authorToni Uhlig <matzeton@googlemail.com>2018-08-02 18:00:55 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-08-02 18:00:55 +0200
commit25f613480aeb1421d8461c4abd796595b4d4984b (patch)
tree92be2eac959b984861336497eb7f5d77916a032f
parent7557d150d3848fb38623983b4df48574384cb208 (diff)
additional autoconf check for ambient raise securebit to support kernels prior 4.3
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--configure.ac16
-rw-r--r--src/jail.c4
2 files changed, 19 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index f97323d..c157c89 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,7 @@ AC_CHECK_HEADERS([stdio.h ctype.h assert.h sched.h signal.h time.h errno.h pwd.h
[ AC_MSG_ERROR([required std header not available]) ])
dnl Check for system specific header files
-AC_CHECK_HEADERS([linux/capability.h sys/wait.h sys/ioctl.h net/if.h netinet/in.h libgen.h], [],
+AC_CHECK_HEADERS([linux/capability.h linux/securebits.h sys/signalfd.h sys/wait.h sys/ioctl.h net/if.h netinet/in.h libgen.h], [],
[ AC_MSG_ERROR([required system specific header not available]) ])
AC_CHECK_HEADERS([libutil.h pthread.h semaphore.h syslog.h sys/prctl.h linux/limits.h \
sys/uio.h poll.h sys/epoll.h sys/sysmacros.h sys/mount.h sys/mman.h \
@@ -342,6 +342,20 @@ AC_COMPILE_IFELSE([
[ AC_MSG_RESULT([no])
AC_MSG_ERROR([assertion macro missing]) ])
+AC_MSG_CHECKING([if ambient raise securebits available])
+AC_COMPILE_IFELSE([
+ AC_LANG_SOURCE([#include <sys/prctl.h>
+ #include <linux/securebits.h>
+ int fn(void) \
+ { prctl(SECBIT_NO_CAP_AMBIENT_RAISE | \
+ SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED); \
+ return 0; }])
+ ],
+ [ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAVE_SECUREBITS_AMBIENT], [1],
+ [Set to 1 if securebits are available.]) ],
+ [ AC_MSG_RESULT([no]) ])
+
AC_MSG_CHECKING([for working capability drop])
AC_COMPILE_IFELSE([
AC_LANG_SOURCE([#include <sys/prctl.h>
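Review bot: The probe passes the securebits mask as prctl's first (option) argument, so it only proves that the two `SECBIT_NO_CAP_AMBIENT_RAISE*` macros exist and does not mirror the call made in src/jail.c; write it as `prctl(PR_SET_SECUREBITS, SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED);`. The AC_DEFINE description is also broader than the test and would read better as `[Set to 1 if the ambient-raise securebits are available.]`. Because this is a compile-only check, it reflects the build host's kernel headers rather than the kernel the binary runs on. A binary built against newer headers and run on an older kernel would presumably still hit the FATAL path in jail_childfn, which is worth a comment next to the check.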
diff --git a/src/jail.c b/src/jail.c
index b307706..1b35cc7 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -42,7 +42,9 @@
#include <pty.h>
#include <utmp.h>
#include <limits.h>
+#ifdef HAVE_SECUREBITS_AMBIENT
#include <linux/securebits.h>
+#endif
#include <sys/signalfd.h>
#include <sys/wait.h>
#include <sys/prctl.h>
@@ -310,10 +312,12 @@ static int jail_childfn(prisoner_process *ctx)
set_procname("[potd] jail-client");
if (prctl(PR_SET_PDEATHSIG, SIGTERM) != 0)
FATAL("%s", "Jail child setting deathsig");
+#ifdef HAVE_SECUREBITS_AMBIENT
if (prctl(PR_SET_SECUREBITS,
SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED))
FATAL("%s", "Jail child setting securebits");
+#endif
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
FATAL("%s", "Jail child setting no new privs");
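Review bot: Wrapping the whole `prctl(PR_SET_SECUREBITS, ...)` call in `#ifdef HAVE_SECUREBITS_AMBIENT` also drops `SECBIT_NOROOT | SECBIT_NOROOT_LOCKED` whenever the ambient-raise bits are missing, so a build against older headers runs the jail child with no securebits set and nothing reports the weaker confinement. Only the two `SECBIT_NO_CAP_AMBIENT_RAISE*` flags need the guard; the NOROOT pair should stay unconditional. That in turn means the `#ifdef` around `#include <linux/securebits.h>` in the earlier src/jail.c hunk should be removed, which is safe because configure.ac now lists that header as required. jail_childfn begins and ends outside this hunk.

```c
    /* ... unchanged: set_procname and PR_SET_PDEATHSIG ... */
    unsigned long secbits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
#ifdef HAVE_SECUREBITS_AMBIENT
    /* Ambient-raise bits are only present in newer kernel headers. */
    secbits |= SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED;
#endif
    if (prctl(PR_SET_SECUREBITS, secbits))
        FATAL("%s", "Jail child setting securebits");
    /* ... unchanged: PR_SET_NO_NEW_PRIVS ... */
```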