[File] Improving seccomp command line options

Christoph Biedl astron.com.bwoj at manchmal.in-ulm.de
Sat Jul 13 16:00:31 UTC 2019


Hello,

the seccomp support, while a desirable feature, has created some
trouble, and I'd like to improve the situation.

At first, seccomp is not supported on all platforms and architectures.
Now programs that call file and want to disable seccomp for some
reason[1] are no longer portable since --no-sandbox triggers an error
when file was built without seccomp support.

Also there is no user-friendly way to tell whether a particular
installation of file uses sandboxing - there's ldd but ... but.

Therefore I'd like to propose two changes:

Make the --no-sandbox option a no-op if seccomp is disabled. Then the
above situation is avoided.

And to give users a chance to check seccomp support, print the status of
call sandbox support in the --version output.

Aside, "descompressing" in the manpage feels like a wrong word, but I'm
not a native speaker.

Regards,

    Christoph

[1] Besides -z (at least for some compression types), also wrapper
    using LD_PRELOAD may be affected, for example Debian's fakeroot.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: seccomp.patch
Type: text/x-diff
Size: 1742 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20190713/50307993/attachment.bin>


More information about the File mailing list