When I emerge sys-apps/file with USE="seccomp", I always get an invalid system call error when executing the `file` command as a regular user. The only way to avoid this error is to run the command as root or to emerge sys-apps/file with USE="seccomp lzma".

strace output: https://pastebin.com/ZWJJbY09
emerge --info: https://pastebin.com/EvTDY5ue
Created attachment 687285: emerge --info output
Created attachment 687288: strace output
Note that upstream allows futex() [0] when XZLIBSUPPORT is defined (i.e. lzma support):

> #ifdef XZLIBSUPPORT
>         ALLOW_RULE(futex);
> #endif

We probably need upstream to tell us whether futex is expected in general use, but it's not exactly a controversial syscall. It's easy for us to add it to the general whitelist for now.

[0] https://github.com/file/file/blob/ec05878d72180287d84397819c5e3e127551ce46/src/seccomp.c#L179
Here the command with the -z parameter fails (also as root) with the seccomp USE flag:

"file -L -z ebook.epub"
ebook.epub: Bad system call

Seems to work otherwise.

sys-apps/file-5.39-r3 (bzip2 seccomp zlib -lzma -python -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32" PYTHON_TARGETS="python3_8 -python3_7 -python3_9")

Building with USE="-seccomp" fixes the issue with the -z parameter. The -z is used by default by app-misc/mc.
(In reply to Jaakko Perttilä from comment #4)
> Here the command with the -z parameter fails (also as root) with the seccomp
> use flag: "file -L -z ebook.epub"
> ebook.epub: Bad system call
>
> Seems to work otherwise.
>
> sys-apps/file-5.39-r3 (bzip2 seccomp zlib -lzma -python -static-libs
> ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32"
> PYTHON_TARGETS="python3_8 -python3_7 -python3_9")
>
> Building with USE="-seccomp" fixes the issue with -z parameter. The -z is
> used by default by app-misc/mc.

We'll need strace from you too on that command: strace file -L -z ebook.epub. It is possible we will need a separat
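The two comments above describe the diagnostic loop for a "Bad system call" (SIGSYS) under file's seccomp filter: read the ALLOW_RULE() list in src/seccomp.c, taking the #ifdef guards (such as XZLIBSUPPORT) into account, then compare it with the syscalls that strace shows the process actually making. The script below is an added example, not code from the file project or from this bug; the seccomp.c excerpt and the strace lines are constructed to mirror the situation in the report (futex only allowed when XZLIBSUPPORT is defined), and the function names are my own. It reports which traced syscalls fall outside the compiled-in allow-list for a given set of defined macros.

```python
import re

# Constructed excerpt in the style of file's src/seccomp.c (not the real file).
# Each ALLOW_RULE(name) adds "name" to the whitelist; guarded rules only count
# when the guarding macro is defined at build time.
SECCOMP_SRC = """\
ALLOW_RULE(read);
ALLOW_RULE(write);
ALLOW_RULE(openat);
ALLOW_RULE(close);
ALLOW_RULE(fstat);
ALLOW_RULE(mmap);
ALLOW_RULE(munmap);
ALLOW_RULE(exit_group);
#ifdef XZLIBSUPPORT
        ALLOW_RULE(futex);
#endif
"""

# Constructed strace output (not the pastebin from the report). The trailing
# "+++ killed by SIGSYS +++" is how strace reports the seccomp kill.
STRACE_OUT = """\
openat(AT_FDCWD, "ebook.epub", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1024, ...}) = 0
read(3, "PK\\3\\4"..., 4096) = 1024
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0000000000
futex(0x7f0000001000, FUTEX_WAKE_PRIVATE, 1) = 0
+++ killed by SIGSYS +++
"""

ALLOW_RE = re.compile(r"^\s*ALLOW_RULE\((\w+)\)\s*;")
IFDEF_RE = re.compile(r"^\s*#\s*ifdef\s+(\w+)")
IFNDEF_RE = re.compile(r"^\s*#\s*ifndef\s+(\w+)")
ELSE_RE = re.compile(r"^\s*#\s*else\b")
ENDIF_RE = re.compile(r"^\s*#\s*endif\b")
# strace line: optional "[pid N] " prefix, then the syscall name and "(".
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")


def allowed_syscalls(src, defined):
    """Return the set of syscall names whitelisted by ALLOW_RULE() lines in
    `src`, honouring nested #ifdef/#ifndef/#else/#endif against `defined`."""
    allowed = set()
    # Stack of (parent_active, branch_active) for each open #if block.
    stack = []

    def active():
        return not stack or stack[-1][1]

    for line in src.splitlines():
        m = IFDEF_RE.match(line)
        if m:
            parent = active()
            stack.append((parent, parent and m.group(1) in defined))
            continue
        m = IFNDEF_RE.match(line)
        if m:
            parent = active()
            stack.append((parent, parent and m.group(1) not in defined))
            continue
        if ELSE_RE.match(line):
            parent, branch = stack.pop()
            stack.append((parent, parent and not branch))
            continue
        if ENDIF_RE.match(line):
            stack.pop()
            continue
        m = ALLOW_RE.match(line)
        if m and active():
            allowed.add(m.group(1))
    return allowed


def syscalls_from_strace(text):
    """Return the set of syscall names that appear in strace output."""
    used = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            used.add(m.group(1))
    return used


def blocked_syscalls(src, strace_text, defined):
    """Syscalls the traced run made that the filter built with `defined`
    would not allow, i.e. the candidates for the SIGSYS."""
    return sorted(syscalls_from_strace(strace_text) - allowed_syscalls(src, defined))


if __name__ == "__main__":
    print("USE=lzma   blocked:", blocked_syscalls(SECCOMP_SRC, STRACE_OUT, {"XZLIBSUPPORT"}))
    print("USE=-lzma  blocked:", blocked_syscalls(SECCOMP_SRC, STRACE_OUT, set()))
```

Run against a real `strace -f -o trace.txt file -L -z ebook.epub` capture and the real seccomp.c, the last syscall before "killed by SIGSYS" is the one to look at; the parser only handles the plain #ifdef/#ifndef/#else/#endif nesting that file's seccomp.c uses, not #if expressions.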
Reported upstream. Will apply workaround in Gentoo soon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b30e5f884f0602a68780d2c4d9c3ebe9e418a5c

commit 5b30e5f884f0602a68780d2c4d9c3ebe9e418a5c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-11 16:45:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 16:46:41 +0000

    sys-apps/file: allow futex() syscall unconditionally

    In some cases, the futex() syscall is emitted even if lzma support
    is not compiled in. Allow it unconditionally for now.

    Bug: https://bugs.gentoo.org/771096
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/file/file-5.39-r4.ebuild                  | 147 +++++++++++++++++++++
 .../file/files/file-5.39-allow-futex-seccomp.patch |  18 +++
 2 files changed, 165 insertions(+)
r4 seems to work without a problem for me.
x86 done
amd64 done
sparc done
ppc64 done
ppc done
hppa stable
arm64 done
s390 stable
arm done, all arches done
*** Bug 779940 has been marked as a duplicate of this bug. ***