more extensive testing. So, consider this a POC only.

Another point one might add, is code to detect whether portages sandbox is enabled and only add -S if it is.

A quick search shows that support for libseccomp was added to file sometime in 2017. Therefore, I think that all relevant versions of file support the parameter -S. If this is not the case, the helper shuould also detect whether -S is supported.

Comment 3 tka 2020-06-21 11:44:22 UTC

(In reply to Sam James (sec padawan) from comment #1)
> Or patch sys-apps/file to disable seccomp when the sandbox variables are
> present.

Or that. I only want my builds and test to succeed. ;-)

Comment 4 Ionen Wolkens gentoo-dev

2020-06-21 14:32:31 UTC

> Or patch sys-apps/file to disable seccomp when the sandbox variables are
> present.
Wouldn't that allow disabling seccomp through potentially steathly set env vars? As-in, even outside of real sandbox. Plus not sure I like the idea of changing applications to suit portage's needs.

Comment 5 Mike Gilbert gentoo-dev

2020-06-21 14:53:04 UTC

Any idea how many ebuilds would actually be affected by this?

I'm not sure it makes sense to add a helper to Portage if only a small number of ebuilds are affected.

Comment 6 Arfrever Frehtes Taifersar Arahesis 2020-06-23 08:41:22 UTC

Inside Portage:

> bin/misc-functions.sh:                  if [[ -z ${soname} && $(file "${D%/}${obj}") == *"SB shared object"* ]]; then
> bin/install-qa-check.d/10ignored-flags:                 f=$(file "${x}") || continue
> bin/install-qa-check.d/80multilib-strict:                               if file "${file}" | grep -Eq "${MULTILIB_STRICT_DENY}" ; then

Comment 7 Arfrever Frehtes Taifersar Arahesis 2020-06-23 21:01:52 UTC

Are no changes in Portage needed anymore with patch from bug #728978 applied to sys-apps/file?

Comment 8 tka 2020-06-24 22:42:42 UTC

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #7)
> Are no changes in Portage needed anymore with patch from bug #728978 applied
> to sys-apps/file?

Yes, the patch for file seems to be enough. That makes this request obsolete. There is no need to have portage disable the file's sandbox anymore.