Date: Tue, 4 Nov 2025 06:01:49 +0100
From: Stefano Brivio
To: Laurent Vivier
CC: passt-dev@passt.top, David Gibson
Subject: Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob expansion
Message-ID: <20251104060149.1ee2ad10@elisabeth>
In-Reply-To: <20251103120834.192683-1-lvivier@redhat.com>
List-Id: Development discussion and patches for passt

On Mon, 3 Nov 2025 13:08:34 +0100
Laurent Vivier wrote:

> we use [a-z] and [A-Z] patterns with 'tr', but
> if there are files with names matching these patterns they will be
> replaced by the name of the file and seccomp.h will not be generated
> correctly:
> $ rm seccomp.h
> $ touch a b
> $ make
> tr: extra operand '[A-Z]'
> Try 'tr --help' for more information.
> seccomp profile passt allows: accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
> fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
> ...
> cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
> In file included from isolation.c:83:
> seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
>    11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
>       |                                             ^~~~~~~~~~~
>
> Signed-off-by: Laurent Vivier
> ---
> seccomp.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/seccomp.sh b/seccomp.sh > index a7bc417b9f6b..ba92b29d9a29 100755 > --- a/seccomp.sh > +++ b/seccomp.sh
> @@ -22,7 +22,7 @@ IN="$@" > [ -z "${ARCH}" ] && ARCH="$(uname -m)" > [ -z "${CC}" ] && CC="cc" > > -AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z] \ > +AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]' \

Oops. I wonder if this is a complete fix though, because in general I
didn't care about possible expansions and I just assumed I set -f on
the whole script, which I didn't for some reason. That is, it should be:

  #!/bin/sh -euf

and if you run 'shellcheck seccomp.sh', you'll find many other places
where I didn't care, so perhaps we really need that -f, but I didn't
look into all those shellcheck reports.

And by the way of shellcheck and compatibility, this is still on my
to-do list:

  https://github.com/chimera-linux/cports/pull/1483#issuecomment-2079007408

All in all, I can apply this, it fixes a bit and surely doesn't hurt.
Or we can (also?) add -f, but we need to make sure we don't rely on
expansions. We should perhaps check / fix reasonable shellcheck reports
and compatibility issues too.

Let me know if you think you might find time for any of that, or if I
should just apply this for the moment.

-- 
Stefano
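
Review bot: On the changed AUDIT_ARCH= line, `echo ${ARCH}` inside the command substitution is still unquoted, so the value of ARCH (taken from the environment or from `uname -m`, per the context lines) remains subject to field splitting and pathname expansion even with the tr operands quoted; `echo "${ARCH}"` closes that as well. The brackets are also not needed for a range in POSIX tr: `tr 'a-z' 'A-Z'` maps the same letters, since `[` and `]` in the quoted form only map to themselves.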
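
The failure from the commit message and the two mitigations raised in the reply (quoting the ranges, or disabling pathname expansion with `set -f`), as an added example that is not part of the original mail or of seccomp.sh. The function names and the scratch directory are assumptions made for the illustration; the files `a` and `b` are constructed as in the commit message.

```shell
#!/bin/sh
# Added example, not code from seccomp.sh. All function names are hypothetical.
LC_ALL=C; export LC_ALL   # byte-ordered bracket ranges, so results are reproducible

# Pre-patch form: the shell treats [a-z] and [A-Z] as glob patterns and
# replaces them with matching file names before tr ever runs.
upcase_unquoted() { echo "$1" | tr [a-z] [A-Z] 2>/dev/null; }

# Patched form: the quoted ranges reach tr untouched.
upcase_quoted() { echo "$1" | tr '[a-z]' '[A-Z]'; }

# Same unquoted command with pathname expansion disabled, which is what
# '#!/bin/sh -euf' would do for the whole script.
upcase_noglob() { ( set -f; echo "$1" | tr [a-z] [A-Z] ); }

# Run one of the functions above inside a scratch directory that holds the
# constructed files 'a' and 'b', then clean up and print what it produced.
in_polluted_dir() {
    fn=$1; arg=$2
    dir=$(mktemp -d) || return 1
    out=$(cd "$dir" && touch a b && "$fn" "$arg") || true
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Show what each variant would append to the AUDIT_ARCH_ prefix.
for f in upcase_unquoted upcase_quoted upcase_noglob; do
    printf '%-16s -> AUDIT_ARCH_%s\n' "$f" "$(in_polluted_dir "$f" x86_64)"
done
```

With GNU tr the unquoted variant yields a bare `AUDIT_ARCH_`, the same token the compiler rejects in the quoted build log, while the other two yield `AUDIT_ARCH_X86_64`.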