authorToni Uhlig <matzeton@googlemail.com>2018-06-25 02:02:56 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-06-25 10:51:24 +0200
commit4bc4a786e8a4107494070d033cec0550bfd08085 (patch)
treef673d33fd0895b587456278a84580f9a1c5a1151
parent51e041fddb5f00bde2001fca8ff6b8cf3e728a89 (diff)
libseccomp is now optional but still recommended
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--.gitlab-ci.yml18
-rw-r--r--configure.ac14
-rw-r--r--src/Makefile.am5
-rw-r--r--src/jail.c15
-rw-r--r--src/main.c8
-rw-r--r--src/protocol_ssh.c16
6 files changed, 69 insertions, 7 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c78f1ad..b3c929d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,12 +8,20 @@ build-debian:
script:
- apt-get update -qq && apt-get install -y -qq coreutils make autoconf automake gcc pkg-config libseccomp-dev libssh-dev valgrind
- ./autogen.sh
+ - CFLAGS="-DHAVE_SECCOMP=1" ./configure
+ - make V=s
+ - TERM=linux valgrind --error-exitcode=1 ./src/potd --test --redirect 127.0.0.1:2222:127.0.0.1:22222 --protocol 127.0.0.1:22222:127.0.0.1:33333 --jail 127.0.0.1:33333
+ - cp ./src/potd ./src/potd-full
+ - cp ./config.log ./config-full.log
+ - apt-get purge -y -qq libseccomp2 libseccomp-dev
- ./configure
- make V=s
- TERM=linux valgrind --error-exitcode=1 ./src/potd --test --redirect 127.0.0.1:2222:127.0.0.1:22222 --protocol 127.0.0.1:22222:127.0.0.1:33333 --jail 127.0.0.1:33333
stage: build
artifacts:
paths:
+ - ./src/potd-full
+ - ./config-full.log
- ./src/potd
- ./config.log
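Review bot: Passing `CFLAGS="-DHAVE_SECCOMP=1" ./configure` replaces autoconf's default CFLAGS (normally `-g -O2`), so `potd-full` is built without optimisation and debug info while the second `./configure` build keeps the defaults, and the two valgrind runs exercise differently compiled binaries. Since configure.ac in this commit already defines HAVE_SECCOMP when libseccomp is found, the override only serves to make the first build fail if libseccomp were missing; an explicit check such as `- grep -q 'define HAVE_SECCOMP 1' config.h` after the first configure expresses that intent without touching CFLAGS. The same applies to the build-arch job below.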
@@ -22,12 +30,20 @@ build-arch:
script:
- pacman -Syu --noconfirm coreutils make autoconf automake gcc pkg-config libseccomp libssh valgrind
- ./autogen.sh
- - ./configure
+ - CFLAGS="-DHAVE_SECCOMP=1" ./configure
- make V=s
- TERM=linux valgrind --error-exitcode=1 ./src/potd --test --redirect 127.0.0.1:2222:127.0.0.1:22222 --protocol 127.0.0.1:22222:127.0.0.1:33333 --jail 127.0.0.1:33333
+ - cp ./src/potd ./src/potd-full
+ - cp ./config.log ./config-full.log
+ - pacman -Rsn --noconfirm libseccomp
+ - ./configure
+ - make V=s
+ - TERM=linux valgrind --error-exitcode=1 ./src/potd --test --redirect 127.0.0.1:2222:127.0.0.1:22222 --protocol 127.0.0.1:22222:127.0.0.1:33333 --jail 127.0.0.1:33332
stage: test
artifacts:
paths:
+ - ./src/potd-full
+ - ./config-full.log
- ./src/potd
- ./config.log
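Review bot: The last valgrind invocation in this hunk uses `--jail 127.0.0.1:33332` while `--protocol` still forwards to `127.0.0.1:33333`, and every other invocation in the file pairs both on 33333; this looks like a typo rather than an intended change. If `--test` does not actually connect the stages, the mismatch will go unnoticed in CI, so it should be corrected to `--jail 127.0.0.1:33333`.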
diff --git a/configure.ac b/configure.ac
index 5385593..92b5d11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -68,7 +68,7 @@ AC_CHECK_HEADERS([linux/capability.h sys/wait.h sys/ioctl.h net/if.h netinet/in.
[ AC_MSG_ERROR([required system specific header not available]) ])
AC_CHECK_HEADERS([libutil.h pthread.h syslog.h sys/prctl.h linux/limits.h \
sys/uio.h poll.h sys/epoll.h sys/sysmacros.h sys/mount.h \
- util.h execinfo])
+ util.h execinfo.h])
dnl Check for GAI header
AC_CHECK_HEADERS([netdb.h])
@@ -212,11 +212,17 @@ AS_IF([test "x${libssh_require_gssapi}" = xyes],
])
dnl libseccomp-dev
-PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.2.1], [],
- [ AC_MSG_ERROR([pkg-config: libseccomp >= 2.2.1 not found]) ])
+PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.2.1],
+ [ have_seccomp="yes" ],
+ [ have_seccomp="no" ])
saved_CFLAGS="$CFLAGS $libseccomp_CFLAGS"
saved_LIBS="$LIBS $libseccomp_LIBS"
-AC_CHECK_LIB([seccomp], [seccomp_init], [], [AC_MSG_ERROR([final link against libseccomp failed])])
+AC_CHECK_LIB([seccomp], [seccomp_init],
+ [ have_seccomp="yes"
+ AC_DEFINE([HAVE_SECCOMP], [1], [Define to 1 if you have a working libseccomp])
+ ],
+ [ have_seccomp="no" ])
+AM_CONDITIONAL([HAVE_SECCOMP], [test "x${have_seccomp}" = xyes])
CFLAGS="$saved_CFLAGS"
LIBS="$saved_LIBS"
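Review bot: With an explicit action-if-found, `AC_CHECK_LIB` no longer adds `-lseccomp` to LIBS, so when pkg-config fails (no .pc file) but the library links, `have_seccomp` becomes yes and HAVE_SECCOMP is defined while `libseccomp_LIBS` stays empty, which would make the final link miss -lseccomp; that path also bypasses the `>= 2.2.1` requirement from PKG_CHECK_MODULES. Running the link test only when pkg-config succeeded closes both gaps, e.g. wrap it in `AS_IF([test "x${have_seccomp}" = xyes], [AC_CHECK_LIB(...)])`. A configure-time notice would also help packagers notice a sandbox-less build: `AS_IF([test "x${have_seccomp}" != xyes], [AC_MSG_WARN([libseccomp not found: building without seccomp sandboxing])])`.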
diff --git a/src/Makefile.am b/src/Makefile.am
index 9992659..1ac657b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,2 +1,5 @@
sbin_PROGRAMS = potd
-potd_SOURCES = utils.c options.c log.c log_colored.c log_file.c socket.c pevent.c capabilities.c pseccomp.c filesystem.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
+potd_SOURCES = utils.c options.c log.c log_colored.c log_file.c socket.c pevent.c capabilities.c filesystem.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
+if HAVE_SECCOMP
+potd_SOURCES += pseccomp.c
+endif
diff --git a/src/jail.c b/src/jail.c
index 23d8d4d..832d6c8 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -1,3 +1,7 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
#include <stdio.h>
#include <stdlib.h>
#include <sched.h>
@@ -13,7 +17,9 @@
#include "jail.h"
#include "socket.h"
+#ifdef HAVE_SECCOMP
#include "pseccomp.h"
+#endif
#include "capabilities.h"
#include "filesystem.h"
#include "utils.h"
@@ -261,7 +267,9 @@ static int jail_childfn(prisoner_process *ctx)
CLONE_NEWNS/*|CLONE_NEWUSER*/;
//unsigned int ug_map[3] = { 0, 10000, 65535 };
pid_t self_pid, child_pid;
+#ifdef HAVE_SECCOMP
pseccomp_ctx *psc = NULL;
+#endif
assert(ctx);
self_pid = getpid();
@@ -285,7 +293,6 @@ static int jail_childfn(prisoner_process *ctx)
FATAL("Setup network namespace for pid %d", self_pid);
caps_drop_dac_override(0);
- //caps_drop_all(); /* TODO: If seccomp not avail, drop all caps! */
D2("Unshare prisoner %d", self_pid);
if (unshare(unshare_flags))
@@ -391,12 +398,18 @@ static int jail_childfn(prisoner_process *ctx)
" -----------------------------------------------------\n"
);
+#ifdef HAVE_SECCOMP
pseccomp_set_immutable();
pseccomp_init(&psc,
(getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0));
if (pseccomp_jail_rules(psc))
FATAL("%s", "SECCOMP: adding jail rules");
pseccomp_free(&psc);
+#else
+ /* libseccomp is not available, so drop at least all caps */
+ W2("%s", "Compiled without libseccomp, dropping ALL capabilities");
+ caps_drop_all();
+#endif
sethostname("openwrt", SIZEOF("openwrt"));
if (execl(path_shell, path_shell, (char *) NULL))
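Review bot: In the new `#else` branch `caps_drop_all()` runs before `sethostname("openwrt", SIZEOF("openwrt"));`, and sethostname needs CAP_SYS_ADMIN in the UTS namespace, so in the no-seccomp build the hostname change is expected to fail and its return value is not checked. Moving the `sethostname(...)` call above the `#ifdef HAVE_SECCOMP` block (or checking its result) keeps both builds behaving the same. If `pseccomp_jail_rules()` does not itself need capabilities, calling `caps_drop_all()` unconditionally before installing the filter would also give the seccomp build the same capability floor as the fallback, which is worth confirming against the pseccomp implementation. jail_childfn's body starts and ends outside this hunk.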
diff --git a/src/main.c b/src/main.c
index 235a0f5..7fe4884 100644
--- a/src/main.c
+++ b/src/main.c
@@ -7,7 +7,9 @@
#include <sys/types.h>
#include <sys/wait.h>
+#ifdef HAVE_SECCOMP
#include "pseccomp.h"
+#endif
#include "capabilities.h"
#include "log.h"
#include "log_colored.h"
@@ -285,7 +287,9 @@ int main(int argc, char *argv[])
char *value;
int proc_status;
pid_t daemon_pid, child_pid;
+#ifdef HAVE_SECCOMP
pseccomp_ctx *psc = NULL;
+#endif
(void) argc;
(void) argv;
@@ -341,11 +345,15 @@ int main(int argc, char *argv[])
}
caps_default_filter();
+#ifdef HAVE_SECCOMP
pseccomp_init(&psc,
(getopt_used(OPT_SECCOMP_MINIMAL) ? PS_MINIMUM : 0));
if (pseccomp_default_rules(psc))
FATAL("%s", "SECCOMP: adding default rules");
pseccomp_free(&psc);
+#else
+ W("%s", "Compiled without libseccomp, this may have a security impact.");
+#endif
D("%s", "Forking into background/foreground");
daemon_pid = daemonize(!getopt_used(OPT_DAEMON));
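Review bot: The `#else` branch only emits a generic warning, so an option the user passed for `OPT_SECCOMP_MINIMAL` (still consulted in the `#ifdef` branch) is now silently ignored in a build without libseccomp. Assuming option parsing is unchanged, a targeted message makes the degraded configuration visible to the operator: `if (getopt_used(OPT_SECCOMP_MINIMAL)) W("%s", "Seccomp option ignored: compiled without libseccomp");`. main's body continues outside this hunk.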
diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c
index 2ae0a07..bc33e66 100644
--- a/src/protocol_ssh.c
+++ b/src/protocol_ssh.c
@@ -1,3 +1,7 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
@@ -13,7 +17,9 @@
#include "protocol_ssh.h"
#include "protocol.h"
+#ifdef HAVE_SECCOMP
#include "pseccomp.h"
+#endif
#include "options.h"
#include "utils.h"
#include "log.h"
@@ -126,7 +132,9 @@ int ssh_on_listen(protocol_ctx *ctx)
pid_t p;
int s;
ssh_data *d = (ssh_data *) ctx->src.data;
+#ifdef HAVE_SECCOMP
pseccomp_ctx *psc = NULL;
+#endif
if (ssh_bind_options_set(d->sshbind, SSH_BIND_OPTIONS_BINDADDR,
ctx->src.host_buf))
@@ -153,10 +161,12 @@ int ssh_on_listen(protocol_ctx *ctx)
ssh_bind_get_fd(d->sshbind));
return 1;
case 0:
+#ifdef HAVE_SECCOMP
pseccomp_set_immutable();
pseccomp_init(&psc, PS_ALLOW|PS_MINIMUM);
s = pseccomp_protocol_rules(psc);
pseccomp_free(&psc);
+#endif
if (s) {
E_STRERR("%s", "Could not add seccomp rules");
return -1;
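Review bot: In the no-seccomp build `s` is read at `if (s)` although the only assignment in this hunk, `s = pseccomp_protocol_rules(psc);`, is compiled out; unless `s` is assigned in the lines between this hunk and the previous one (not visible here), the child reads an uninitialized local and may return -1 with a misleading "Could not add seccomp rules" error. Initialising the declaration in the previous hunk, `int s = 0;`, or moving the `if (s)` check inside the `#ifdef HAVE_SECCOMP` block, removes the undefined read. ssh_on_listen's body continues outside this hunk.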
@@ -346,6 +356,9 @@ static int gen_export_sshkey(enum ssh_keytypes_e type, int length, const char *p
static void ssh_log_cb(int priority, const char *function,
const char *buffer, void *userdata)
{
+ (void) function;
+ (void) userdata;
+
switch (priority) {
case 0:
W("libssh: %s", buffer);
@@ -538,6 +551,9 @@ static int authenticate(ssh_session session)
static int auth_password(const char *user, const char *password)
{
+ (void) user;
+ (void) password;
+
/*
if(strcmp(user, SSHD_USER))
return 0;