Re: new snapshot available: coreutils-8.27.99-3ebdc3

[Pádraig Brady]

On 29/08/17 05:43, Kamil Dudka wrote:
> On Tuesday, August 29, 2017 10:49:17 AM CEST Pádraig Brady wrote:
>> We plan to release coreutils-8.28 towards the end of this week,
>> so any testing you can do on various different systems between now and then
>> would be most welcome.
>>
>> --------------------------------------
>>
>> You can download the coreutils snapshot in xz format (5.2 MB) from:
>>   https://pixelbeat.org/cu/coreutils-ss.tar.xz
>>
>> And verify with gpg or md5sum with:
>>   https://pixelbeat.org/cu/coreutils-ss.tar.xz.sig
>>   MD5 (coreutils-ss.tar.xz) = f38d980b63f88b66bf2415c3edf6313b
>>
>> --------------------------------------
>>
>> To test follow this standard procedure:
>>
>>   tar -xf coreutils-ss.tar.xz
>>   cd coreutils-8.27.99-3ebdc3/
>>   ./configure && make check VERBOSE=yes
>>
>> Failures are reported and details are in tests/test-suite.log
> 
> tests/misc/runcon-no-reorder.sh fails on my Fedora 25 VM if and only
> if coreutils is compiled _without_ having libseccomp-devel installed:
> 
> FAIL: tests/misc/runcon-no-reorder
> ==================================

> + diff -u exp out
> --- exp 2017-08-29 14:39:57.481307950 +0200
> +++ out 2017-08-29 14:39:57.486307987 +0200
> @@ -1 +1 @@
> -runcon: runcon may be used only on a SELinux kernel
> +runcon: cannot create session

Indeed my setsid() is not robust because one really needs
to fork first (and check for -1 in the return).

However I've investigated a bit more libseccomp doesn't
provide that much protection. I.E. there are other ways
to input to a tty when passing it to a lower privilege process.

So it looks like libseccomp is not worth it,
and I'll remove that before release I think.

cheers,
Pádraig