

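--- a/configure.ac
+++ b/configure.ac
@@ -120,31 +120,6 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
 	#include <sys/types.h>
 	#include <linux/prctl.h>
 ])
-if test "x$have_linux_no_new_privs" = "x1" ; then
-AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
-	#include <sys/types.h>
-	#include <linux/seccomp.h>
-])
-fi
-if test "x$have_seccomp_filter" = "x1" ; then
-AC_MSG_CHECKING([kernel for seccomp_filter support])
-AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-		#include <errno.h>
-		#include <linux/seccomp.h>
-		#include <stdlib.h>
-		#include <sys/prctl.h>
-	]],
-	[[ errno = 0;
-	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-	   exit(errno == EFAULT ? 0 : 1); ]])],
-	[ AC_MSG_RESULT([yes]) ], [
-		AC_MSG_RESULT([no])
-		# Disable seccomp filter as a target
-		have_seccomp_filter=0
-	]
-)
-fi
-
 use_stack_protector=1
 AC_ARG_WITH([stackprotect],
     [  --without-stackprotect  Don't use compiler's stack protection], [
@@ -321,6 +296,7 @@ AC_CHECK_HEADERS([ \
 	crypto/sha2.h \
 	dirent.h \
 	endian.h \
+	elf.h \
 	features.h \
 	fcntl.h \
 	floatingpoint.h \
@@ -700,20 +676,26 @@ main() { if (NSVersionOfRunTimeLibrary("
 	AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
 	    [], [#include <linux/types.h>])
 	AC_CHECK_FUNCS([prctl])
-	have_seccomp_audit_arch=1
+	AC_MSG_CHECKING([for seccomp architecture])
+	seccomp_audit_arch=
 	case "$host" in
 	x86_64-*)
-		AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_X86_64],
-		    [Specify the system call convention in use])
+		seccomp_audit_arch=AUDIT_ARCH_X86_64
 		;;
 	i*86-*)
-		AC_DEFINE([SECCOMP_AUDIT_ARCH], [AUDIT_ARCH_I386],
-		    [Specify the system call convention in use])
-		;;
-	*)
-		have_seccomp_audit_arch=0
+		seccomp_audit_arch=AUDIT_ARCH_I386
 		;;
+        arm*-*)
+		seccomp_audit_arch=AUDIT_ARCH_ARM
+                ;;
 	esac
+	if test "x$seccomp_audit_arch" != "x" ; then
+		AC_MSG_RESULT(["$seccomp_audit_arch"])
+                AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+                    [Specify the system call convention in use])
+	else
+		AC_MSG_RESULT([architecture not supported])
+	fi
 	;;
 mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
@@ -2629,6 +2611,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [
 	[non-privileged user for privilege separation])
 AC_SUBST([SSH_PRIVSEP_USER])
 
+if test "x$have_linux_no_new_privs" = "x1" ; then
+AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [
+	#include <sys/types.h>
+	#include <linux/seccomp.h>
+])
+fi
+if test "x$have_seccomp_filter" = "x1" ; then
+AC_MSG_CHECKING([kernel for seccomp_filter support])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+		#include <errno.h>
+		#include <elf.h>
+		#include <linux/audit.h>
+		#include <linux/seccomp.h>
+		#include <stdlib.h>
+		#include <sys/prctl.h>
+	]],
+	[[ int i = $seccomp_audit_arch;
+	   errno = 0;
+	   prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+	   exit(errno == EFAULT ? 0 : 1); ]])],
+	[ AC_MSG_RESULT([yes]) ], [
+		AC_MSG_RESULT([no])
+		# Disable seccomp filter as a target
+		have_seccomp_filter=0
+	]
+)
+fi
+
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
@@ -2716,11 +2726,13 @@ elif test "x$sandbox_arg" = "xdarwin" ||
 elif test "x$sandbox_arg" = "xseccomp_filter" || \
      ( test -z "$sandbox_arg" && \
        test "x$have_seccomp_filter" = "x1" && \
+       test "x$ac_cv_header_elf_h" = "xyes" && \
        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
-       test "x$have_seccomp_audit_arch" = "x1" && \
+       test "x$ac_cv_header_linux_filter_h" = "xyes" && \
+       test "x$seccomp_audit_arch" != "x" && \
        test "x$have_linux_no_new_privs" = "x1" && \
        test "x$ac_cv_func_prctl" = "xyes" ) ; then
-	test "x$have_seccomp_audit_arch" != "x1" && \
+	test "x$seccomp_audit_arch" = "x" && \
 		AC_MSG_ERROR([seccomp_filter sandbox not supported on $host])
 	test "x$have_linux_no_new_privs" != "x1" && \
 		AC_MSG_ERROR([seccomp_filter sandbox requires PR_SET_NO_NEW_PRIVS])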
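Review bot: The new `arm*-*)` arm of the `case "$host"` block also matches big-endian triplets such as `armeb-*`, yet it always sets `seccomp_audit_arch=AUDIT_ARCH_ARM`, the little-endian value. If the filter compares the kernel-reported arch against `SECCOMP_AUDIT_ARCH` (that code is not shown on this page), a big-endian build would configure cleanly and then fail the arch check for every syscall in the sandboxed child. Either keep such hosts unsupported or give them their own arm ahead of this one, e.g. `armeb*-*) seccomp_audit_arch=AUDIT_ARCH_ARMEB ;;`, once that has been tested. The `arm*-*)` line, its `;;` and the `AC_DEFINE_UNQUOTED` call are also indented with spaces where the rest of the block uses tabs.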
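--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -44,6 +44,7 @@
 #include <linux/audit.h>
 #include <linux/filter.h>
 #include <linux/seccomp.h>
+#include <elf.h>
 
 #include <asm/unistd.h>
 
@@ -90,7 +91,9 @@ static const struct sock_filter preauth_
 	SC_DENY(open, EACCES),
 	SC_ALLOW(getpid),
 	SC_ALLOW(gettimeofday),
+#ifdef __NR_time /* not defined on EABI ARM */
 	SC_ALLOW(time),
+#endif
 	SC_ALLOW(read),
 	SC_ALLOW(write),
 	SC_ALLOW(close),
@@ -102,7 +105,12 @@ static const struct sock_filter preauth_
 	SC_ALLOW(select),
 #endif
 	SC_ALLOW(madvise),
+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
+	SC_ALLOW(mmap2),
+#endif
+#ifdef __NR_mmap
 	SC_ALLOW(mmap),
+#endif
 	SC_ALLOW(munmap),
 	SC_ALLOW(exit_group),
 #ifdef __NR_rt_sigprocmask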
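Review bot: The comment on `#ifdef __NR_mmap2` names EABI ARM only, but the guard tests the syscall number, so `SC_ALLOW(mmap2)` joins the pre-auth allowlist on every target whose headers define `__NR_mmap2`, which includes 32-bit x86. That is probably what is wanted, but the comment should state the real scope of the widening, e.g. `#ifdef __NR_mmap2 /* 32-bit ABIs; EABI ARM has no plain mmap() */`. As far as the single-argument `SC_ALLOW` form shows, both `mmap` entries admit the call with any arguments, which is worth recording next to them so a later audit of the allowlist does not assume a `prot` restriction. The `preauth_` filter array begins and ends outside these hunks.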
