Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob expansion

[David Gibson <david@gibson.dropbear.id.au>]

[-- Attachment #1: Type: text/plain, Size: 2574 bytes --]

On Mon, Nov 03, 2025 at 01:08:34PM +0100, Laurent Vivier wrote:
> we use [a-z] and [A-Z] patterns with 'tr', but
> if there are files with names matching these patterns they will be
> replaced by the name of the file and seccomp.h will not be generated
> correctly:
> $ rm seccomp.h
> $ touch a b
> $ make
> tr: extra operand '[A-Z]'
> Try 'tr --help' for more information.
> seccomp profile passt allows:  accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
>    fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
> ...
> cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong   arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
> In file included from isolation.c:83:
> seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
>    11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
>       |                                             ^~~~~~~~~~~
> 
> Signed-off-by: Laurent Vivier <lvivier@redhat.com>

Ouch.

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  seccomp.sh | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/seccomp.sh b/seccomp.sh
> index a7bc417b9f6b..ba92b29d9a29 100755
> --- a/seccomp.sh
> +++ b/seccomp.sh
> @@ -22,7 +22,7 @@ IN="$@"
>  [ -z "${ARCH}" ] && ARCH="$(uname -m)"
>  [ -z "${CC}" ] && CC="cc"
>  
> -AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z]             \
> +AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]'         \
>                                        | sed 's/^ARM.*/ARM/'        \
>                                        | sed 's/I[456]86/I386/'     \
>                                        | sed 's/PPC64/PPC/'         \
> -- 
> 2.51.0
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]