Date: Fri, 14 Nov 2025 11:50:29 +1100
From: David Gibson
To: Stefano Brivio
Cc: Laurent Vivier, passt-dev@passt.top
Subject: Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob expansion
List-Id: Development discussion and patches for passt

On Fri, Nov 14, 2025 at 01:01:03AM +0100, Stefano Brivio wrote:
> On Wed, 5 Nov 2025 12:22:38 +1100
> David Gibson wrote:
>
> > On Tue, Nov 04, 2025 at 06:01:49AM +0100, Stefano Brivio wrote:
> > > On Mon, 3 Nov 2025 13:08:34 +0100
> > > Laurent Vivier wrote:
> > >
> > > > we use [a-z] and [A-Z] patterns with 'tr', but
> > > > if there are files with names matching these patterns they will be
> > > > replaced by the name of the file and seccomp.h will not be generated
> > > > correctly:
> > > > $ rm seccomp.h
> > > > $ touch a b
> > > > $ make
> > > > tr: extra operand '[A-Z]'
> > > > Try 'tr --help' for more information.
> > > > seccomp profile passt allows: accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group
> > > > fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto
> > > > ...
> > > > cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt
> > > > In file included from isolation.c:83:
> > > > seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'?
> > > >    11 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80),
> > > >       |                                             ^~~~~~~~~~~
> > > >
> > > > Signed-off-by: Laurent Vivier
> > > > ---
> > > > seccomp.sh | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/seccomp.sh b/seccomp.sh
> > > > index a7bc417b9f6b..ba92b29d9a29 100755
> > > > --- a/seccomp.sh
> > > > +++ b/seccomp.sh
> > > > @@ -22,7 +22,7 @@ IN=3D"$@"
> > > > [ -z "${ARCH}" ] && ARCH=3D"$(uname -m)"
> > > > [ -z "${CC}" ] && CC=3D"cc"
> > > > =20
> > > > -AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z] = \
> > > > +AUDIT_ARCH=3D"AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]' = \ =20
> > >
> > > Oops.
> > >
> > > I wonder if this is a complete fix though, because in general I didn't
> > > care about possible expansions and I just assumed I set -f on the whole
> > > script, which I didn't for some reason. That is, it should be:
> > >
> > >   #!/bin/sh -euf
> > >
> > > and if you run 'shellcheck seccomp.sh', you'll find many other places
> > > where I didn't care, so perhaps we really need that -f, but I didn't
> > > look into all those shellcheck reports.
> > >
> > > And by the way of shellcheck and compatibility, this is still on my
> > > to-do list:
> > >
> > >   https://github.com/chimera-linux/cports/pull/1483#issuecomment-2079007408
> > >
> > > All in all, I can apply this, it fixes a bit and surely doesn't hurt.
> > >
> > > Or we can (also?) add -f, but we need to make sure we don't rely on
> > > expansions. We should perhaps check / fix reasonable shellcheck reports
> > > and compatibility issues too.
> >
> > I don't love that idea. I hadn't even realised -f existed until right
> > now, so having an obscure global flag change behaviour everywhere
> > doesn't ideal for readability.
>
> I don't think it's *that* obscure actually, I use it quite commonly
> (unless the script is playing with files), I have a few occurrences of
> it in my current /usr/lib, and it even predates POSIX and SUS.
>
> From page 108 of AT&T's System V Interface Definition, Issue 2 Volume
> II, Chapter 4 (Commands and Utilities), SH(BU_CMD):
>
>   -f   (New in System V Release 2.)
>        Disable file name generation
>
> https://bitsavers.org/pdf/att/unix/SVID/System_V_Interface_Definition_Issue_2_Volume_2_1986.pdf

Being ancient doesn't, of itself, make it less obscure... Empirically,
I've been using shell on and off for 30 years, and I'd never
encountered it.

> > Plus, disabling globs removes the need
> > for _some_ escaping, but not all, so it just means there's now two
> > different sets of rules you'd need to apply about what must be
> > escaped.
>
> Well, I think we should escape everything anyway, and make sure we
> do by making it shellcheck(1)-clean, eventually.
>
> But '[a-z]' in 'tr [a-z]' expanding to 'a' is the very madness that -f
> is supposed to protect us from. That is, I see it as something needed
> for defensive/robust programming rather than something hiding issues.

Eh, I suppose. I mean the main lesson I see is "trying to get
anything complex right in shell is a fool's errand"...

-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
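
Review bot: on the changed `AUDIT_ARCH=` line, `echo ${ARCH}` still expands `${ARCH}` unquoted, so that value remains subject to field splitting and pathname expansion in the same way the `tr` operands were; write `"${ARCH}"` there as well. The brackets are also unnecessary: POSIX `tr` treats `[` and `]` in `'[a-z]' '[A-Z]'` as literal characters that happen to map to themselves, so `tr a-z A-Z` gives the same result for these inputs and contains nothing a glob can match.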
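
The failure reported in the thread and the two mitigations discussed (quoting the `tr` operands, and running with `-f`), as an added example that is not part of the patch or of seccomp.sh. The function names `upcase` and `split_count`, the scratch directory and the sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not taken from seccomp.sh.

# upcase MODE ARCH: print ARCH upper-cased by tr, run inside a scratch
# directory holding files "a" and "b" (the constructed trigger from the report).
# MODE is one of: unquoted | quoted | noglob
upcase() (
    LC_ALL=C; export LC_ALL
    dir=$(mktemp -d) || exit 2
    cd "$dir" || exit 2
    : > a; : > b
    # The ranges are deliberately left unquoted in "unquoted" and "noglob".
    case $1 in
    unquoted) out=$(printf '%s\n' "$2" | tr [a-z] [A-Z] 2>/dev/null) || : ;;
    quoted)   out=$(printf '%s\n' "$2" | tr '[a-z]' '[A-Z]') || : ;;
    noglob)   set -f
              out=$(printf '%s\n' "$2" | tr [a-z] [A-Z]) || : ;;
    *)        exit 2 ;;
    esac
    cd / && rm -rf "$dir"
    printf '%s\n' "$out"
)

# split_count VALUE: number of words an unquoted expansion of VALUE yields
# with -f set. Globbing is disabled, field splitting is not, which is the
# "some escaping, but not all" point made in the thread.
split_count() (
    set -f
    v=$1
    set -- $v        # unquoted on purpose
    echo "$#"
)

for mode in unquoted quoted noglob; do
    printf '%-8s -> AUDIT_ARCH_%s\n' "$mode" "$(upcase "$mode" x86_64)"
done
printf 'words from "x86 64 *" under -f: %s\n' "$(split_count 'x86 64 *')"
```
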