Re: [PATCH] seccomp.sh: Quote tr character ranges to prevent glob expansion

On Mon, 3 Nov 2025 13:08:34 +0100 Laurent Vivier wrote:

we use [a-z] and [A-Z] patterns with 'tr', but if there are files with names matching these patterns they will be replaced by the name of the file and seccomp.h will not be generated correctly: $ rm seccomp.h $ touch a b $ make tr: extra operand '[A-Z]' Try 'tr --help' for more information. seccomp profile passt allows: accept accept4 bind clock_gettime close connect epoll_ctl epoll_pwait epoll_wait exit_group fallocate fcntl fsync ftruncate getsockname getsockopt listen lseek read recvfrom recvmmsg recvmsg sendmmsg sendmsg sendto ... cc -Wall -Wextra -Wno-format-zero-length -Wformat-security -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE -DPAGE_SIZE=4096 -DVERSION="2025_09_19.623dbf6-54-gf6b6118fcabd" -DDUAL_STACK_SOCKETS=1 -DHAS_GETRANDOM -fstack-protector-strong arch.c arp.c checksum.c conf.c dhcp.c dhcpv6.c epoll_ctl.c flow.c fwd.c icmp.c igmp.c inany.c iov.c ip.c isolation.c lineread.c log.c mld.c ndp.c netlink.c migrate.c packet.c passt.c pasta.c pcap.c pif.c repair.c tap.c tcp.c tcp_buf.c tcp_splice.c tcp_vu.c udp.c udp_flow.c udp_vu.c util.c vhost_user.c virtio.c vu_common.c -o passt In file included from isolation.c:83: seccomp.h:11:45: error: 'AUDIT_ARCH_' undeclared here (not in a function); did you mean 'AUDIT_ARCH'? 11 | BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_, 0, 80), | ^~~~~~~~~~~

Signed-off-by: Laurent Vivier --- seccomp.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/seccomp.sh b/seccomp.sh index a7bc417b9f6b..ba92b29d9a29 100755 --- a/seccomp.sh +++ b/seccomp.sh @@ -22,7 +22,7 @@ IN="$@" [ -z "${ARCH}" ] && ARCH="$(uname -m)" [ -z "${CC}" ] && CC="cc"

-AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr [a-z] [A-Z] \ +AUDIT_ARCH="AUDIT_ARCH_$(echo ${ARCH} | tr '[a-z]' '[A-Z]' \

Oops. I wonder if this is a complete fix though, because in general I didn't care about possible expansions and I just assumed I set -f on the whole script, which I didn't for some reason. That is, it should be: #!/bin/sh -euf and if you run 'shellcheck seccomp.sh', you'll find many other places where I didn't care, so perhaps we really need that -f, but I didn't look into all those shellcheck reports. And by the way of shellcheck and compatibility, this is still on my to-do list: https://github.com/chimera-linux/cports/pull/1483#issuecomment-2079007408 All in all, I can apply this, it fixes a bit and surely doesn't hurt. Or we can (also?) add -f, but we need to make sure we don't rely on expansions. We should perhaps check / fix reasonable shellcheck reports and compatibility issues too. Let me know if you think you might find time for any of that, or if I should just apply this for the moment. -- Stefano