author | Damien Miller <djm@mindrot.org> | 2012-04-04 11:27:54 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-04-04 11:27:54 +1000 |
commit | e0956e38349d4a32f3c4a726af45a3695ff2d3c2 (patch) | |
tree | 55f6b3c7251fa1512b38640fb23c809b4af285e3 /configure.ac | |
parent | ce1ec9d4e27d4e08ef02e4e96818263d3ff2eecc (diff) |
- (djm) [Makefile.in configure.ac sandbox-seccomp-filter.c] Add sandbox
mode for Linux's new seccomp filter; patch from Will Drewry; feedback
and ok dtucker@
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 68 |
1 files changed, 65 insertions, 3 deletions
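--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $
+# $Id: configure.ac,v 1.488 2012/04/04 01:27:57 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.487 $)
+AC_REVISION($Revision: 1.488 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -116,6 +116,35 @@ AC_CHECK_DECL([RLIMIT_NPROC],
 #include <sys/types.h>
 #include <sys/resource.h>
 ])
+AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
+#include <sys/types.h>
+#include <linux/prctl.h>
+])
+if test "x$have_linux_no_new_privs" = "x1" ; then
+AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+#include <sys/types.h>
+#include <linux/seccomp.h>
+])
+fi
+if test "x$have_seccomp_filter" = "x1" ; then
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+#include <errno.h>
+#include <linux/seccomp.h>
+#include <stdlib.h>
+#include <sys/prctl.h>
+]],
+[[ errno = 0;
+prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+exit(errno == EFAULT ? 0 : 1); ]])],
+[ AC_MSG_RESULT([yes]) ], [
+AC_MSG_RESULT([no])
+# Disable seccomp filter as a target
+have_seccomp_filter=0
+],
+[ AC_MSG_RESULT([cross-compiling, assuming yes]) ]
+)
+fi
 
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
@@ -657,6 +686,22 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
 [Prepend the address family to IP tunnel traffic])
 fi
+AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h])
+AC_CHECK_FUNCS([prctl])
+have_seccomp_audit_arch=1
+case "$host" in
+x86_64-*)
+AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64],
+[Specify the system call convention in use])
+;;
+i*86-*)
+AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386],
+[Specify the system call convention in use])
+;;
+*)
+have_seccomp_audit_arch=0
+;;
+esac
 ;;
 mips-sony-bsd|mips-sony-newsos4)
 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -2518,7 +2563,7 @@ AC_SUBST([SSH_PRIVSEP_USER])
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace)],
+[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)],
 [
 if test "x$withval" = "xyes" ; then
 sandbox_arg=""
@@ -2541,6 +2586,23 @@ elif test "x$sandbox_arg" = "xdarwin" || \
 AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
 SANDBOX_STYLE="darwin"
 AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+elif test "x$sandbox_arg" = "xseccomp_filter" || \
+( test -z "$sandbox_arg" && \
+test "x$have_seccomp_filter" == "x1" && \
+test "x$ac_cv_header_linux_audit_h" = "xyes" && \
+test "x$have_seccomp_audit_arch" = "x1" && \
+test "x$have_linux_no_new_privs" = "x1" && \
+test "x$ac_cv_func_prctl" = "xyes" ) ; then
+test "x$have_seccomp_audit_arch" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
+test "x$have_linux_no_new_privs" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])
+test "x$have_seccomp_filter" != "x1" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires seccomp headers])
+test "x$ac_cv_func_prctl" != "xyes" && \
+AC_MSG_ERROR([seccomp_filter sandbox requires prctl function])
+SANDBOX_STYLE="seccomp_filter"
+AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
 elif test "x$sandbox_arg" = "xrlimit" || \
 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
 test "x$ac_cv_func_setrlimit" != "xyes" && \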
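Review bot: In the auto-select condition for seccomp_filter (new line 2591), `test "x$have_seccomp_filter" == "x1"` uses `==`, which POSIX `test` does not define; under a shell whose `test` rejects it the condition is false and configure falls through to the rlimit branch below, silently building with a weaker sandbox than the host supports. Use `test "x$have_seccomp_filter" = "x1" && \` as the neighbouring lines do. The same condition requires `ac_cv_header_linux_audit_h` for auto-selection, but an explicit `--with-sandbox=seccomp_filter` has no matching error, so adding `test "x$ac_cv_header_linux_audit_h" != "xyes" && AC_MSG_ERROR([seccomp_filter sandbox requires linux/audit.h])` would fail early instead of, presumably, at compile time. The if/elif chain starts and ends outside this hunk.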