author | Colin Watson <cjwatson@debian.org> | 2012-05-26 01:44:40 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2012-05-26 01:44:40 +0100 |
commit | 15784261dfaece73ef53f5beb5d3917a95dc1ae4 (patch) | |
tree | c39ee6c8ff10efca0e0060d6db07780667832eeb /configure | |
parent | 9fce61538243d8d04d6cf174e118df6c4ece351d (diff) |
Add a sandbox fallback mechanism, so that behaviour on Linux depends on
whether the running system's kernel has seccomp_filter support, not the
build system's kernel (forwarded upstream as
https://bugzilla.mindrot.org/show_bug.cgi?id=2011).
Diffstat (limited to 'configure')
-rwxr-xr-x | configure | 72 |
1 files changed, 17 insertions, 55 deletions
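--- a/configure
+++ b/configure
@@ -5598,48 +5598,6 @@ if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes; then :
 fi
 
 fi
-if test "x$have_seccomp_filter" = "x1" ; then
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel for seccomp_filter support" >&5
-$as_echo_n "checking kernel for seccomp_filter support... " >&6; }
-if test "$cross_compiling" = yes; then :
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compiling, assuming yes" >&5
-$as_echo "cross-compiling, assuming yes" >&6; }
-
-else
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <errno.h>
-#include <linux/seccomp.h>
-#include <stdlib.h>
-#include <sys/prctl.h>
-
-int
-main ()
-{
-errno = 0;
-prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-exit(errno == EFAULT ? 0 : 1);
-;
-return 0;
-}
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-# Disable seccomp filter as a target
-have_seccomp_filter=0
-
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-fi
 
 use_stack_protector=1
 
@@ -11898,25 +11856,28 @@ if test "${with_sandbox+set}" = set; then :
 
 fi
 
+SANDBOX_STYLE=""
 if test "x$sandbox_arg" = "xsystrace" || \
 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
 test "x$have_systr_policy_kill" != "x1" && \
 as_fn_error $? "systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support" "$LINENO" 5
-SANDBOX_STYLE="systrace"
+SANDBOX_STYLE="$SANDBOX_STYLE systrace"
 
 $as_echo "#define SANDBOX_SYSTRACE 1" >>confdefs.h
 
-elif test "x$sandbox_arg" = "xdarwin" || \
+fi
+if test "x$sandbox_arg" = "xdarwin" || \
 ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
 test "x$ac_cv_header_sandbox_h" = "xyes") ; then
 test "x$ac_cv_func_sandbox_init" != "xyes" -o \
 "x$ac_cv_header_sandbox_h" != "xyes" && \
 as_fn_error $? "Darwin seatbelt sandbox requires sandbox.h and sandbox_init function" "$LINENO" 5
-SANDBOX_STYLE="darwin"
+SANDBOX_STYLE="$SANDBOX_STYLE darwin"
 
 $as_echo "#define SANDBOX_DARWIN 1" >>confdefs.h
 
-elif test "x$sandbox_arg" = "xseccomp_filter" || \
+fi
+if test "x$sandbox_arg" = "xseccomp_filter" || \
 ( test -z "$sandbox_arg" && \
 test "x$have_seccomp_filter" = "x1" && \
 test "x$ac_cv_header_linux_audit_h" = "xyes" && \
@@ -11931,27 +11892,28 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
 as_fn_error $? "seccomp_filter sandbox requires seccomp headers" "$LINENO" 5
 test "x$ac_cv_func_prctl" != "xyes" && \
 as_fn_error $? "seccomp_filter sandbox requires prctl function" "$LINENO" 5
-SANDBOX_STYLE="seccomp_filter"
+SANDBOX_STYLE="$SANDBOX_STYLE seccomp_filter"
 
 $as_echo "#define SANDBOX_SECCOMP_FILTER 1" >>confdefs.h
 
-elif test "x$sandbox_arg" = "xrlimit" || \
+fi
+if test "x$sandbox_arg" = "xrlimit" || \
 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then
 test "x$ac_cv_func_setrlimit" != "xyes" && \
 as_fn_error $? "rlimit sandbox requires setrlimit function" "$LINENO" 5
-SANDBOX_STYLE="rlimit"
+SANDBOX_STYLE="$SANDBOX_STYLE rlimit"
 
 $as_echo "#define SANDBOX_RLIMIT 1" >>confdefs.h
 
-elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
+fi
+if test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
 test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
-SANDBOX_STYLE="none"
-
-$as_echo "#define SANDBOX_NULL 1" >>confdefs.h
-
-else
+SANDBOX_STYLE="$SANDBOX_STYLE none"
+fi
+if test -z "$SANDBOX_STYLE" ; then
 as_fn_error $? "unsupported --with-sandbox" "$LINENO" 5
 fi
+SANDBOX_STYLE="${SANDBOX_STYLE# }"
 
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then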
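Review bot: The `none` branch at new line 11911 no longer writes `#define SANDBOX_NULL 1` to confdefs.h, while the systrace, darwin, seccomp_filter and rlimit branches each still emit their `SANDBOX_*` define; if sandbox-null.c (not visible here) is still guarded by `#ifdef SANDBOX_NULL`, the last entry in the fallback list would compile to nothing and a sandbox-less sshd privsep child could result. Either keep `$as_echo "#define SANDBOX_NULL 1" >>confdefs.h` in that branch or add a comment stating that the null sandbox is now built unconditionally. With an empty `--with-sandbox` the list always ends in `none`, so the `test -z "$SANDBOX_STYLE"` error at 11913 only rejects unrecognized explicit values; a comment such as `# Empty --with-sandbox enables every usable style, in fallback order, ending with none` would make that intent clear. The diffstat is limited to configure, so whether configure.ac carries the same change cannot be confirmed from this page.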