fixes for android/termux setup#909
Open
tridge wants to merge 6 commits into
Open
Conversation
secure_relative_open() invokes openat2(2) directly via syscall() (glibc lacked a wrapper for years). In a seccomp-restricted environment a disallowed syscall raises SIGSYS and kills the process rather than failing with ENOSYS, so the existing "fall back on ENOSYS" path never runs. The Android app sandbox blocks openat2 exactly this way: on Termux every rsync transfer died the moment the receiver opened a basis file (receiver.c calls secure_relative_open unconditionally), with the peer seeing only "connection unexpectedly closed". The same hazard applies to hardened containers and systemd's SystemCallFilter. Probe openat2 once behind a temporary SIGSYS handler (sigsetjmp/ siglongjmp). If it is missing or blocked, secure_relative_open_linux() returns ENOSYS so callers use the portable per-component O_NOFOLLOW walk, which relies only on openat() and is never seccomp-blocked. Where openat2 is available (the normal case) behaviour is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Termux's Python is built without os.link, and Android app storage rejects link(2) outright, so tests that build hard links crashed with AttributeError instead of skipping. Add hardlinks_supported() (a cached probe) and make_hardlink() (raises OSError, never AttributeError) to rsyncfns.py. The dedicated hardlinks test now skips cleanly; hands and relative guard their incidental hard links (the rest of each test still runs); itemize skips (its expected itemized output assumes the link). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Python 3.13's Path.is_file() propagates PermissionError, which Android's app sandbox raises for /proc/sys/fs/protected_regular, crashing the test before its guarded read_text(). Wrap is_file()+read_text() in one try/except OSError -> test_skipped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kernel_resolve_beneath_supported() calls openat2 directly to detect RESOLVE_BENEATH support. In a seccomp sandbox (Android/Termux) that call is killed with SIGSYS rather than failing with ENOSYS, killing the helper and failing chmod-symlink-race. Probe behind a temporary SIGSYS handler (sigsetjmp/siglongjmp), reporting "unsupported" when blocked -- matching the secure_relative_open() fix in syscall.c. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The issue RsyncProject#715 fix relies on openat2(RESOLVE_BENEATH); without it secure_relative_open() uses the per-component fallback, which can't follow a dir-symlink basedir, so RsyncProject#715 still applies. The test already skips on the non-Linux fallback platforms by name, but Android/Termux is a Linux kernel with openat2 blocked by seccomp, so it must skip too. Probe openat2(RESOLVE_BENEATH) at runtime in a subprocess (so a seccomp SIGSYS kills the child, not the test) and skip when it's unavailable. Also handle Termux's platform.system() == 'Android'. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add packaging/build-termux-deb.sh, which cross-compiles a statically-linked rsync with the Android NDK and packages it as a Termux .deb (installed under the Termux prefix, /data/data/com.termux/files/usr/bin/rsync), and a termux-deb.yml workflow that runs it for every Termux architecture (aarch64, arm, x86_64, i686) and uploads the .deb files as artifacts. The binary is self-contained: optional external libraries (zstd/lz4/xxhash/ openssl/acl/xattr/iconv) are omitted, leaving md5/md4 and bundled zlib, so the .deb has no Termux dependencies and installs with `dpkg -i` (or `apt install ./rsync_<ver>_<arch>.deb`) on any Termux version. The build forces the cross-compile cache values configure can't probe (lchmod/lutimes off; socketpair and mknod-FIFO/socket on; IPv6 enabled). The resulting binary includes the openat2-seccomp fallback, so transfers work in the Android app sandbox. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.