| 4 Jul 2026 |
hexa | https://github.com/file/file/commit/d1253f68dd075fe063117f2f15caedf835e01328 | 11:29:07 |
hexa | or landlock | 11:29:38 |
hexa | https://github.com/file/file/commit/c18098f7590027dccb8efac534d73650c7678362 | 11:29:38 |
tom | FWIW, passing --no-sandbox also doesn't help / still outputs application/x-decompression-error-bzip2-Cannot-posix-spawn--bzip2---Permission-denied
-S, --no-sandbox disable system call sandboxing
| 11:38:52 |
hexa | works after building with --disable-landlock | 12:01:26 |
tom | can confirm | 12:02:33 |
tom | * can confirm, I also had a build running | 12:02:58 |
hexa | https://github.com/file/file/commit/c18098f7590027dccb8efac534d73650c7678362#diff-e6998db1fa15e1051e40b63c686f2f0c83b81a865694def06dc9ef111764cfc3R121-R123 | 12:06:43 |
hexa | I think this smells | 12:06:46 |
hexa |
/* Landlock sandbox: read anywhere, write only in $TMPDIR. */
| 12:07:37 |
hexa | that's fair, but execute? | 12:07:45 |
tom | yeah, I'm not seeing any LANDLOCK_ACCESS_FS_EXECUTE | 12:10:13 |
tom | yup, that's it. works after adding a | LANDLOCK_ACCESS_FS_EXECUTE in the landlock_allow_path call. | 12:19:06 |
hexa | what kind of machine are you building on? :D | 12:19:35 |
hexa | gnutar ain't cheap to build | 12:19:48 |
K900 | We're not scrapping the cycle for this, are we | 12:20:08 |
hexa | I hope not | 12:20:17 |
hexa | diff --git a/pkgs/tools/misc/file/default.nix b/pkgs/tools/misc/file/default.nix
index da9968755584..ed03fc9f892b 100644
--- a/pkgs/tools/misc/file/default.nix
+++ b/pkgs/tools/misc/file/default.nix
@@ -26,6 +26,12 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-7RRlaIOyOjZLQFfAVZXZMlLam8Rz0wEGUZUZ0NoUEoM=";
};
+ postPatch = ''
+ substituteInPlace src/landlock.c --replace-fail \
+ "LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR" \
+ "LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE"
+ '';
+
outputs = [
"out"
"dev"
| 12:20:25 |
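Review bot: The postPatch block has no comment saying why LANDLOCK_ACCESS_FS_EXECUTE is added or which upstream change it works around, so a later version bump has nothing to check against when deciding whether to drop it. Add a comment above the substituteInPlace call that names the symptom (file cannot posix-spawn its decompression helpers such as bzip2 under the Landlock sandbox) and links the upstream report once one exists. The substitution is also a plain string match on src/landlock.c, so it extends every occurrence of the READ_FILE | READ_DIR mask and allows execution wherever that rule grants read access; say so in the comment. Keeping --replace-fail is right, since the build then breaks as soon as upstream changes the line.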
hexa | fwiw | 12:20:26 |
tom | gnutar takes like 5m40 for me ^^ CPU is an i7-13700K | 12:20:49 |
hexa |
⏵ gnutar-1.35 on 1cd ⏱ 8m4s (∅ 11m22s)
| 12:21:09 |
hexa | upstream only has a mailing list 🥲 | 12:22:02 |
K900 | Of course they do | 12:22:37 |
tom | they also have https://bugs.astron.com/ | 12:23:19 |
tom | whatever that is | 12:23:26 |
hexa | ohhh mantis | 12:23:29 |
hexa | I like | 12:23:34 |
hexa | looks very different than I remember it | 12:25:49 |
hexa | from 15-20 years ago 🫣 | 12:25:56 |