[File] [PATCH] Fix seccomp rules for executing decompressor on glibc

Michał Górny mgorny at gentoo.org
Thu Sep 15 14:57:15 UTC 2022


On Thu, 2022-09-15 at 10:27 -0400, Christos Zoulas wrote:
> On 2022-09-15 4:10 am, Michał Górny wrote:
> > Add ALLOW_RULE for all the syscalls used by glibc on my system to spawn
> > the decompressor.  With them present, `file -z ...` starts working 
> > again
> > when not using external libraries, at least on amd64.  Other
> > architectures may need more syscalls.
> 
> Yes, I know. The reason I have not done this already is because once we
> allow clone and execve there is not much point in sandboxing... I guess
> we can modify -S to add those syscalls instead and that is better than
> completely disabling sandboxing... What do you think?
> 

Yeah, I feel like seccomp becomes pretty much useless at this point. 
That said, I don't really understand why file(1) would need it
in the first place.

Perhaps another option would be to just disable spawning external
compressors when sandboxing is enabled.  I don't think it's critical, my
main concern is that the output like:

  $ file -z t.tar.lz 
  t.tar.lz: Bad system call

is quite confusing.

-- 
Best regards,
Michał Górny



More information about the File mailing list