From 441f6d73051f459767f04c4cbe6d530db04ff07a Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Wed, 24 Jul 2019 12:26:48 -0400
Subject: [pacman-dev] [PATCH v2] RFC: support file with seccomp enabled

Not all compression types can be detected in the seccomp sandbox, so we need to disable it. This requires either configuring makepkg to know the sandbox is available, or checking for file >= 5.38 in which the sandbox option is a no-op even when seccomp is disabled.

- Requires autoconf-archive for autotools version compare macro.
- meson version comparison could be made a lot simpler using meson-git.

Signed-off-by: Eli Schwartz
---
 build-aux/edit-script.sh.in | 1 +
 configure.ac | 18 ++++++++++++++++++
 meson.build | 9 +++++++++
 meson_options.txt | 3 +++
 scripts/Makefile.am | 1 +
 scripts/libmakepkg/source/file.sh.in | 2 +-
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/build-aux/edit-script.sh.in b/build-aux/edit-script.sh.in
index d5495057..640d32f8 100644
--- a/build-aux/edit-script.sh.in
+++ b/build-aux/edit-script.sh.in
@@ -19,6 +19,7 @@ mode=$3
 -e "s|@TEMPLATE_DIR[@]|@TEMPLATE_DIR@|g" \
 -e "s|@DEBUGSUFFIX[@]|@DEBUGSUFFIX@|g" \
 -e "s|@INODECMD[@]|@INODECMD@|g" \
+ -e "s|@FILECMD[@]|@FILECMD@|g" \
 -e "s|@SEDINPLACEFLAGS[@]|@SEDINPLACEFLAGS@|g" \
 -e "s|@SEDPATH[@]|@SEDPATH@|g" \
 -e "s|@configure_input[@]|Generated from ${input##*/}; do not edit by hand.|g" \
diff --git a/configure.ac b/configure.ac
index cb2fb2bf..f11bc7aa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -120,6 +120,12 @@ AC_ARG_WITH(ldconfig,
 [set the full path to ldconfig]),
 [LDCONFIG=$withval], [LDCONFIG=/sbin/ldconfig])
 
+# Help line for determining whether file is seccomp-enabled
+AC_ARG_WITH(file-seccomp,
+ AS_HELP_STRING([--with-file-seccomp={yes|no|auto}],
+ [determine whether file is seccomp-enabled @<:@default=auto@:>@]),
+ [with_file_seccomp=$withval], [with_file_seccomp=auto])
+
 # Help line for selecting a crypto library
 AC_ARG_WITH(crypto,
 AS_HELP_STRING([--with-crypto={openssl|nettle}],
@@ -222,6 +228,18 @@ PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], ,
 PKG_CHECK_MODULES(LIBARCHIVE, [libarchive >= 3.0.0], ,
 AC_MSG_ERROR([*** libarchive >= 3.0.0 is needed to compile pacman!]))
 
+# Check file for seccomp
+if test "x$with_file_seccomp" = "xauto"; then
+ file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"
+ AX_COMPARE_VERSION([$file_version], [ge], [5.38], [with_file_seccomp=yes])
+fi
+if test "x$with_file_seccomp" = "xyes"; then
+ FILECMD="file -S"
+else
+ FILECMD="file"
+fi
+AC_SUBST(FILECMD)
+
 # Check for OpenSSL
 have_openssl=no
 have_nettle=no
diff --git a/meson.build b/meson.build
index 13f730b1..68262240 100644
--- a/meson.build
+++ b/meson.build
@@ -234,12 +234,20 @@ config_h = configure_file(
 configuration : conf)
 add_project_arguments('-include', 'config.h', language : 'c')
 
+filecmd = 'file'
 default_sedinplaceflags = ' --follow-symlinks -i'
 inodecmd = 'stat -c \'%i %n\''
 strip_binaries = '--strip-all'
 strip_shared = '--strip-unneeded'
 strip_static = '--strip-debug'
 
+file_seccomp = get_option('file-seccomp')
+# meson-git has find_program('file', required: false, version: '>=5.38')
+filever = run_command('sh', '-c', 'file --version | sed -n "s/^file-\(.*\)/\\1/p"').stdout()
+if file_seccomp.enabled() or ( file_seccomp.auto() and filever.version_compare('>= 5.38') )
+ filecmd = 'file -S'
+endif
+
 os = host_machine.system()
 if os.startswith('darwin')
 inodecmd = '/usr/bin/stat -f \'%i %n\''
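Review bot: The auto probe at `file_version="$(file --version| sed -n 's/^file-\(.*\)/\1/p')"` produces an empty string when `file` is absent from PATH or prints a format the sed does not match, and AX_COMPARE_VERSION then treats the empty value as "older than 5.38", so configure silently settles on `FILECMD="file"` with nothing in the log explaining why. Wrapping the probe in `AC_MSG_CHECKING`/`AC_MSG_RESULT`, or at least adding `test -n "$file_version" || AC_MSG_WARN([could not determine file version; using plain file])`, would make that outcome visible; the meson.build hunk below has the same silent fallback. A second caveat worth a comment near `AC_SUBST(FILECMD)` is that the probe inspects the build host's `file` while the substituted command is baked into makepkg and run on the target, so a cross-build or a later change of `file` on the target can leave makepkg invoking `file -S` against a binary that, per the commit message, rejects the option before 5.38 when built without seccomp.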
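Review bot: `filever` holds the raw `.stdout()` of the shell pipeline, trailing newline included, and it is empty when `file` is not installed, so `filever.version_compare('>= 5.38')` decides the `auto` case on input that was never validated; I am not certain `version_compare` tolerates the newline, so stripping is the safe form. `filever = run_command('sh', '-c', '...').stdout().strip()` together with `file_seccomp.auto() and filever != '' and filever.version_compare('>= 5.38')` keeps the decision explicit, and a `warning()` when `filever` is empty mirrors what the configure.ac check should also do. The `run_command()` also executes unconditionally, even when the feature is disabled; guarding it with `if not file_seccomp.disabled()` avoids a needless shell-out in that configuration. The build-host-versus-target caveat raised on the configure.ac hunk applies to this detection as well.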
@@ -282,6 +290,7 @@ substs.set('BUILDSCRIPT', BUILDSCRIPT)
 substs.set('TEMPLATE_DIR', get_option('makepkg-template-dir'))
 substs.set('DEBUGSUFFIX', get_option('debug-suffix'))
 substs.set('INODECMD', inodecmd)
+substs.set('FILECMD', filecmd)
 substs.set('SEDINPLACEFLAGS', sedinplaceflags)
 substs.set('SEDPATH', SED.path())
 substs.set('LIBMAKEPKGDIR', LIBMAKEPKGDIR)
diff --git a/meson_options.txt b/meson_options.txt
index 2d640e87..2b92ca1a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -52,5 +52,8 @@ option('i18n', type : 'boolean', value : true,
 description : 'enable localization of pacman, libalpm and scripts')
 
 # tools
+option('file-seccomp', type: 'feature', value: 'auto',
+ description: 'determine whether file is seccomp-enabled')
+
 option('sedinplaceflags', type : 'string', value : 'auto',
 description : 'flags to pass to sed to edit a file in-place')
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 0597a0e5..1008fed3 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -180,6 +180,7 @@ edit = sed \
 -e 's|@TEMPLATE_DIR[@]|$(TEMPLATE_DIR)|g' \
 -e 's|@DEBUGSUFFIX[@]|$(DEBUGSUFFIX)|g' \
 -e "s|@INODECMD[@]|$(INODECMD)|g" \
+ -e "s|@FILECMD[@]|$(FILECMD)|g" \
 -e 's|@SEDINPLACEFLAGS[@]|$(SEDINPLACEFLAGS)|g' \
 -e 's|@SEDPATH[@]|$(SEDPATH)|g' \
 -e 's|@SCRIPTNAME[@]|$@|g' \
diff --git a/scripts/libmakepkg/source/file.sh.in b/scripts/libmakepkg/source/file.sh.in
index 8492ba11..f6d79f9e 100644
--- a/scripts/libmakepkg/source/file.sh.in
+++ b/scripts/libmakepkg/source/file.sh.in
@@ -96,7 +96,7 @@ extract_file() {
 fi
 
 # do not rely on extension for file type
- local file_type=$(file -bizL -- "$file")
+ local file_type=$(@FILECMD@ -bizL -- "$file")
 local ext=${file##*.}
 local cmd=''
 case "$file_type" in
--
2.22.0
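Review bot: `local file_type=$(@FILECMD@ -bizL -- "$file")` now runs `file` with its seccomp sandbox switched off (when `@FILECMD@` expands to `file -S`) on a downloaded source whose type is not yet known, and the only comment at the call site still reads `do not rely on extension for file type`; the reason the sandbox is dropped lives in the commit message and will be lost to the next reader. A one-line comment above it would keep the trade-off visible, e.g. `# @FILECMD@ may carry -S: some compression types cannot be detected inside file's seccomp sandbox (see configure/meson detection)`. Separately, if the substituted `file -S` is rejected at runtime by a `file` build that does not accept the option, the command substitution leaves `file_type` empty and the `case` falls through to its default branch with no hint about the cause; testing `[[ -z $file_type ]]` and emitting a warning before the `case` would make that failure diagnosable. extract_file's body continues outside the hunk on both sides.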