From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=PkVDJGLG; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by passt.top (Postfix) with ESMTPS id 9AC765A061E for ; Fri, 14 Nov 2025 01:01:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1763078471; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5bTUr5V7vNg0mi83oTBV2/RC/Ibzea6MmSQl5ufH+sI=; b=PkVDJGLGTqVzKO1AUmYIeIW0bjI747RuKPYySC9cHX9E7ZjVLMM1+a81M3vC660E7hvO4k vtb0dLfm3pwI/rlvrFiayzZL2N7Yo/uMuSVidw0OIMI1Fh1oYflKdyk6Gpm3flu5ViXKtk r4TXppJNY4/VqIaD8LkjVkukcDtIw1w= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-323-TtlxD9IzOfuc6haLC4IPcw-1; Thu, 13 Nov 2025 19:01:09 -0500 X-MC-Unique: TtlxD9IzOfuc6haLC4IPcw-1 X-Mimecast-MFC-AGG-ID: TtlxD9IzOfuc6haLC4IPcw_1763078468 Received: by mail-wr1-f69.google.com with SMTP id ffacd0b85a97d-429cbd8299cso676564f8f.1 for ; Thu, 13 Nov 2025 16:01:09 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763078467; x=1763683267; h=content-transfer-encoding:mime-version:organization:references :in-reply-to:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Hcj5gUI0c90y7/fZ4QK1vg8jaR5UnT3LvClq/7MU5SY=; b=rs7EvsXnbYL6rKxi1DL9YO9tmEF+iuAonX/oHKEQcOJ1pvOBfL37o14DogPrsdlk4F CaFSUwNbROC5TLHjDP3RSPPCwgTHchpdGHjFtxcVVInXUcUWT8Zd2IXeud0bSa2d/GN2 lVHAPtmOQ3h/PcKuXvpLjb4eHLquwcz5gh/fTwqLPZRw3HOHvExREei2t2aRKvuveD6z 39104ydbmkiyE3L8b9V6QbUVpeRTs6IYjaylCDYp+RUEyaFe0Ee8RlQ+7EIRHXZbNlQ2 RaQH/E9196JIIHyxpt/YF1adwN/djyT4V7nXnSa/6A3uZlf2vpNaMAMiu+hIYaWSUqSI lpHw== X-Forwarded-Encrypted: i=1; AJvYcCUXc0l30vT8VcqTM+x9oSCIHIts+aCdLar0JwCR+xJMzoGlynvMffY/k+3IV9809p07QG75CFfTIM8=@passt.top X-Gm-Message-State: AOJu0YwcsIMPh/2P5MR3kyvqGmzKiEWenrBLsCq52n5L+r9nXk0vKfR8 3MQjpVuZeiibdoxqyL1szPZJzIQwrt4JAko8UFfD23Tot2SGyhR282kBwA8ZO03h0DnH0up2rCT vHx+fWKqs82ghwLWkItHreVCGjzZEs/uOhcQLDcr4jTROF31ZvqBB8Q== X-Gm-Gg: ASbGnctTrmO2nkzI9ZqBF4rB2/FmGyJxgdwMAzmp9khRP7Eji0TEv965AFg5u/haXUG t8gBWfT9Si/bKjt/6HnDowostx4F3I9YeLCQ2CDVEp5PKjA2EkTYVwq1ZMnV/fJIQnEUCyXHCZD JnqTFByAjxtYE5/phzfYl5QsbiaumLZyFg7FYmGzHXOAL7MAT6mEV3aO9p5D4JUzEDjQs7A2Ju+ RIKopkTv9uyKeS0PJCOJedpFy3joCfXXm0sVoAxUbALCAyk+uCCI4g5+74MrwYHOMVjZrfWfs/a FBhY4RxN4mzeymnl7lhyc2l6eOEu80BZanmF9wRRq6UEOWrb+6jkPfpVvYSPKGZFMAmrTyXyH07 YhLDy1ColBy9vYBsNurAJ X-Received: by 2002:a05:6000:438a:b0:42b:2a41:f1a with SMTP id ffacd0b85a97d-42b59373208mr1086811f8f.26.1763078466722; Thu, 13 Nov 2025 16:01:06 -0800 (PST) X-Google-Smtp-Source: AGHT+IFBeCwCQrSXTZ8rc3SO4lCxe6urw27iDB4y5ONa8X6chISu1EninJuQ9ZnhDOdCYGk3aMBCkA== X-Received: by 2002:a05:6000:438a:b0:42b:2a41:f1a with SMTP id ffacd0b85a97d-42b59373208mr1086782f8f.26.1763078466192; Thu, 13 Nov 2025 16:01:06 -0800 (PST) Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-42b53e7ae88sm6564672f8f.6.2025.11.13.16.01.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Nov 2025 16:01:05 -0800 (PST) Date: Fri, 14 Nov 2025 01:01:03 +0100 From: Stefano Brivio To: David Gibson Subject: Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob expansion Message-ID: <20251114010103.3cb1eaa8@elisabeth> In-Reply-To: References: <20251103120834.192683-1-lvivier@redhat.com> <20251104060149.1ee2ad10@elisabeth> Organization: Red Hat X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: sjHIX4oxtANVUUoLVR_GdNQMGdkN8qZCCsvN4N6PtC0_1763078468 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Message-ID-Hash: YCB46OKABDKRYI6UCMH2TMDM5RCGSJ2C X-Message-ID-Hash: YCB46OKABDKRYI6UCMH2TMDM5RCGSJ2C X-MailFrom: sbrivio@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Laurent Vivier , passt-dev@passt.top X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed, 5 Nov 2025 12:22:38 +1100 David Gibson wrote: > On Tue, Nov 04, 2025 at 06:01:49AM +0100, Stefano Brivio wrote: > > On Mon, 3 Nov 2025 13:08:34 +0100 > > Laurent Vivier wrote: > > =20 > > > we use [a-z] and [A-Z] patterns with 'tr', but > > > if there are files with names matching these patterns they will be > > > replaced by the name of the file and seccomp.h will not be generated > > > correctly: > > > $ rm seccomp.h > > > $ touch a b > > > $ make > > > tr: extra operand '[A-Z]' > > > Try 'tr --help' for more information. > > > seccomp profile passt allows: accept accept4 bind clock_gettime clos= e connect epoll_ctl epoll_pwait epoll_wait exit_group > > > fallocate fcntl fsync ftruncate getsockname getsockopt listen lsee= k read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto > > > ... > > > cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic = -std=3Dc11 -D_XOPEN_SOURCE=3D700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=3D2 -O2 -p= ie -fPIE -DPAGE_SIZE=3D4096 -DVERSION=3D"2025_09_19.623dbf6-54-gf6b6118fcab= d" -DDUAL_STACK_SOCKETS=3D1 -DHAS_GETRANDOM -fstack-protector-strong arch= .c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c = igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.= c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_= buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c v= irtio.c vu_common.c -o passt > > > In file included from isolation.c:83: > > > seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a funct= ion); did you mean 'AUDIT_ARCH'? > > > 11 | BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 8= 0), > > > | ^~~~~~~~~~~ > > >=20 > > > Signed-off-by: Laurent Vivier > > > --- > > > seccomp.sh | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > >=20 > > > diff --git a/seccomp.sh b/seccomp.sh > > > index a7bc417b9f6b..ba92b29d9a29 100755 > > > --- a/seccomp.sh > > > +++ b/seccomp.sh > > > @@ -22,7 +22,7 @@ IN=3D"$@" > > > [ -z "${ARCH}" ] && ARCH=3D"$(uname -m)" > > > [ -z "${CC}" ] && CC=3D"cc" > > > =20 > > > -AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z] = \ > > > +AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]' = \ =20 > >=20 > > Oops. > >=20 > > I wonder if this is a complete fix though, because in general I didn't > > care about possible expansions and I just assumed I set -f on the whole > > script, which I didn't for some reason. That is, it should be: > >=20 > > #!/bin/sh -euf > >=20 > > and if you run 'shellcheck seccomp.sh', you'll find many other places > > where I didn't care, so perhaps we really need that -f, but I didn't > > look into all those shellcheck reports. > >=20 > > And by the way of shellcheck and compatibility, this is still on my > > to-do list: > >=20 > > https://github.com/chimera-linux/cports/pull/1483#issuecomment-207900= 7408 > >=20 > > All in all, I can apply this, it fixes a bit and surely doesn't hurt. > >=20 > > Or we can (also?) add -f, but we need to make sure we don't rely on > > expansions. We should perhaps check / fix reasonable shellcheck reports > > and compatibility issues too. =20 >=20 > I don't love that idea. I hadn't even realised -f existed until right > now, so having an obscure global flag change behaviour everywhere > doesn't ideal for readability. I don't think it's *that* obscure actually, I use it quite commonly (unless the script is playing with files), I have a few occurrences of it in my current /usr/lib, and it even predates POSIX and SUS. >From page 108 of AT&T's System V Interface Definition, Issue 2 Volume II, Chapter 4 (Commands and Utilities), SH(BU_CMD): -f (New in System V Release 2.) Disable file name generation https://bitsavers.org/pdf/att/unix/SVID/System_V_Interface_Definition_Iss= ue_2_Volume_2_1986.pdf > Plus, disabling globs removes the need > for _some_ escaping, but not all, so it just means there's now two > different sets of rules you'd need to apply about what must be > escaped. Well, I think we should escape everything anyway, and make sure we do by making it shellcheck(1)-clean, eventually. But '[a-z]' in 'tr [a-z]' expanding to 'a' is the very madness that -f is supposed to protect us from. That is, I see it as something needed for defensive/robust programming rather than something hiding issues. --=20 Stefano