From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202510 header.b=ZLBKV12j;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id 4DBED5A026F
	for <passt-dev@passt.top>; Wed, 05 Nov 2025 02:22:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202510; t=1762305763;
	bh=lI+GZz7889hAyCy82qJpMv5YocnATM+A/ja/NhqOtTo=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=ZLBKV12jF/RNaFc8sLdjKPNRZVO47Z7irYlHl+J3jZ82Twqy/2nIB27XJiQ51rL/M
	 Tx5zLE2dJwXzK0WwryaVY8AOHE1VkgOg6KPH8FhbOgub2x7+0V/8pvct711q+XnKpU
	 MpB+ETkxhuJWrc5/p7BhZfjpOZmycpwLDh+aurkfClmlrT3vw7NgflEpZWNmOhStqn
	 JfXjIheUjQ8po4iJPXGZ20WSP5ShWruu5uifZ+7tiwwUL8NFwijLpwf9JN2ii79HNe
	 xtWto6tYrC+kqMF8GGMF/bHDD6vIBMJl1lssxX85nyEkGZvpEPHUk6eiGOe24RrQ2E
	 uczaXN5D5pQSQ==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4d1SHR0ppqz4w9q; Wed, 05 Nov 2025 12:22:43 +1100 (AEDT)
Date: Wed, 5 Nov 2025 12:22:38 +1100
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob
 expansion
Message-ID: <aQqm3rrHYKmarU3r@zatzit>
References: <20251103120834.192683-1-lvivier@redhat.com>
 <20251104060149.1ee2ad10@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="7tcMPbUJ6w4ktKkm"
Content-Disposition: inline
In-Reply-To: <20251104060149.1ee2ad10@elisabeth>
Message-ID-Hash: FPWQVCGTIXVND7Y5DGDL4A7OIPYDWQRA
X-Message-ID-Hash: FPWQVCGTIXVND7Y5DGDL4A7OIPYDWQRA
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Laurent Vivier <lvivier@redhat.com>, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/aQqm3rrHYKmarU3r@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/FPWQVCGTIXVND7Y5DGDL4A7OIPYDWQRA/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--7tcMPbUJ6w4ktKkm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 04, 2025 at 06:01:49AM +0100, Stefano Brivio wrote:
> On Mon,  3 Nov 2025 13:08:34 +0100
> Laurent Vivier <lvivier@redhat.com> wrote:
>=20
> > we use [a-z] and [A-Z] patterns with 'tr', but
> > if there are files with names matching these patterns they will be
> > replaced by the name of the file and seccomp.h will not be generated
> > correctly:
> > $ rm seccomp.h
> > $ touch a b
> > $ make
> > tr: extra operand '[A-Z]'
> > Try 'tr --help' for more information.
> > seccomp profile passt allows:  accept accept4 bind clock_gettime close =
connect epoll_ctl epoll_pwait epoll_wait exit_group
> >    fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek =
read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
> > ...
> > cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -s=
td=3Dc11 -D_XOPEN_SOURCE=3D700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=3D2 -O2 -pie=
 -fPIE -DPAGE_SIZE=3D4096 -DVERSION=3D"2025_09_19.623dbf6-54-gf6b6118fcabd"=
 -DDUAL_STACK_SOCKETS=3D1 -DHAS_GETRANDOM -fstack-protector-strong   arch.c=
 arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c ig=
mp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c =
migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_bu=
f.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c vir=
tio.c vu_common.c -o passt
> > In file included from isolation.c:83:
> > seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a functio=
n); did you mean 'AUDIT_ARCH'?
> >    11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
> >       |                                             ^~~~~~~~~~~
> >=20
> > Signed-off-by: Laurent Vivier <lvivier@redhat.com>
> > ---
> >  seccomp.sh | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >=20
> > diff --git a/seccomp.sh b/seccomp.sh
> > index a7bc417b9f6b..ba92b29d9a29 100755
> > --- a/seccomp.sh
> > +++ b/seccomp.sh
> > @@ -22,7 +22,7 @@ IN=3D"$@"
> >  [ -z "${ARCH}" ] && ARCH=3D"$(uname -m)"
> >  [ -z "${CC}" ] && CC=3D"cc"
> > =20
> > -AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z]             \
> > +AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]'         \
>=20
> Oops.
>=20
> I wonder if this is a complete fix though, because in general I didn't
> care about possible expansions and I just assumed I set -f on the whole
> script, which I didn't for some reason. That is, it should be:
>=20
> #!/bin/sh -euf
>=20
> and if you run 'shellcheck seccomp.sh', you'll find many other places
> where I didn't care, so perhaps we really need that -f, but I didn't
> look into all those shellcheck reports.
>=20
> And by the way of shellcheck and compatibility, this is still on my
> to-do list:
>=20
>   https://github.com/chimera-linux/cports/pull/1483#issuecomment-20790074=
08
>=20
> All in all, I can apply this, it fixes a bit and surely doesn't hurt.
>=20
> Or we can (also?) add -f, but we need to make sure we don't rely on
> expansions. We should perhaps check / fix reasonable shellcheck reports
> and compatibility issues too.

I don't love that idea.  I hadn't even realised -f existed until right
now, so having an obscure global flag change behaviour everywhere
doesn't ideal for readability.  Plus, disabling globs removes the need
for _some_ escaping, but not all, so it just means there's now two
different sets of rules you'd need to apply about what must be
escaped.

>=20
> Let me know if you think you might find time for any of that, or if I
> should just apply this for the moment.
>=20
> --=20
> Stefano
>=20

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--7tcMPbUJ6w4ktKkm
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmkKpskACgkQzQJF27ox
2GdeXA//eyxJ3O10QgROE0shQNy29XWo4vPcjk7M2ZtgfzKQIpuJVeOmjqoZ/cYO
4YViPXaUUHs8JNAtQNIJPPxdwi+zXaodf+rJKCZDY3msPq0XQqOeX5KaLO2K3rZy
u7cdh9I6ED5uCc2Dj/ztCjK9cxBy6Pg6ELYUI1Sg0tdq7jRIlxz8uiIbRmz3RvlC
MtSAlaVKqZ5TgVmmsqZMRwxKRxRsYjOAzzNc9EfRfPJztIjE5YsKUS+44eMKbgc5
ymHHo1Qx+WFxuPsgMPmXgE0nVOhvcksMFnwGoNYo1IepiHBmY5ClxQ0D70zykSwj
iel2L+P97PpAQQDeEip9G2ztcWZrgEYstKZpCJboSdOos2hg+csbNOwar0iW24Or
xQiPzyz0kuKCGDJD8GZhtf2/NLEKXX3QlwUduW2HA/xz9kxxNGCOkV2A906RHt95
QauTQTru2cT/wA/ZRb2s/U4LaVH8FMsMheoMK93JAG+evMUiiHBTf+2Y0DmaOsPY
6G0D2XSWWtiahqIR1Mvi+hUnOWBEy7P8KHP03+QUbKuNXCdDrvJkRPLn6l2HAE1q
D1yfBVSjH6ruTtXH4fr8MZUiLdSqlpzaGV14fKVuaPLsB1HW15902WEteiEV6aXf
kbb27u2Jw933fptQtlu13gl/ne1MnnGYMyvAIGvPHKNqkT5t4kk=
=iZpk
-----END PGP SIGNATURE-----

--7tcMPbUJ6w4ktKkm--