[File] Improving seccomp command line options
Christos Zoulas
christos at zoulas.com
Sat Jul 13 16:27:15 UTC 2019
I agree, and done...
christos
> On Jul 13, 2019, at 12:00 PM, Christoph Biedl <astron.com.bwoj at manchmal.in-ulm.de> wrote:
>
> Hello,
>
> the seccomp support, while a desirable feature, has created some
> trouble, and I'd like to improve the situation.
>
> At first, seccomp is not supported on all platforms and architectures.
> Now programs that call file and want to disable seccomp for some
> reason[1] are no longer portable since --no-sandbox triggers an error
> when file was built without seccomp support.
>
> Also there is no user-friendly way to tell whether a particular
> installation of file uses sandboxing - there's ldd but ... but.
>
> Therefore I'd like to propose two changes:
>
> Make the --no-sandbox option a no-op if seccomp is disabled. Then the
> above situation is avoided.
>
> And to give users a chance to check seccomp support, print the status of
> call sandbox support in the --version output.
>
> Aside, "descompressing" in the manpage feels like a wrong word, but I'm
> not a native speaker.
>
> Regards,
>
> Christoph
>
> [1] Besides -z (at least for some compression types), also wrappers
> using LD_PRELOAD may be affected, for example Debian's fakeroot.
>
> <seccomp.patch>