hook tame(2) sandbox up to build

OpenBSD only for now
author: Damien Miller <djm@mindrot.org> 2015-10-08 04:30:48 +1100
committer: Damien Miller <djm@mindrot.org> 2015-10-08 04:30:48 +1100
commit: 9846a2f4067383bb76b4e31a9d2303e0a9c13a73 (patch)
tree: 8663fbdaa27ed750fa08a63ae797a16081da88bd
parent: 0c46bbe68b70bdf0d6d20588e5847e71f3739fe6 (diff)
3 files changed, 17 insertions, 4 deletions
diff --git a/Makefile.in b/Makefile.in
index 0901f4225..8305cec9d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -110,7 +110,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        sftp-server.o sftp-common.o \
        roaming_common.o roaming_serv.o \
        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-        sandbox-seccomp-filter.o sandbox-capsicum.o
+        sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-tame.o
 MANPAGES        = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
diff --git a/configure.ac b/configure.ac
index d900df4b5..1693cfae8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -854,6 +854,7 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE([SYSLOG_R_SAFE_IN_SIGHAND], [1],
            [syslog_r function is safe to use in in a signal handler])
        TEST_MALLOC_OPTIONS="AFGJPRX"
+        AC_CHECK_FUNCS([tame])
        ;;
 *-*-solaris*)
        if test "x$withval" != "xno" ; then
@@ -2997,7 +2998,7 @@ fi
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-        [  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
+        [  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, tame)],
        [
                if test "x$withval" = "xyes" ; then
                        sandbox_arg=""
@@ -3093,7 +3094,13 @@ AC_RUN_IFELSE(
        [AC_MSG_WARN([cross compiling: assuming yes])]
 )
-if test "x$sandbox_arg" = "xsystrace" || \
+if test "x$sandbox_arg" = "xtame" || \
+   ( test -z "$sandbox_arg" && test "x$ac_cv_func_tame" = "xyes" ) ; then
+        test "x$ac_cv_func_tame" != "xyes" && \
+                AC_MSG_ERROR([tame sandbox requires tame(2) support])
+        SANDBOX_STYLE="tame"
+        AC_DEFINE([SANDBOX_TAME], [1], [Sandbox using tame(2)])
+elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
        test "x$have_systr_policy_kill" != "x1" && \
                AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
diff --git a/sandbox-tame.c b/sandbox-tame.c
index 12c91adea..daa3f3a74 100644
--- a/sandbox-tame.c
+++ b/sandbox-tame.c
@@ -15,6 +15,10 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include "includes.h"
+#ifdef SANDBOX_TAME
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/syscall.h>
@@ -38,7 +42,7 @@ struct ssh_sandbox {
 };
 struct ssh_sandbox *
-ssh_sandbox_init(void)
+ssh_sandbox_init(struct monitor *m)
 {
        struct ssh_sandbox *box;
@@ -69,3 +73,5 @@ ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
        box->child_pid = child_pid;
        /* Nothing to do here */
 }
+#endif /* SANDBOX_TAME */
author	Damien Miller <djm@mindrot.org>	2015-10-08 04:30:48 +1100
committer	Damien Miller <djm@mindrot.org>	2015-10-08 04:30:48 +1100
commit	9846a2f4067383bb76b4e31a9d2303e0a9c13a73 (patch)
tree	8663fbdaa27ed750fa08a63ae797a16081da88bd
parent	0c46bbe68b70bdf0d6d20588e5847e71f3739fe6 (diff)