- (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux

    seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
       ok dtucker

3 files changed, 60 insertions, 37 deletions

diff --git a/ChangeLog b/ChangeLog
index d67e550c2..c8f85fd8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
    ssh(1) since they're not needed.  Patch from Pierre Ossman, ok djm.
  - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
    libgss too.  Patch from Pierre Ossman, ok djm.
+ - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
+   seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
+   ok dtucker
 
 20130221
  - (tim) [regress/forward-control.sh] shell portability fix.
diff --git a/configure.ac b/configure.ac
index 6c11f0b90..e526390f7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.507 2013/02/21 23:43:16 dtucker Exp $
+# $Id: configure.ac,v 1.508 2013/02/22 00:37:00 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.507 $)
+AC_REVISION($Revision: 1.508 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -120,31 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
         #include <sys/types.h>
         #include <linux/prctl.h>
 ])
-if test "x$have_linux_no_new_privs" = "x1" ; then
-AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
-        #include <sys/types.h>
-        #include <linux/seccomp.h>
-])
-fi
-if test "x$have_seccomp_filter" = "x1" ; then
-AC_MSG_CHECKING([kernel for seccomp_filter support])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-                #include <errno.h>
-                #include <linux/seccomp.h>
-                #include <stdlib.h>
-                #include <sys/prctl.h>
-        ]],
-        [[ errno = 0;
-           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-           exit(errno == EFAULT ? 0 : 1); ]])],
-        [ AC_MSG_RESULT([yes]) ], [
-                AC_MSG_RESULT([no])
-                # Disable seccomp filter as a target
-                have_seccomp_filter=0
-        ]
-)
-fi
-
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
     [  --without-stackprotect  Don't use compiler's stack protection], [
@@ -321,6 +296,7 @@ AC_CHECK_HEADERS([ \
         crypto/sha2.h \
         dirent.h \
         endian.h \
+        elf.h \
         features.h \
         fcntl.h \
         floatingpoint.h \
@@ -700,20 +676,26 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
         AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
             [], [#include <linux/types.h>])
         AC_CHECK_FUNCS([prctl])
-        have_seccomp_audit_arch=1
+        AC_MSG_CHECKING([for seccomp architecture])
+        seccomp_audit_arch=
         case "$host" in
         x86_64-*)
-                AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64],
-                    [Specify the system call convention in use])
+                seccomp_audit_arch=AUDIT_ARCH_X86_64
                 ;;
         i*86-*)
-                AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386],
-                    [Specify the system call convention in use])
-                ;;
-        *)
-                have_seccomp_audit_arch=0
+                seccomp_audit_arch=AUDIT_ARCH_I386
                 ;;
+        arm*-*)
+                seccomp_audit_arch=AUDIT_ARCH_ARM
+                ;;
         esac
+        if test "x$seccomp_audit_arch" != "x" ; then
+                AC_MSG_RESULT(["$seccomp_audit_arch"])
+                AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+                    [Specify the system call convention in use])
+        else
+                AC_MSG_RESULT([architecture not supported])
+        fi
         ;;
 mips-sony-bsd|mips-sony-newsos4)
         AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -2629,6 +2611,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
         [non-privileged user for privilege separation])
 AC_SUBST([SSH_PRIVSEP_USER])
 
+if test "x$have_linux_no_new_privs" = "x1" ; then
+AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+        #include <sys/types.h>
+        #include <linux/seccomp.h>
+])
+fi
+if test "x$have_seccomp_filter" = "x1" ; then
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+                #include <errno.h>
+                #include <elf.h>
+                #include <linux/audit.h>
+                #include <linux/seccomp.h>
+                #include <stdlib.h>
+                #include <sys/prctl.h>
+        ]],
+        [[ int i = $seccomp_audit_arch;
+           errno = 0;
+           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+           exit(errno == EFAULT ? 0 : 1); ]])],
+        [ AC_MSG_RESULT([yes]) ], [
+                AC_MSG_RESULT([no])
+                # Disable seccomp filter as a target
+                have_seccomp_filter=0
+        ]
+)
+fi
+
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
@@ -2716,11 +2726,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \
 elif test "x$sandbox_arg" = "xseccomp_filter" || \
      ( test -z "$sandbox_arg" && \
        test "x$have_seccomp_filter" = "x1" && \
+       test "x$ac_cv_header_elf_h" = "xyes" && \
        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-       test "x$have_seccomp_audit_arch" = "x1" && \
+       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
+       test "x$seccomp_audit_arch" != "x" && \
        test "x$have_linux_no_new_privs" = "x1" && \
        test "x$ac_cv_func_prctl" = "xyes" ) ; then
-        test "x$have_seccomp_audit_arch" != "x1" && \
+        test "x$seccomp_audit_arch" = "x" && \
                 AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
         test "x$have_linux_no_new_privs" != "x1" && \
                 AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ef2b13c4f..e12418399 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -44,6 +44,7 @@
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
+#include <elf.h>
 
 #include <asm/unistd.h>
 
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_insns[] = {
         SC_DENY(open, EACCES),
         SC_ALLOW(getpid),
         SC_ALLOW(gettimeofday),
+#ifdef __NR_time /* not defined on EABI ARM */
         SC_ALLOW(time),
+#endif
         SC_ALLOW(read),
         SC_ALLOW(write),
         SC_ALLOW(close),
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_insns[] = {
         SC_ALLOW(select),
 #endif
         SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+        SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mmap
         SC_ALLOW(mmap),
+#endif
         SC_ALLOW(munmap),
         SC_ALLOW(exit_group),
 #ifdef __NR_rt_sigprocmask