[Libguestfs] regression: file does not understand the -S option
Daniel P. Berrangé
berrange at redhat.com
Thu Sep 21 11:41:26 UTC 2023
On Thu, Sep 21, 2023 at 12:25:21PM +0100, Richard W.M. Jones wrote:
> On Wed, Sep 20, 2023 at 11:42:55PM +0200, Olaf Hering wrote:
> > Recently a commit was added to call 'file -zSb' instead of 'file -zb'.
> >
> > This causes a regression on Leap 15 (but not on Tumbleweed), because
> > file 5.32 does not understand the -S option.
> >
> > How can this be fixed properly, to handle both cases either at runtime
> > or at buildtime?
>
> The background to this was:
>
> https://github.com/libguestfs/libguestfs/issues/100
>
> It took a while to work out what was going on in the original bug
> report, but it turned out that Arch (IIRC) enabled the seccomp feature
> in the 'file' command. This filters what system calls 'file' is
> allowed to make, which strengthens security as 'file' is often run on
> untrusted inputs.
>
> Unfortunately the seccomp rules for 'file' don't cope with running
> external programs (ie. 'file -z' which runs zcat). We filed a bug to
> try to get that fixed:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2148753
> https://bugs.astron.com/view.php?id=406
>
> but the fix to seccomp policy was rejected recently in both Fedora &
> upstream.

Their rationale in that bug makes no sense.

Not allowing 'clone+execve' etc is correct when '-z' is NOT specified
by the user. No argument there.

If '-z' is specified then adding clone+execve etc is the only way it
can work. They should apply a different seccomp filter for '-z' only
which includes clone+execve, etc. Telling people to turn off seccomp
entirely in order to use '-z' is even worse for security than just
allowing clone+execve.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
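
One way to handle both cases at runtime, as the original question asks. This is an added example, not code from this thread or from libguestfs: it probes whether the installed 'file' accepts '-S' and passes it only when '-z' is actually needed, so the seccomp sandbox stays on for every other call. The function names and the FILE_CMD variable are hypothetical, and the probe assumes a 'file' that does not know '-S' exits non-zero.

```shell
#!/bin/sh
# Added example: pick file(1) options at runtime instead of hard-coding -zSb.
# FILE_CMD is a hypothetical override naming the binary to probe and run.

# supports_no_sandbox CMD
# Returns 0 if CMD accepts -S. Assumption: a file(1) that does not know -S
# rejects it with a non-zero exit status.
supports_no_sandbox() {
    "$1" -S -b /dev/null >/dev/null 2>&1
}

# file_flags CMD NEED_DECOMPRESS
# Prints the option string to use for CMD.
file_flags() {
    cmd=$1
    need_z=$2
    if [ "$need_z" != yes ]; then
        # No helper such as zcat is spawned, so keep the sandbox enabled.
        printf '%s\n' '-b'
    elif supports_no_sandbox "$cmd"; then
        # -z runs an external program; disable the sandbox for this call only.
        printf '%s\n' '-zSb'
    else
        # Older file (5.32 in the report) has no -S; use the earlier invocation.
        printf '%s\n' '-zb'
    fi
}

# identify PATH [yes|no]
# Runs file(1) on PATH; "--" keeps a path that begins with "-" from being
# parsed as an option.
identify() {
    cmd=${FILE_CMD:-file}
    flags=$(file_flags "$cmd" "${2:-no}")
    "$cmd" "$flags" -- "$1"
}
```

Caching the probe result once per process avoids an extra fork for every file inspected.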