[Git][reproducible-builds/strip-nondeterminism][master] Pass --no-sandbox to if necessary to bypass seccomp-enabled version of file(1)...

Chris Lamb gitlab at salsa.debian.org
Mon Jul 22 14:44:29 UTC 2019 


Chris Lamb pushed to branch master at Reproducible Builds / strip-nondeterminism


Commits:
20b287d8 by Chris Lamb at 2019-07-22T14:42:34Z
Pass --no-sandbox to if necessary to bypass seccomp-enabled version of file(1) which was causing a huge number of regressions in our testing framework. (re. #932006)

- - - - -


1 changed file:

- lib/File/StripNondeterminism.pm


Changes:

=====================================
lib/File/StripNondeterminism.pm
=====================================
@@ -35,7 +35,7 @@ sub init() {
 sub _get_file_type($) {
 	my $file=shift;
 	open(FILE, '-|') # handle all filenames safely
-	  || exec('file', '--', $file)
+	  || exec('file', _internal_optional_file_args(), '--', $file)
 	  || die "can't exec file: $!";
 	my $type=<FILE>;
 	close FILE;
@@ -134,4 +134,22 @@ sub get_normalizer_by_name($) {
 	return _handler(shift);
 }
 
+# From Debian::Debhelper::Dh_Lib
+my $_disable_file_seccomp;
+sub _internal_optional_file_args {
+	if (not defined($_disable_file_seccomp)) {
+		my $consider_disabling_seccomp = 0;
+		if ($ENV{'FAKEROOTKEY'} or ($ENV{'LD_PRELOAD'}//'') =~ m/fakeroot/) {
+			$consider_disabling_seccomp = 1;
+		}
+		if ($consider_disabling_seccomp) {
+			my $has_no_sandbox = (qx/file --help/ // '') =~ m/--no-sandbox/;
+			$consider_disabling_seccomp = 0 if not $has_no_sandbox;
+		}
+		$_disable_file_seccomp = $consider_disabling_seccomp;
+	}
+	return ('--no-sandbox') if $_disable_file_seccomp;
+	return;
+}
+
 1;



View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/20b287d8eb20280057dae869f0a06a7c6b7c7107

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/20b287d8eb20280057dae869f0a06a7c6b7c7107
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20190722/4dbfc766/attachment.html>

More information about the rb-commits mailing list