From 2aa9da1a3b360cf7b13e96fe1521534b91501fb5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 24 Mar 2015 01:29:19 +0000 Subject: upstream commit Compile-time disable SSH protocol 1. You can turn it back on using the Makefile.inc knob if you need it to talk to ancient devices. --- configure.ac | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index b4d6598d5..5c9e0f87a 100644 --- a/configure.ac +++ b/configure.ac @@ -122,7 +122,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ ]) openssl=yes -ssh1=yes +ssh1=no AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then @@ -140,12 +140,13 @@ else fi AC_ARG_WITH([ssh1], - [ --without-ssh1 Disable support for SSH protocol 1], + [ --with-ssh1 Enable support for SSH protocol 1], [ - if test "x$withval" = "xno" ; then - ssh1=no - elif test "x$openssl" = "xno" ; then - AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) + if test "x$withval" = "xyes" ; then + if test "x$openssl" = "xno" ; then + AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) + fi + ssh1=yes fi ] ) -- cgit v1.2.3 From 408f4c2ad4a4c41baa7b9b2b7423d875abbfa70b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 Apr 2015 09:39:58 +1000 Subject: Look for '${host}-ar' before 'ar'. This changes configure.ac to look for '${host}-ar' as set by AC_CANONICAL_HOST before looking for the unprefixed 'ar'. Useful when cross-compiling when all your binutils are prefixed. Patch from moben at exherbo org via astrand at lysator liu se and bz#2352. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 5c9e0f87a..606c7363b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -30,7 +30,7 @@ AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL AC_PROG_EGREP -AC_PATH_PROG([AR], [ar]) +AC_CHECK_TOOLS([AR], [ar]) AC_PATH_PROG([CAT], [cat]) AC_PATH_PROG([KILL], [kill]) AC_PATH_PROGS([PERL], [perl5 perl]) -- cgit v1.2.3 From 0c2a81dfc21822f2423edd30751e5ec53467b347 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 29 May 2015 17:08:28 +1000 Subject: re-enable SSH protocol 1 at compile time --- configure.ac | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 606c7363b..68ce7d674 100644 --- a/configure.ac +++ b/configure.ac @@ -122,7 +122,7 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ ]) openssl=yes -ssh1=no +ssh1=yes AC_ARG_WITH([openssl], [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], [ if test "x$withval" = "xno" ; then @@ -147,6 +147,10 @@ AC_ARG_WITH([ssh1], AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) fi ssh1=yes + elif test "x$withval" = "xno" ; then + ssh1=no + else + AC_MSG_ERROR([unknown --with-ssh1 argument]) fi ] ) -- cgit v1.2.3 From 6397eedf953b2b973d2d7cbb504ab501a07f8ddc Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 3 Jun 2015 21:41:11 -0700 Subject: Remove unneeded backslashes. Patch from Ángel González MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 68ce7d674..b6f930201 100644 --- a/configure.ac +++ b/configure.ac @@ -4356,7 +4356,7 @@ if test ! -z "$IPADDR_IN_DISPLAY" ; then else DISPLAY_HACK_MSG="no" AC_ARG_WITH([ipaddr-display], - [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], + [ --with-ipaddr-display Use ip address instead of hostname in $DISPLAY], [ if test "x$withval" != "xno" ; then AC_DEFINE([IPADDR_IN_DISPLAY]) 
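Review bot: `AC_CHECK_TOOLS([AR], [ar])` leaves `AR` as a bare program name, while the neighbouring `AC_PATH_PROG`/`AC_PATH_PROGS` lines for `CAT`, `KILL` and `PERL` still resolve to absolute paths, so `ar` is looked up through `PATH` again whenever the build invokes it. If the absolute path was intentional, `AC_PATH_TOOL([AR], [ar])` keeps it and still tries the `${host}-` prefix first. Whether the Makefile depends on an absolute `AR` is not visible in this hunk.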
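Review bot: The default flips back to `ssh1=yes` without a comment explaining why a legacy protocol is compiled in by default again, and the option's help line (in the `AC_ARG_WITH([ssh1]` block, unchanged by this commit) still advertises `--with-ssh1 Enable support for SSH protocol 1`, which no longer matches the default. I would add a comment above the assignment, for example `# SSH protocol 1 is legacy and weaker than protocol 2; built by default for compatibility, disable with --without-ssh1`. The second hunk's `else` branch that rejects unknown values is a good addition and needs no change.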
@@ -4402,7 +4402,7 @@ fi # Whether to mess with the default path SERVER_PATH_MSG="(default)" AC_ARG_WITH([default-path], - [ --with-default-path= Specify default \$PATH environment for server], + [ --with-default-path= Specify default $PATH environment for server], [ if test "x$external_path_file" = "x/etc/login.conf" ; then AC_MSG_WARN([ -- cgit v1.2.3 From 99f33d7304893bd9fa04d227cb6e870171cded19 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Jun 2015 10:50:51 +1000 Subject: aarch64 support for seccomp-bpf sandbox Also resort and tidy syscall list. Based on patches by Jakub Jelen bz#2361; ok dtucker@ --- configure.ac | 11 +++-- sandbox-seccomp-filter.c | 105 ++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 92 insertions(+), 24 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index b6f930201..a1a29a657 100644 --- a/configure.ac +++ b/configure.ac @@ -781,14 +781,17 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) i*86-*) seccomp_audit_arch=AUDIT_ARCH_I386 ;; - arm*-*) + arm*-*) seccomp_audit_arch=AUDIT_ARCH_ARM - ;; + ;; + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ; esac if test "x$seccomp_audit_arch" != "x" ; then AC_MSG_RESULT(["$seccomp_audit_arch"]) - AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], - [Specify the system call convention in use]) + AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch], + [Specify the system call convention in use]) else AC_MSG_RESULT([architecture not supported]) fi diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258f2..badfee2ec 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -43,6 +43,7 @@ #include #include +#include #include #include #include 
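Review bot: The new `aarch64*-*)` arm is terminated with a single `;` rather than `;;`, which is a shell syntax error in the generated configure script; it should read `;;` like the `i*86-*)` and `arm*-*)` arms. The same hunk also re-indents the `arm*-*)` arm and the `AC_DEFINE_UNQUOTED` call, which makes the one functional change harder to spot; those whitespace edits would be clearer as a separate commit. The `case` statement begins outside the hunk.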
@@ -79,6 +80,16 @@ #define SC_ALLOW(_nr) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) +#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \ + /* load first syscall argument */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, args[(_arg_nr)])), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ + /* reload syscall number; all rules expect it in accumulator */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ + offsetof(struct seccomp_data, nr)) /* Syscall filtering set for preauth. */ static const struct sock_filter preauth_insns[] = { 
@@ -90,45 +101,99 @@ static const struct sock_filter preauth_insns[] = { /* Load the syscall number for checking. */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), + + /* Syscalls to non-fatally deny */ +#ifdef __NR_fstat + SC_DENY(fstat, EACCES), +#endif +#ifdef __NR_fstat64 + SC_DENY(fstat64, EACCES), +#endif +#ifdef __NR_open SC_DENY(open, EACCES), +#endif +#ifdef __NR_openat + SC_DENY(openat, EACCES), +#endif +#ifdef __NR_newfstatat + SC_DENY(newfstatat, EACCES), +#endif +#ifdef __NR_stat SC_DENY(stat, EACCES), - SC_ALLOW(getpid), - SC_ALLOW(gettimeofday), +#endif +#ifdef __NR_stat64 + SC_DENY(stat64, EACCES), +#endif + + /* Syscalls to permit */ +#ifdef __NR_brk + SC_ALLOW(brk), +#endif +#ifdef __NR_clock_gettime SC_ALLOW(clock_gettime), -#ifdef __NR_time /* not defined on EABI ARM */ - SC_ALLOW(time), #endif - SC_ALLOW(read), - SC_ALLOW(write), +#ifdef __NR_close SC_ALLOW(close), -#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ - SC_ALLOW(shutdown), #endif - SC_ALLOW(brk), - SC_ALLOW(poll), -#ifdef __NR__newselect - SC_ALLOW(_newselect), -#else - SC_ALLOW(select), +#ifdef __NR_exit + SC_ALLOW(exit), +#endif +#ifdef __NR_exit_group + SC_ALLOW(exit_group), +#endif +#ifdef __NR_getpid + SC_ALLOW(getpid), #endif +#ifdef __NR_gettimeofday + SC_ALLOW(gettimeofday), +#endif +#ifdef __NR_madvise SC_ALLOW(madvise), -#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ - SC_ALLOW(mmap2), #endif #ifdef __NR_mmap SC_ALLOW(mmap), #endif -#ifdef __dietlibc__ +#ifdef __NR_mmap2 + SC_ALLOW(mmap2), +#endif +#ifdef __NR_mremap SC_ALLOW(mremap), - SC_ALLOW(exit), #endif +#ifdef __NR_munmap SC_ALLOW(munmap), - SC_ALLOW(exit_group), +#endif +#ifdef __NR__newselect + SC_ALLOW(_newselect), +#endif +#ifdef __NR_poll + SC_ALLOW(poll), +#endif +#ifdef __NR_read + SC_ALLOW(read), +#endif #ifdef __NR_rt_sigprocmask SC_ALLOW(rt_sigprocmask), -#else +#endif +#ifdef __NR_select + SC_ALLOW(select), +#endif +#ifdef __NR_shutdown + 
SC_ALLOW(shutdown), +#endif +#ifdef __NR_sigprocmask SC_ALLOW(sigprocmask), #endif +#ifdef __NR_time + SC_ALLOW(time), +#endif +#ifdef __NR_write + SC_ALLOW(write), +#endif +#ifdef __NR_socketcall + SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), +#endif + + /* Default deny */ BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), }; -- cgit v1.2.3 From 5c15e22c691c79a47747bcf5490126656f97cecd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Jun 2015 15:07:56 +1000 Subject: fix syntax error --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index a1a29a657..729524ea5 100644 --- a/configure.ac +++ b/configure.ac @@ -786,7 +786,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) ;; aarch64*-*) seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ; + ;; esac if test "x$seccomp_audit_arch" != "x" ; then AC_MSG_RESULT(["$seccomp_audit_arch"]) -- cgit v1.2.3 From 37035c07d4f26bb1fbe000d2acf78efdb008681d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 1 Jul 2015 10:49:37 +1000 Subject: s/--with-ssh1/--without-ssh1/ --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 729524ea5..bb0095f64 100644 --- a/configure.ac +++ b/configure.ac @@ -140,7 +140,7 @@ else fi AC_ARG_WITH([ssh1], - [ --with-ssh1 Enable support for SSH protocol 1], + [ --without-ssh1 Enable support for SSH protocol 1], [ if test "x$withval" = "xyes" ; then if test "x$openssl" = "xno" ; then -- cgit v1.2.3
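Review bot: Besides sorting the list, this hunk widens the pre-auth allowlist: `mremap` and `exit` were only permitted under `#ifdef __dietlibc__` and are now permitted wherever the syscall number exists, and `select` and `sigprocmask` used to sit in the `#else` branches of `_newselect` and `rt_sigprocmask` but are now allowed alongside them. The commit message describes the change as a resort and tidy, so the policy change deserves its own mention there or a comment in the table, for example `/* mremap, exit: previously dietlibc-only */`. Wrapping every rule in `#ifdef __NR_…` also means a rule silently disappears when a header lacks the number; that fails closed, but a build-time `#error` for essentials such as `read`, `write` and `exit_group` would surface it earlier. The `preauth_insns[]` array starts before the hunk.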
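Review bot: The help line now reads `--without-ssh1 Enable support for SSH protocol 1`, which pairs the disabling flag with the word "Enable"; with the default at `ssh1=yes` (set by the earlier commit in this series) it should read `[ --without-ssh1 Disable support for SSH protocol 1],`. The wording matters because `configure --help` is where a packager finds out how to leave the legacy protocol out of a build. The rest of the `AC_ARG_WITH([ssh1]` block continues outside the hunk.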