file: Use -S option with -z

The file(1) manual suggests using -S (disable seccomp) with -z since
the set of system calls provided by the seccomp policy does not allow
the subprocess to run.  This is obvious when you use file -z on a
compressed file on a Linux distro that enables file's seccomp policy
(Arch does this, Fedora does not):

  $ file -zbsL lib-i586.so.zst
  Bad system call

I also fixed some incorrect text in the manual.

Thanks: Toolybird for pointing to this fix
Reported-by: David Runge
Fixes: https://github.com/libguestfs/libguestfs/issues/100
Richard W.M. Jones
2022-11-28 10:21:00 +00:00
parent e657e45b43
commit 23986d3c4f
3 changed files with 5 additions and 6 deletions


@@ -43,7 +43,7 @@ let file path =
| S_SOCK -> "socket"
| S_REG ->
(* Regular file, so now run [file] on it. *)
let out = command "file" ["-zb"; Sysroot.sysroot_path path] in
let out = command "file" ["-zSb"; Sysroot.sysroot_path path] in
(* We need to remove the trailing \n from output of file(1).
*
@@ -54,6 +54,6 @@ let file path =
String.trimr out
)
else (* it's a device *) (
let out = command "file" ["-zbsL"; path] in
let out = command "file" ["-zSbsL"; path] in
String.trimr out
)
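Review bot: The `-S` added to both `file` invocations in this section (and to the `["-zSb"; bin_path]` call in the `cpio_arch` hunk) switches off file's seccomp policy with no comment at the call site, so a later reader cannot tell that it is deliberate. These calls run file(1) with `-z` on paths taken from the filesystem being inspected, so the content should be treated as untrusted. After this change, parsing and decompression are confined only by whatever isolation surrounds the calling process, which is not visible here. I would add above each call something like `(* -S: file's seccomp policy kills the -z decompression subprocess ("Bad system call"); sandbox disabled on purpose, see file(1). *)`. The body of `file` starts before the first hunk and continues between the two hunks shown.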


@@ -128,7 +128,7 @@ and cpio_arch magic orig_path path =
| bin :: bins ->
let bin_path = tmpdir // bin in
if is_regular_file bin_path then (
let out = command "file" ["-zb"; bin_path] in
let out = command "file" ["-zSb"; bin_path] in
file_architecture_of_magic out orig_path bin_path
)
else
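Review bot: Nothing visible here checks that the installed file(1) accepts `-S` before `["-zSb"; bin_path]` is passed unconditionally. If builds of file without that option are still supported, the call would presumably fail on an unknown option instead of returning a magic string; how `command` reports that is outside the hunk. It is worth confirming the minimum file version the project requires, or recording it in a comment such as `(* requires a file(1) that understands -S (--no-sandbox) *)`. The same applies to the two calls in the previous file section. `cpio_arch` begins and ends outside this hunk.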


@@ -2204,9 +2204,8 @@ the type or contents of the file.
This call will also transparently look inside various types
of compressed file.
The exact command which runs is C<file -zb path>. Note in
particular that the filename is not prepended to the output
(the I<-b> option).
The filename is not prepended to the output
(like the file command I<-b> option).
The output depends on the output of the underlying L<file(1)>
command and it can change in future in ways beyond our control.