summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rw-r--r--configure.ac51
2 files changed, 51 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 483741555..bd174a476 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
120120703
2 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
3 setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
4
120120702 520120702
2- (dtucker) OpenBSD CVS Sync 6- (dtucker) OpenBSD CVS Sync
3 - naddy@cvs.openbsd.org 2012/06/29 13:57:25 7 - naddy@cvs.openbsd.org 2012/06/29 13:57:25
diff --git a/configure.ac b/configure.ac
index 02f8bf858..97cf7b17c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
1# $Id: configure.ac,v 1.492 2012/05/19 05:24:37 dtucker Exp $ 1# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $
2# 2#
3# Copyright (c) 1999-2004 Damien Miller 3# Copyright (c) 1999-2004 Damien Miller
4# 4#
@@ -15,7 +15,7 @@
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 16
17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) 17AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
18AC_REVISION($Revision: 1.492 $) 18AC_REVISION($Revision: 1.493 $)
19AC_CONFIG_SRCDIR([ssh.c]) 19AC_CONFIG_SRCDIR([ssh.c])
20AC_LANG([C]) 20AC_LANG([C])
21 21
@@ -686,7 +686,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
686 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 686 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
687 [Prepend the address family to IP tunnel traffic]) 687 [Prepend the address family to IP tunnel traffic])
688 fi 688 fi
689 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h]) 689 AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
690 [], [#include <linux/types.h>])
690 AC_CHECK_FUNCS([prctl]) 691 AC_CHECK_FUNCS([prctl])
691 have_seccomp_audit_arch=1 692 have_seccomp_audit_arch=1
692 case "$host" in 693 case "$host" in
@@ -2575,6 +2576,45 @@ AC_ARG_WITH([sandbox],
2575 fi 2576 fi
2576 ] 2577 ]
2577) 2578)
2579
2580# Some platforms (seems to be the ones that have a kernel poll(2)-type
2581# function with which they implement select(2)) use an extra file descriptor
2582# when calling select(2), which means we can't use the rlimit sandbox.
2583AC_MSG_CHECKING([if select works with descriptor rlimit])
2584AC_RUN_IFELSE(
2585 [AC_LANG_PROGRAM([[
2586#include <sys/types.h>
2587#ifdef HAVE_SYS_TIME_H
2588# include <sys/time.h>
2589#endif
2590#include <sys/resource.h>
2591#ifdef HAVE_SYS_SELECT_H
2592# include <sys/select.h>
2593#endif
2594#include <errno.h>
2595#include <fcntl.h>
2596#include <stdlib.h>
2597 ]],[[
2598 struct rlimit rl_zero;
2599 int fd, r;
2600 fd_set fds;
2601
2602 fd = open("/dev/null", O_RDONLY);
2603 FD_ZERO(&fds);
2604 FD_SET(fd, &fds);
2605 rl_zero.rlim_cur = rl_zero.rlim_max = 0;
2606 setrlimit(RLIMIT_FSIZE, &rl_zero);
2607 setrlimit(RLIMIT_NOFILE, &rl_zero);
2608 r = select(fd+1, &fds, NULL, NULL, NULL);
2609 exit (r == -1 ? 1 : 0);
2610 ]])],
2611 [AC_MSG_RESULT([yes])
2612 select_works_with_rlimit=yes],
2613 [AC_MSG_RESULT([no])
2614 select_works_with_rlimit=no],
2615 [AC_MSG_WARN([cross compiling: assuming yes])]
2616)
2617
2578if test "x$sandbox_arg" = "xsystrace" || \ 2618if test "x$sandbox_arg" = "xsystrace" || \
2579 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then 2619 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
2580 test "x$have_systr_policy_kill" != "x1" && \ 2620 test "x$have_systr_policy_kill" != "x1" && \
@@ -2607,9 +2647,12 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
2607 SANDBOX_STYLE="seccomp_filter" 2647 SANDBOX_STYLE="seccomp_filter"
2608 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) 2648 AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
2609elif test "x$sandbox_arg" = "xrlimit" || \ 2649elif test "x$sandbox_arg" = "xrlimit" || \
2610 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then 2650 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
2651 test "x$select_works_with_rlimit" == "xyes" ) ; then
2611 test "x$ac_cv_func_setrlimit" != "xyes" && \ 2652 test "x$ac_cv_func_setrlimit" != "xyes" && \
2612 AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) 2653 AC_MSG_ERROR([rlimit sandbox requires setrlimit function])
2654 test "x$select_works_with_rlimit" != "xyes" && \
2655 AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
2613 SANDBOX_STYLE="rlimit" 2656 SANDBOX_STYLE="rlimit"
2614 AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) 2657 AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
2615elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ 2658elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \