diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | configure.ac | 7 | ||||
| -rw-r--r-- | sandbox-capsicum.c | 2 | ||||
| -rw-r--r-- | sandbox-rlimit.c | 2 |
4 files changed, 13 insertions, 2 deletions
| @@ -12,6 +12,10 @@ | |||
| 12 | [kex.c] | 12 | [kex.c] |
| 13 | dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) | 13 | dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len) |
| 14 | ok dtucker@, noted by mancha | 14 | ok dtucker@, noted by mancha |
| 15 | - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable | ||
| 16 | RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations, | ||
| 17 | libc will attempt to open additional file descriptors for crypto | ||
| 18 | offload and crash if they cannot be opened. | ||
| 15 | 19 | ||
| 16 | 20130125 | 20 | 20130125 |
| 17 | - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD | 21 | - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD |
diff --git a/configure.ac b/configure.ac index 5e5e4d135..4a398418a 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.562 2014/01/25 02:16:59 djm Exp $ | 1 | # $Id: configure.ac,v 1.563 2014/01/25 22:39:53 djm Exp $ |
| 2 | # | 2 | # |
| 3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
| 4 | # | 4 | # |
| @@ -15,7 +15,7 @@ | |||
| 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 15 | # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 16 | 16 | ||
| 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) | 17 | AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) |
| 18 | AC_REVISION($Revision: 1.562 $) | 18 | AC_REVISION($Revision: 1.563 $) |
| 19 | AC_CONFIG_SRCDIR([ssh.c]) | 19 | AC_CONFIG_SRCDIR([ssh.c]) |
| 20 | AC_LANG([C]) | 20 | AC_LANG([C]) |
| 21 | 21 | ||
| @@ -780,6 +780,9 @@ mips-sony-bsd|mips-sony-newsos4) | |||
| 780 | AC_DEFINE([BROKEN_STRNVIS], [1], | 780 | AC_DEFINE([BROKEN_STRNVIS], [1], |
| 781 | [FreeBSD strnvis argument order is swapped compared to OpenBSD]) | 781 | [FreeBSD strnvis argument order is swapped compared to OpenBSD]) |
| 782 | TEST_MALLOC_OPTIONS="AJRX" | 782 | TEST_MALLOC_OPTIONS="AJRX" |
| 783 | # Preauth crypto occasionally uses file descriptors for crypto offload | ||
| 784 | # and will crash if they cannot be opened. | ||
| 785 | AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE]) | ||
| 783 | ;; | 786 | ;; |
| 784 | *-*-bsdi*) | 787 | *-*-bsdi*) |
| 785 | AC_DEFINE([SETEUID_BREAKS_SETUID]) | 788 | AC_DEFINE([SETEUID_BREAKS_SETUID]) |
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c index f648c6ece..ee2a7e79e 100644 --- a/sandbox-capsicum.c +++ b/sandbox-capsicum.c | |||
| @@ -75,9 +75,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) | |||
| 75 | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) | 75 | if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) |
| 76 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | 76 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", |
| 77 | __func__, strerror(errno)); | 77 | __func__, strerror(errno)); |
| 78 | #ifndef SANDBOX_SKIP_RLIMIT_NOFILE | ||
| 78 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | 79 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) |
| 79 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", | 80 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", |
| 80 | __func__, strerror(errno)); | 81 | __func__, strerror(errno)); |
| 82 | #endif | ||
| 81 | if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) | 83 | if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) |
| 82 | fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", | 84 | fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", |
| 83 | __func__, strerror(errno)); | 85 | __func__, strerror(errno)); |
diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index da91eb1b9..bba80778b 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c | |||
| @@ -69,9 +69,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) | |||
| 69 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", | 69 | fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", |
| 70 | __func__, strerror(errno)); | 70 | __func__, strerror(errno)); |
| 71 | #endif | 71 | #endif |
| 72 | #ifndef SANDBOX_SKIP_RLIMIT_NOFILE | ||
| 72 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) | 73 | if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) |
| 73 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", | 74 | fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", |
| 74 | __func__, strerror(errno)); | 75 | __func__, strerror(errno)); |
| 76 | #endif | ||
| 75 | #ifdef HAVE_RLIMIT_NPROC | 77 | #ifdef HAVE_RLIMIT_NPROC |
| 76 | if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) | 78 | if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) |
| 77 | fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", | 79 | fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", |