diff mbox series

file: explicitly disable seccomp

Message ID 20191018112819.16210-1-ross.burton@intel.com
State Accepted
Commit a752faa152df031df5acaa40491299ac115109a4
Headers show
Series file: explicitly disable seccomp | expand

Commit Message

Ross Burton Oct. 18, 2019, 11:28 a.m. UTC 
file will automatically enable seccomp if the seccomp headers are available, but
the build will fail on Opensuse Tumbleweed because the include paths are wrong.

Enabling seccomp is a bad idea because it interacts badly with pseudo (causing
build failures), so explicitly and globally disable seccomp.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-devtools/file/file_5.37.bb | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Khem Raj Oct. 18, 2019, 12:33 p.m. UTC | #1 
On Fri, Oct 18, 2019 at 4:58 PM Ross Burton <ross.burton@intel.com> wrote:

> file will automatically enable seccomp if the seccomp headers are

> available, but

> the build will fail on Opensuse Tumbleweed because the include paths are

> wrong.

>

> Enabling seccomp is a bad idea because it interacts badly with pseudo

> (causing

> build failures), so explicitly and globally disable seccomp.

>

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  meta/recipes-devtools/file/file_5.37.bb | 2 ++

>  1 file changed, 2 insertions(+)

>

> diff --git a/meta/recipes-devtools/file/file_5.37.bb

> b/meta/recipes-devtools/file/file_5.37.bb

> index a840dbc012b..c53a120b840 100644

> --- a/meta/recipes-devtools/file/file_5.37.bb

> +++ b/meta/recipes-devtools/file/file_5.37.bb

> @@ -21,6 +21,8 @@ S = "${WORKDIR}/git"

>

>  inherit autotools update-alternatives

>

> +EXTRA_OECONF += "--disable-libseccomp"

> +



On host it makes sense but how about for target recipe ? We do have
libseccomp support
Perhaps it’s best to disable it for native and native sdk alone ?

>

>  ALTERNATIVE_${PN} = "file"

>  ALTERNATIVE_LINK_NAME[file] = "${bindir}/file"

>

> --

> 2.20.1

>

> --

> _______________________________________________

> Openembedded-core mailing list

> Openembedded-core@lists.openembedded.org

> http://lists.openembedded.org/mailman/listinfo/openembedded-core

>
<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2019 at 4:58 PM Ross Burton &lt;<a href="mailto:ross.burton@intel.com">ross.burton@intel.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">file will automatically enable seccomp if the seccomp headers are available, but<br>
the build will fail on Opensuse Tumbleweed because the include paths are wrong.<br>
<br>
Enabling seccomp is a bad idea because it interacts badly with pseudo (causing<br>
build failures), so explicitly and globally disable seccomp.<br>
<br>
Signed-off-by: Ross Burton &lt;<a href="mailto:ross.burton@intel.com" target="_blank">ross.burton@intel.com</a>&gt;<br>

---<br>
 meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a> | 2 ++<br>
 1 file changed, 2 insertions(+)<br>
<br>
diff --git a/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a> b/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
index a840dbc012b..c53a120b840 100644<br>
--- a/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
+++ b/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
@@ -21,6 +21,8 @@ S = &quot;${WORKDIR}/git&quot;<br>
<br>
 inherit autotools update-alternatives<br>
<br>
+EXTRA_OECONF += &quot;--disable-libseccomp&quot;<br>
+</blockquote><div dir="auto"><br></div><div dir="auto">On host it makes sense but how about for target recipe ? We do have libseccomp support </div><div dir="auto">Perhaps it’s best to disable it for native and native sdk alone ?</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
 ALTERNATIVE_${PN} = &quot;file&quot;<br>
 ALTERNATIVE_LINK_NAME[file] = &quot;${bindir}/file&quot;<br>
<br>
-- <br>
2.20.1<br>
<br>
-- <br>
_______________________________________________<br>
Openembedded-core mailing list<br>
<a href="mailto:Openembedded-core@lists.openembedded.org" target="_blank">Openembedded-core@lists.openembedded.org</a><br>
<a href="http://lists.openembedded.org/mailman/listinfo/openembedded-core" rel="noreferrer" target="_blank">http://lists.openembedded.org/mailman/listinfo/openembedded-core</a><br>
</blockquote></div></div>
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Richard Purdie Oct. 18, 2019, 9:28 p.m. UTC | #2 
On Fri, 2019-10-18 at 18:03 +0530, Khem Raj wrote:
> 
> 
> On Fri, Oct 18, 2019 at 4:58 PM Ross Burton <ross.burton@intel.com>
> wrote:
> > file will automatically enable seccomp if the seccomp headers are
> > available, but
> > the build will fail on Opensuse Tumbleweed because the include
> > paths are wrong.
> > 
> > Enabling seccomp is a bad idea because it interacts badly with
> > pseudo (causing
> > build failures), so explicitly and globally disable seccomp.
> > 
> > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > ---
> >  meta/recipes-devtools/file/file_5.37.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/meta/recipes-devtools/file/file_5.37.bb
> > b/meta/recipes-devtools/file/file_5.37.bb
> > index a840dbc012b..c53a120b840 100644
> > --- a/meta/recipes-devtools/file/file_5.37.bb
> > +++ b/meta/recipes-devtools/file/file_5.37.bb
> > @@ -21,6 +21,8 @@ S = "${WORKDIR}/git"
> > 
> >  inherit autotools update-alternatives
> > 
> > +EXTRA_OECONF += "--disable-libseccomp"
> > +
> 
> On host it makes sense but how about for target recipe ? We do have
> libseccomp support 
> Perhaps it’s best to disable it for native and native sdk alone ?

Given the problem reports in the media and the decisions made by most
other distros I think disabling this is probably safest until its been
make more usable (no other distro is shipping this enabled now).

Cheers,

Richard
Khem Raj Oct. 19, 2019, 5:26 a.m. UTC | #3 
On Sat, Oct 19, 2019 at 2:58 AM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Fri, 2019-10-18 at 18:03 +0530, Khem Raj wrote:

> >

> >

> > On Fri, Oct 18, 2019 at 4:58 PM Ross Burton <ross.burton@intel.com>

> > wrote:

> > > file will automatically enable seccomp if the seccomp headers are

> > > available, but

> > > the build will fail on Opensuse Tumbleweed because the include

> > > paths are wrong.

> > >

> > > Enabling seccomp is a bad idea because it interacts badly with

> > > pseudo (causing

> > > build failures), so explicitly and globally disable seccomp.

> > >

> > > Signed-off-by: Ross Burton <ross.burton@intel.com>

> > > ---

> > >  meta/recipes-devtools/file/file_5.37.bb | 2 ++

> > >  1 file changed, 2 insertions(+)

> > >

> > > diff --git a/meta/recipes-devtools/file/file_5.37.bb

> > > b/meta/recipes-devtools/file/file_5.37.bb

> > > index a840dbc012b..c53a120b840 100644

> > > --- a/meta/recipes-devtools/file/file_5.37.bb

> > > +++ b/meta/recipes-devtools/file/file_5.37.bb

> > > @@ -21,6 +21,8 @@ S = "${WORKDIR}/git"

> > >

> > >  inherit autotools update-alternatives

> > >

> > > +EXTRA_OECONF += "--disable-libseccomp"

> > > +

> >

> > On host it makes sense but how about for target recipe ? We do have

> > libseccomp support

> > Perhaps it’s best to disable it for native and native sdk alone ?

>

> Given the problem reports in the media and the decisions made by most

> other distros I think disabling this is probably safest until its been

> make more usable (no other distro is shipping this enabled now).

>


Ok makes sense


> Cheers,

>

> Richard

>

>

>

>

>

>
<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Oct 19, 2019 at 2:58 AM Richard Purdie &lt;<a href="mailto:richard.purdie@linuxfoundation.org">richard.purdie@linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, 2019-10-18 at 18:03 +0530, Khem Raj wrote:<br>
&gt; <br>
&gt; <br>
&gt; On Fri, Oct 18, 2019 at 4:58 PM Ross Burton &lt;<a href="mailto:ross.burton@intel.com" target="_blank">ross.burton@intel.com</a>&gt;<br>
&gt; wrote:<br>
&gt; &gt; file will automatically enable seccomp if the seccomp headers are<br>
&gt; &gt; available, but<br>
&gt; &gt; the build will fail on Opensuse Tumbleweed because the include<br>
&gt; &gt; paths are wrong.<br>
&gt; &gt; <br>
&gt; &gt; Enabling seccomp is a bad idea because it interacts badly with<br>
&gt; &gt; pseudo (causing<br>
&gt; &gt; build failures), so explicitly and globally disable seccomp.<br>
&gt; &gt; <br>
&gt; &gt; Signed-off-by: Ross Burton &lt;<a href="mailto:ross.burton@intel.com" target="_blank">ross.burton@intel.com</a>&gt;<br>
&gt; &gt; ---<br>
&gt; &gt;  meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a> | 2 ++<br>
&gt; &gt;  1 file changed, 2 insertions(+)<br>
&gt; &gt; <br>
&gt; &gt; diff --git a/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
&gt; &gt; b/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
&gt; &gt; index a840dbc012b..c53a120b840 100644<br>
&gt; &gt; --- a/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
&gt; &gt; +++ b/meta/recipes-devtools/file/<a href="http://file_5.37.bb" rel="noreferrer" target="_blank">file_5.37.bb</a><br>
&gt; &gt; @@ -21,6 +21,8 @@ S = &quot;${WORKDIR}/git&quot;<br>
&gt; &gt; <br>
&gt; &gt;  inherit autotools update-alternatives<br>
&gt; &gt; <br>
&gt; &gt; +EXTRA_OECONF += &quot;--disable-libseccomp&quot;<br>
&gt; &gt; +<br>
&gt; <br>
&gt; On host it makes sense but how about for target recipe ? We do have<br>
&gt; libseccomp support <br>
&gt; Perhaps it’s best to disable it for native and native sdk alone ?<br>
<br>
Given the problem reports in the media and the decisions made by most<br>
other distros I think disabling this is probably safest until its been<br>
make more usable (no other distro is shipping this enabled now).<br>
</blockquote><div dir="auto"><br></div><div dir="auto">Ok makes sense </div><div dir="auto"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Cheers,<br>
<br>
Richard<br>
<br>
<br>
<br>
<br>
<br>
</blockquote></div></div>
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff mbox series

Patch

diff --git a/meta/recipes-devtools/file/file_5.37.bb b/meta/recipes-devtools/file/file_5.37.bb
index a840dbc012b..c53a120b840 100644
--- a/meta/recipes-devtools/file/file_5.37.bb
+++ b/meta/recipes-devtools/file/file_5.37.bb
@@ -21,6 +21,8 @@  S = "${WORKDIR}/git"
 
 inherit autotools update-alternatives
 
+EXTRA_OECONF += "--disable-libseccomp"
+
 ALTERNATIVE_${PN} = "file"
 ALTERNATIVE_LINK_NAME[file] = "${bindir}/file"