From 20157f0717b73c1698aa42b21b3b3c2b554107af Mon Sep 17 00:00:00 2001
From: Flatcar Buildbot
Date: Mon, 1 Sep 2025 07:13:58 +0000
Subject: [PATCH] sys-apps/file: Sync with Gentoo

It's from Gentoo commit 704d0fb0689c1dc690931187a0a66fdc540edbe1.

Signed-off-by: Flatcar Buildbot
---
 .../sys-apps/file/file-5.46-r3.ebuild | 192 ++++++++++++++++++
 ...ile-5.46-seccomp-glibc-2.42-followup.patch | 20 ++
 .../files/file-5.46-seccomp-glibc-2.42.patch | 82 ++++++++
 .../file/files/file-5.46-seccomp-rseq.patch | 50 +++++
 4 files changed, 344 insertions(+)
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/file/file-5.46-r3.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42-followup.patch
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-rseq.patch

diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/file/file-5.46-r3.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/file/file-5.46-r3.ebuild
new file mode 100644
index 0000000000..4b9f8508c1
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/file/file-5.46-r3.ebuild
@@ -0,0 +1,192 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+DISTUTILS_OPTIONAL=1
+PYTHON_COMPAT=( python3_{11..14} )
+
+inherit distutils-r1 toolchain-funcs multilib-minimal
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/file/file"
+ inherit autotools git-r3
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/file.asc
+ inherit libtool verify-sig
+ SRC_URI="https://astron.com/pub/file/${P}.tar.gz"
+ SRC_URI+=" verify-sig? ( https://astron.com/pub/file/${P}.tar.gz.asc )"
+
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-file )"
+fi
+
+DESCRIPTION="Identify a file's format by scanning binary data for patterns"
+HOMEPAGE="https://www.darwinsys.com/file/"
+
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="bzip2 lzip lzma python seccomp static-libs zlib zstd"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+DEPEND="
+ bzip2? ( app-arch/bzip2[${MULTILIB_USEDEP}] )
+ lzip? ( app-arch/lzlib )
+ lzma? ( app-arch/xz-utils[${MULTILIB_USEDEP}] )
+ seccomp? ( >=sys-libs/libseccomp-2.5.4[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+ zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )
+"
+RDEPEND="
+ ${DEPEND}
+ python? (
+ ${PYTHON_DEPS}
+ !dev-python/python-magic
+ )
+ seccomp? ( >=sys-libs/libseccomp-2.5.4[${MULTILIB_USEDEP}] )
+"
+BDEPEND+="
+ python? (
+ ${PYTHON_DEPS}
+ ${DISTUTILS_DEPS}
+ )
+"
+
+# https://bugs.gentoo.org/898676
+QA_CONFIG_IMPL_DECL_SKIP=( makedev )
+
+PATCHES=(
+ "${FILESDIR}/file-5.43-seccomp-fstatat64-musl.patch" #789336, not upstream yet
+ "${FILESDIR}/file-5.45-seccomp-sandbox.patch"
+ "${FILESDIR}/file-5.46-zip.patch"
+ "${FILESDIR}/file-5.46-buffer-overflow.patch"
+ "${FILESDIR}/file-5.46-seccomp-rseq.patch"
+ "${FILESDIR}/file-5.46-seccomp-glibc-2.42.patch"
+ "${FILESDIR}/file-5.46-seccomp-glibc-2.42-followup.patch"
+)
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ else
+ elibtoolize
+ fi
+
+ # Don't let python README kill main README, bug #60043
+ mv python/README.md python/README.python.md || die
+
+ # bug #662090
+ sed -i 's@README.md@README.python.md@' python/setup.py || die
+}
+
+multilib_src_configure() {
+ local myeconfargs=(
+ --enable-fsect-man5
+ $(use_enable bzip2 bzlib)
+ $(multilib_native_use_enable lzip lzlib)
+ $(use_enable lzma xzlib)
+ $(use_enable seccomp libseccomp)
+ $(use_enable static-libs static)
+ $(use_enable zlib)
+ $(use_enable zstd zstdlib)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+build_src_configure() {
+ local myeconfargs=(
+ --disable-shared
+ --disable-libseccomp
+ --disable-bzlib
+ --disable-xzlib
+ --disable-zlib
+ )
+
+ econf_build "${myeconfargs[@]}"
+}
+
+need_build_file() {
+ # When cross-compiling, we need to build up our own file
+ # because people often don't keep matching host/target
+ # file versions, bug #362941
+ tc-is-cross-compiler && ! has_version -b "~${CATEGORY}/${P}"
+}
+
+src_configure() {
+ local ECONF_SOURCE="${S}"
+
+ if need_build_file ; then
+ mkdir -p "${WORKDIR}"/build || die
+ cd "${WORKDIR}"/build || die
+ build_src_configure
+ fi
+
+ multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi ; then
+ emake
+ else
+ # bug #586444
+ emake -C src magic.h
+ emake -C src libmagic.la
+ fi
+}
+
+src_compile() {
+ if need_build_file ; then
+ # bug #586444
+ emake -C "${WORKDIR}"/build/src magic.h
+ emake -C "${WORKDIR}"/build/src file
+ local -x PATH="${WORKDIR}/build/src:${PATH}"
+ fi
+
+ multilib-minimal_src_compile
+
+ if use python ; then
+ cd python || die
+ distutils-r1_src_compile
+ fi
+}
+
+src_test() {
+ multilib-minimal_src_test
+
+ if use python ; then
+ cd python || die
+ distutils-r1_src_test
+ fi
+}
+
+python_test() {
+ eunittest
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi ; then
+ default
+ else
+ emake -C src install-{nodist_includeHEADERS,libLTLIBRARIES} DESTDIR="${D}"
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc ChangeLog MAINT # README
+
+ # Required for `file -C`
+ insinto /usr/share/misc/magic
+ doins -r magic/Magdir/*
+
+ if use python ; then
+ cd python || die
+ distutils-r1_src_install
+ fi
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42-followup.patch b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42-followup.patch
new file mode 100644
index 0000000000..0be2effabe
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42-followup.patch
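Review bot: In file-5.46-r3.ebuild, `build_src_configure` turns off `--disable-bzlib`, `--disable-xzlib` and `--disable-zlib` for the build-host helper but passes nothing for zstd or lzlib, although `multilib_src_configure` shows both are configure switches (`$(use_enable zstd zstdlib)`, `$(multilib_native_use_enable lzip lzlib)`). The helper built when cross-compiling may therefore link whatever the build machine happens to have installed; adding `--disable-zstdlib` and `--disable-lzlib` to that array would make its feature set fixed. Separately, the `seccomp? ( >=sys-libs/libseccomp-2.5.4[${MULTILIB_USEDEP}] )` line in RDEPEND repeats what `${DEPEND}` already pulls in and can be dropped.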
@@ -0,0 +1,20 @@
+There's no need for the __linux__ check, as seccomp is Linux-only. Avoid
+including which will clash with .
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -34,14 +34,7 @@ FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 christos Exp $")
+ #include /* libseccomp */
+ #include /* prctl */
+ #include
+-#ifdef __powerpc64__
+-// See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
+-# include
+-#elif defined __linux__
+-# include
+-#else
+-# include
+-#endif
++#include
+ #include
+ #include
+ #include
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch
new file mode 100644
index 0000000000..47ae4d4074
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-glibc-2.42.patch
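Review bot: The header of file-5.46-seccomp-glibc-2.42-followup.patch explains dropping the `__linux__` check but says nothing about the `__powerpc64__` branch that the hunk also removes, which the previous patch had added with a pointer to sourceware bug 32806. Anyone auditing the sandbox changes cannot tell from this text whether the single remaining include still covers that case. The patch also has no origin line, unlike the two sibling patches that open with an upstream URL; a first line such as `Upstream: <bug or commit URL, or "not upstream yet">` plus one sentence on why the powerpc64 special case is no longer needed would close both gaps.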
@@ -0,0 +1,82 @@
+https://bugs.astron.com/view.php?id=678
+Two patches:
+1) https://github.com/file/file/commit/f49e4b1a393c0378e43b65c36765676c98d018c4
+2) From the bug
+
+From f49e4b1a393c0378e43b65c36765676c98d018c4 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas
+Date: Thu, 20 Mar 2025 14:57:41 +0000
+Subject: [PATCH] Fix termios handling on linux/ppc (Dr. Werner Fink)
+
+---
+ src/seccomp.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index 9e00034ad..f05c30f9f 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,15 +27,20 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.30 2024/11/28 14:04:24 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+ #include /* libseccomp */
+ #include /* prctl */
+-#include
+ #include
+-#include
++#ifdef __powerpc64__
++// See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
++# include
++#else
++# include
++#endif
++#include
+ #include
+ #include
+ #include
+
+
+From 7b23bd3f87069fcebc9173c8d1637c2a2e1a12d1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Wed, 6 Aug 2025 23:11:10 +0200
+Subject: [PATCH] Extend seccomp for glibc and physical terminals
+
+New glibc implementations might also use TCGETS2 instead of TCGETS.
+This happens on current Arch Linux systems. Allow TCGETS2 in seccomp
+sandbox as well.
+---
+ src/seccomp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index f05c30f9..dddb821c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -37,6 +37,8 @@ FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 christos Exp $")
+ #ifdef __powerpc64__
+ // See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
+ # include
++#elif defined __linux__
++# include
+ #else
+ # include
+ #endif
+@@ -121,6 +123,10 @@ enable_sandbox(void)
+ #ifdef TCGETS
+ // glibc may call ioctl TCGETS on stdout on physical terminal
+ ALLOW_IOCTL_RULE(TCGETS);
++#endif
++#ifdef TCGETS2
++ // glibc may call ioctl TCGETS2 on stdout on physical terminal
++ ALLOW_IOCTL_RULE(TCGETS2);
+ #endif
+ ALLOW_RULE(lseek);
+ ALLOW_RULE(_llseek);
+--
+2.50.1
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-rseq.patch b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-rseq.patch
new file mode 100644
index 0000000000..a0b124f488
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/file/files/file-5.46-seccomp-rseq.patch
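Review bot: In file-5.46-seccomp-glibc-2.42.patch the new `ALLOW_IOCTL_RULE(TCGETS2);` in enable_sandbox is compiled only under `#ifdef TCGETS2`, so whether the rule exists at all depends on which termios header the include block at the top of seccomp.c ends up pulling in, and that is the block this patch rewrites. If the macro is not visible at build time the rule is omitted without any diagnostic, and the sandboxed process would presumably be refused that ioctl when glibc issues it on a terminal. A comment at the guard such as `// TCGETS2 is only defined by the kernel termios header; without it this rule is silently left out` would make the coupling explicit, and a test that runs the built binary with stdout on a pty would catch a regression. enable_sandbox begins and ends outside the hunk.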
@@ -0,0 +1,50 @@
+https://github.com/file/file/commit/339bdef41536d63ffacd2e48082d195a1e3617b9
+
+From 339bdef41536d63ffacd2e48082d195a1e3617b9 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas
+Date: Thu, 28 Nov 2024 14:04:24 +0000
+Subject: [PATCH] Sort, add rseq (Cristian Rodriguez)
+
+---
+ src/seccomp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index ce8243300..9e00034ad 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -27,7 +27,7 @@
+ #include "file.h"
+
+ #ifndef lint
+-FILE_RCSID("@(#)$File: seccomp.c,v 1.29 2024/09/29 16:49:25 christos Exp $")
++FILE_RCSID("@(#)$File: seccomp.c,v 1.30 2024/11/28 14:04:24 christos Exp $")
+ #endif /* lint */
+
+ #if HAVE_LIBSECCOMP
+@@ -103,6 +103,8 @@ enable_sandbox(void)
+ #ifdef __NR_getdents64
+ ALLOW_RULE(getdents64);
+ #endif
++ ALLOW_RULE(getpid); // Used by glibc in file_pipe2file()
++ ALLOW_RULE(getrandom); // Used by glibc in file_pipe2file()
+ #ifdef FIONREAD
+ // called in src/compress.c under sread
+ ALLOW_IOCTL_RULE(FIONREAD);
+@@ -136,6 +138,7 @@ enable_sandbox(void)
+ #ifdef __NR_readlinkat
+ ALLOW_RULE(readlinkat);
+ #endif
++ ALLOW_RULE(rseq); // Used by glibc to randomize malloc
+ ALLOW_RULE(rt_sigaction);
+ ALLOW_RULE(rt_sigprocmask);
+ ALLOW_RULE(rt_sigreturn);
+@@ -145,8 +148,6 @@ enable_sandbox(void)
+ ALLOW_RULE(stat64);
+ ALLOW_RULE(sysinfo);
+ ALLOW_RULE(umask); // Used in file_pipe2file()
+- ALLOW_RULE(getpid); // Used by glibc in file_pipe2file()
+- ALLOW_RULE(getrandom); // Used by glibc in file_pipe2file()
+ ALLOW_RULE(unlink);
+ ALLOW_RULE(utimes);
+ ALLOW_RULE(write);
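Review bot: The justification on the added allowlist entry in file-5.46-seccomp-rseq.patch, `ALLOW_RULE(rseq); // Used by glibc to randomize malloc`, does not describe what rseq is: it is the restartable-sequences registration syscall, which glibc issues when a thread starts. Each entry in enable_sandbox widens what the sandboxed parser may do, so the comment beside it is the audit record and should be accurate; `// glibc registers restartable sequences at thread start` would be closer. The entry is also added without an `#ifdef __NR_rseq` guard, unlike the neighbouring getdents64 and readlinkat rules, which is presumably acceptable given the libseccomp version the ebuild requires but is worth confirming. Since this is an upstream commit, the wording fix belongs upstream; enable_sandbox begins and ends outside the hunks.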