authorClemens Gruber <clemens.gruber@pqgruber.com>2018-06-27 17:24:08 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2018-06-28 12:07:36 +0200
commit12d2997b4660a89985626abc88a074094d14b9e0 (patch)
tree95c8d7a29c20a1293316005f98705380bc308276 /rules
parent37f92ae91a86ac58eff005f9fd561d845cb592d3 (diff)
downloadptxdist-12d2997b4660a89985626abc88a074094d14b9e0.tar.gz
ptxdist-12d2997b4660a89985626abc88a074094d14b9e0.tar.xz
file: seccomp sandboxing
Support seccomp sandboxing to reduce the attack surface and enable it by default. Important for use cases with files from untrusted sources. Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'rules')
-rw-r--r--rules/file.in14
-rw-r--r--rules/file.make2
2 files changed, 14 insertions, 2 deletions
diff --git a/rules/file.in b/rules/file.in
index a4e0a7125..3f44cc380 100644
--- a/rules/file.in
+++ b/rules/file.in
@@ -1,10 +1,11 @@
## SECTION=shell_and_console
-config FILE
+menuconfig FILE
tristate
select HOST_FILE
select ZLIB
select GCCLIBS_GCC_S
+ select LIBSECCOMP if FILE_SECCOMP
prompt "file"
help
The file command is "a file type guesser", that is, a command-line tool
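Review bot: `select LIBSECCOMP if FILE_SECCOMP` forces LIBSECCOMP on without evaluating that symbol's own `depends on` lines, and FILE_SECCOMP is `default y` in the second hunk of this file. If the libseccomp rule is restricted to particular architectures or kernel features (its definition is not visible here), FILE_SECCOMP should repeat that restriction in a `depends on` line so the sandbox is only offered where the library can actually be built. Otherwise an existing configuration with FILE enabled may pick up an unsatisfiable selection after this change.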
@@ -15,3 +16,14 @@ config FILE
reliable, but requires a bit of I/O.
http://www.darwinsys.com/file/
+
+if FILE
+
+config FILE_SECCOMP
+ bool
+ default y
+ prompt "enable seccomp sandboxing"
+ help
+ Enables seccomp sandboxing to reduce the attack surface.
+
+endif
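Review bot: The help text of FILE_SECCOMP does not say what the option requires or changes at runtime, which matters because `default y` switches it on for every configuration that already has FILE enabled. I would extend it along the lines of `Requires seccomp filter support in the target kernel (CONFIG_SECCOMP_FILTER). The sandbox can be turned off per invocation with file's -S/--no-sandbox option.` As far as I know, file aborts when the filter cannot be installed, and its man page says -S is needed when -z has to run external decompressors, so both points are worth confirming against the packaged version before stating them here. This is a documentation change only.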
diff --git a/rules/file.make b/rules/file.make
index d60a0b045..bfa39ae76 100644
--- a/rules/file.make
+++ b/rules/file.make
@@ -37,7 +37,7 @@ FILE_CONF_OPT := \
--enable-elf \
--enable-elf-core \
--enable-zlib \
- --disable-libseccomp \
+ --$(call ptx/endis, PTXCONF_FILE_SECCOMP)-libseccomp \
--disable-fsect-man5 \
$(GLOBAL_LARGE_FILE_OPTION) \
--disable-warnings