From b2144cd686bdbe20ce1e9068fa9d0133ff295701 Mon Sep 17 00:00:00 2001 From: Christos Zoulas Date: Fri, 2 Mar 2018 16:11:37 +0000 Subject: [PATCH] Add -S to disable libseccomp if it exists, and fix option docs that where out of sync. --- src/file.c | 58 +++++++++++++++++++++++++++++++++---------------- src/file_opts.h | 3 +++ 2 files changed, 42 insertions(+), 19 deletions(-) diff --git a/src/file.c b/src/file.c index 5152f423..87dd1bb6 100644 --- a/src/file.c +++ b/src/file.c @@ -32,7 +32,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: file.c,v 1.174 2017/09/24 16:04:56 christos Exp $") +FILE_RCSID("@(#)$File: file.c,v 1.175 2018/03/02 16:11:37 christos Exp $") #endif /* lint */ #include "magic.h" @@ -59,25 +59,37 @@ FILE_RCSID("@(#)$File: file.c,v 1.174 2017/09/24 16:04:56 christos Exp $") #endif #if defined(HAVE_GETOPT_H) && defined(HAVE_STRUCT_OPTION) -#include -#ifndef HAVE_GETOPT_LONG -int getopt_long(int argc, char * const *argv, const char *optstring, const struct option *longopts, int *longindex); +# include +# ifndef HAVE_GETOPT_LONG +int getopt_long(int, char * const *, const char *, + const struct option *, int *); +# endif +# else +# include "mygetopt.h" #endif + +#ifdef S_IFLNK +# define IFLNK_h "h" +# define IFLNK_L "L" #else -#include "mygetopt.h" +# define IFLNK_h "" +# define IFLNK_L "" #endif -#ifdef S_IFLNK -#define FILE_FLAGS "-bcEhikLlNnprsvzZ0" +#ifdef HAVE_LIBSECCOMP +# define SECCOMP_S "S" #else -#define FILE_FLAGS "-bcEiklNnprsvzZ0" +# define SECCOMP_S "" #endif +#define FILE_FLAGS "bcCdE" IFLNK_h "ik" IFLNK_L "lNnprs" SECCOMP_S "vzZ0" +#define OPTSTRING "bcCde:Ef:F:hiklLm:nNpP:rsSvzZ0" + # define USAGE \ - "Usage: %s [" FILE_FLAGS "] [--apple] [--extension] [--mime-encoding]\n" \ + "Usage: %s [-" FILE_FLAGS "] [--apple] [--extension] [--mime-encoding]\n" \ " [--mime-type] [-e ] [-F ] " \ " [-f ]\n" \ - " [-m ] ...\n" \ + " [-m ] [-P ] ...\n" \ " %s -C [-m ]\n" \ " %s [--help]\n" 
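Review bot: `OPTSTRING` in the `@@ -59,25 +59,37 @@` hunk lists `S` unconditionally, while `FILE_FLAGS` and the new `case 'S':` in main() exist only under `HAVE_LIBSECCOMP`. On a build without libseccomp, getopt will therefore accept `-S` and pass it to the switch, where it falls to the default branch (not visible in these hunks) instead of being rejected as an unknown option, so the usage string and the parser disagree. Either build the string the same way as `FILE_FLAGS`, `#define OPTSTRING "bcCde:Ef:F:hiklLm:nNpP:rs" SECCOMP_S "vzZ0"`, or keep `S` and make `case 'S':` an unconditional no-op so scripts can pass it portably. Separately, `# else` and `# include "mygetopt.h"` are indented as if they belonged to the inner `# ifndef HAVE_GETOPT_LONG`, but they pair with the outer `#if`; writing `#else` at column 0 would match the actual nesting.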
@@ -103,7 +115,6 @@ private const struct option long_options[] = { #undef OPT_LONGONLY {0, 0, NULL, 0} }; -#define OPTSTRING "bcCde:Ef:F:hiklLm:nNpP:rsvzZ0" private const struct { const char *name; @@ -164,6 +175,9 @@ main(int argc, char *argv[]) size_t i; int action = 0, didsomefiles = 0, errflg = 0; int flags = 0, e = 0; +#ifdef HAVE_LIBSECCOMP + int sandbox = 1; +#endif struct magic_set *magic = NULL; int longindex; const char *magicfile = NULL; /* where the magic is */ @@ -186,14 +200,6 @@ main(int argc, char *argv[]) file_setprogname(progname); -#ifdef HAVE_LIBSECCOMP -#if 0 - if (enable_sandbox_basic() == -1) -#else - if (enable_sandbox_full() == -1) -#endif - file_err(EXIT_FAILURE, "SECCOMP initialisation failed"); -#endif /* HAVE_LIBSECCOMP */ #ifdef S_IFLNK posixly = getenv("POSIXLY_CORRECT") != NULL; @@ -291,6 +297,11 @@ main(int argc, char *argv[]) case 's': flags |= MAGIC_DEVICES; break; +#ifdef HAVE_LIBSECCOMP + case 'S': + sandbox = 0; + break; +#endif case 'v': if (magicfile == NULL) magicfile = magic_getpath(magicfile, action); @@ -326,6 +337,15 @@ main(int argc, char *argv[]) if (e) return e; +#ifdef HAVE_LIBSECCOMP +#if 0 + if (sandbox && enable_sandbox_basic() == -1) +#else + if (sandbox && enable_sandbox_full() == -1) +#endif + file_err(EXIT_FAILURE, "SECCOMP initialisation failed"); +#endif /* HAVE_LIBSECCOMP */ + if (MAGIC_VERSION != magic_version()) file_warnx("Compiled magic version [%d] " "does not match with shared library magic version [%d]\n", diff --git a/src/file_opts.h b/src/file_opts.h index 52ace189..02611ccb 100644 --- a/src/file_opts.h +++ b/src/file_opts.h 
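Review bot: The seccomp filter in the `@@ -326,6 +337,15 @@` hunk is now installed only after the option loop and `if (e) return e;`, so everything main() does before that point runs unfiltered, whereas the removed code enabled it right after `file_setprogname()`. That includes the `-v` branch's `magic_getpath()` call visible in the `@@ -291,6 +297,11 @@` hunk and any other work done during option handling outside these hunks. The move is needed for `-S` to take effect, but the invariant it relies on is not written down. A comment above the block would record it, e.g. `/* Sandbox is enabled after option parsing so -S can opt out; code above must not read untrusted file contents. */`. main() starts and ends outside these hunks, so the code between the option loop and the new block could not be checked from here.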
@@ -54,5 +54,8 @@ OPT('P', "parameter", 1, 0, " set file engine parameter limits\n"
 OPT('r', "raw", 0, 0, " don't translate unprintable chars to \\ooo\n")
 OPT('s', "special-files", 0, 0, " treat special (block/char devices) files as\n"
 " ordinary ones\n")
+#ifdef HAVE_LIBSECCOMP
+OPT('S', "no-sandbox", 0, 0, " disable system call sandboxing\n")
+#endif
 OPT('C', "compile", 0, 0, " compile file specified by -m\n")
 OPT('d', "debug", 0, 0, " print debugging messages\n")
-- 2.40.0
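Review bot: The help text added for `-S` states what the flag does but not what is given up: it turns off the seccomp filter for the whole run, including while input files are parsed. The string could say so, e.g. `" disable system call sandboxing (less protection when examining untrusted files)\n"`. The diffstat lists no man page change, so the same caveat should go there. Because a single short option now removes a hardening layer, wrappers that forward externally supplied arguments to file should place `--` before file names so a name cannot be parsed as `-S` or `--no-sandbox`.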