author | Damien Miller <djm@mindrot.org> | 2013-02-22 11:37:00 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-02-22 11:37:00 +1100 |
commit | 91f40d8592562b804813a320a4ac3871dbaaf433 (patch) | |
tree | 11c012692061931ce2f673c8b733fa000b5d499b | |
parent | a2b5a4c746871bd32a12a00548ccf1a9c3c21101 (diff) |
- (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
ok dtucker
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | configure.ac | 86 | ||||
-rw-r--r-- | sandbox-seccomp-filter.c | 8 |
3 files changed, 60 insertions, 37 deletions
@@ -3,6 +3,9 @@ | |||
3 | ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. | 3 | ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm. |
4 | - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named | 4 | - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named |
5 | libgss too. Patch from Pierre Ossman, ok djm. | 5 | libgss too. Patch from Pierre Ossman, ok djm. |
6 | - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux | ||
7 | seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com; | ||
8 | ok dtucker | ||
6 | 9 | ||
7 | 20130221 | 10 | 20130221 |
8 | - (tim) [regress/forward-control.sh] shell portability fix. | 11 | - (tim) [regress/forward-control.sh] shell portability fix. |
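--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.507 2013/02/21 23:43:16 dtucker Exp $
+# $Id: configure.ac,v 1.508 2013/02/22 00:37:00 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.507 $)
+AC_REVISION($Revision: 1.508 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -120,31 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
 #include <sys/types.h>
 #include <linux/prctl.h>
 ])
-if test "x$have_linux_no_new_privs" = "x1" ; then
-AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
-#include <sys/types.h>
-#include <linux/seccomp.h>
-])
-fi
-if test "x$have_seccomp_filter" = "x1" ; then
-AC_MSG_CHECKING([kernel for seccomp_filter support])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <errno.h>
-#include <linux/seccomp.h>
-#include <stdlib.h>
-#include <sys/prctl.h>
-]],
-[[ errno = 0;
-prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-exit(errno == EFAULT ? 0 : 1); ]])],
-[ AC_MSG_RESULT([yes]) ], [
-AC_MSG_RESULT([no])
-# Disable seccomp filter as a target
-have_seccomp_filter=0
-]
-)
-fi
-
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
 [ --without-stackprotect Don't use compiler's stack protection], [
@@ -321,6 +296,7 @@ AC_CHECK_HEADERS([ \
 crypto/sha2.h \
 dirent.h \
 endian.h \
+elf.h \
 features.h \
 fcntl.h \
 floatingpoint.h \
@@ -700,20 +676,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
 [], [#include <linux/types.h>])
 AC_CHECK_FUNCS([prctl])
-have_seccomp_audit_arch=1
+AC_MSG_CHECKING([for seccomp architecture])
+seccomp_audit_arch=
 case "$host" in
 x86_64-*)
-AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64],
-[Specify the system call convention in use])
+seccomp_audit_arch=AUDIT_ARCH_X86_64
 ;;
 i*86-*)
-AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386],
-[Specify the system call convention in use])
-;;
-*)
-have_seccomp_audit_arch=0
+seccomp_audit_arch=AUDIT_ARCH_I386
 ;;
+arm*-*)
+seccomp_audit_arch=AUDIT_ARCH_ARM
+;;
 esac
+if test "x$seccomp_audit_arch" != "x" ; then
+AC_MSG_RESULT(["$seccomp_audit_arch"])
+AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+[Specify the system call convention in use])
+else
+AC_MSG_RESULT([architecture not supported])
+fi
 ;;
 mips-sony-bsd|mips-sony-newsos4)
 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -2629,6 +2611,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
 [non-privileged user for privilege separation])
 AC_SUBST([SSH_PRIVSEP_USER])
 
+if test "x$have_linux_no_new_privs" = "x1" ; then
+AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+#include <sys/types.h>
+#include <linux/seccomp.h>
+])
+fi
+if test "x$have_seccomp_filter" = "x1" ; then
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <errno.h>
+#include <elf.h>
+#include <linux/audit.h>
+#include <linux/seccomp.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+]],
+[[ int i = $seccomp_audit_arch;
+errno = 0;
+prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+exit(errno == EFAULT ? 0 : 1); ]])],
+[ AC_MSG_RESULT([yes]) ], [
+AC_MSG_RESULT([no])
+# Disable seccomp filter as a target
+have_seccomp_filter=0
+]
+)
+fi
+
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
@@ -2716,11 +2726,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
 elif test "x$sandbox_arg" = "xseccomp_filter" || \
 ( test -z "$sandbox_arg" && \
 test "x$have_seccomp_filter" = "x1" && \
+test "x$ac_cv_header_elf_h" = "xyes" && \
 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-test "x$have_seccomp_audit_arch" = "x1" && \
+test "x$ac_cv_header_linux_filter_h" = "xyes" && \
+test "x$seccomp_audit_arch" != "x" && \
 test "x$have_linux_no_new_privs" = "x1" && \
 test "x$ac_cv_func_prctl" = "xyes" ) ; then
-test "x$have_seccomp_audit_arch" != "x1" && \
+test "x$seccomp_audit_arch" = "x" && \
 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
 test "x$have_linux_no_new_privs" != "x1" && \
 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])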
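Review bot: The relocated seccomp_filter link test (new lines 2620-2640) still runs when `seccomp_audit_arch` is empty, and then `int i = $seccomp_audit_arch;` expands to `int i = ;`, so the test fails on a syntax error and configure prints `kernel for seccomp_filter support... no` for an unsupported architecture even when the kernel itself supports the filter mode. Gating the test on the architecture keeps the result meaningful: `if test "x$have_seccomp_filter" = "x1" && test "x$seccomp_audit_arch" != "x" ; then`. The otherwise unused `i` presumably exists so that a missing `AUDIT_ARCH_*` constant fails the test; a comment in the test program saying so, e.g. `/* fails if $seccomp_audit_arch is not defined by the headers above */`, would stop a later reader from removing it. Separately, the explicit-request branch at 2735-2738 (its body continues past the hunk) rejects only a missing architecture or PR_SET_NO_NEW_PRIVS, while auto-detection now also requires elf.h and linux/filter.h, so `--with-sandbox=seccomp_filter` on a host lacking either would only fail at compile time rather than with a clear configure error.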
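--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -44,6 +44,7 @@
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
+#include <elf.h>
 
 #include <asm/unistd.h>
 
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = {
 SC_DENY(open, EACCES),
 SC_ALLOW(getpid),
 SC_ALLOW(gettimeofday),
+#ifdef __NR_time /* not defined on EABI ARM */
 SC_ALLOW(time),
+#endif
 SC_ALLOW(read),
 SC_ALLOW(write),
 SC_ALLOW(close),
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW(select),
 #endif
 SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mmap
 SC_ALLOW(mmap),
+#endif
 SC_ALLOW(munmap),
 SC_ALLOW(exit_group),
 #ifdef __NR_rt_sigprocmask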
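Review bot: The comment on the new `#ifdef __NR_mmap2` block (new line 108) says EABI ARM only has mmap2(), but the guard keys on the macro rather than the architecture: i386 defines both `__NR_mmap` and `__NR_mmap2`, so this hunk also adds mmap2 to the i386 preauth allow-list, which neither the comment nor the commit message mentions. That is very likely correct, since the i386 libc mmap() wrapper normally issues mmap2, but a change to an allow-list should say what it widens, e.g. `#ifdef __NR_mmap2 /* EABI ARM only has mmap2(); i386 has both mmap and mmap2 */`. The `#include <elf.h>` at new line 47 sits after the `<linux/*>` group rather than with the other libc headers and has no explanation; presumably it supplies the `EM_*` constants that `AUDIT_ARCH_ARM` expands to, and a trailing `/* EM_* for AUDIT_ARCH_* */` would make that clear. preauth_insns[] starts and ends outside these hunks.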