diff options
author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-21 22:30:06 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-05-21 22:30:06 +0200 |
commit | 4de442d472f33c1e6012a96c94069ef2923ea716 (patch) | |
tree | 9476b2f916467d8ae6b637ae31e8e88c76529ab4 | |
parent | 15dccd91c589cd3f376650759b42319f0f712205 (diff) |
POTD skeleton #72.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | configure.ac | 102 | ||||
-rw-r--r-- | src/Makefile.am | 4 | ||||
-rw-r--r-- | src/main.c | 7 | ||||
-rw-r--r-- | src/pseccomp.c | 10 |
5 files changed, 109 insertions, 15 deletions
@@ -0,0 +1 @@ +Toni Uhlig <matzeton@googlemail.com> diff --git a/configure.ac b/configure.ac index 719fa38..5edde66 100644 --- a/configure.ac +++ b/configure.ac @@ -38,31 +38,115 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([char foo;])], CFLAGS="$saved_CFLAGS" AC_SUBST(SYMBOL_VISIBILITY) -AC_CHECK_LIB(socket, connect) -AC_CHECK_LIB(pthread, pthread_create) +AC_CHECK_LIB([socket], [connect]) +AC_CHECK_LIB([pthread], [pthread_create]) dnl libssh-dev -PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3]) +PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3], [], + [ AC_MSG_ERROR([libssh >= 0.7.3 not found]) ]) AC_SUBST([libssh_CFLAGS]) AC_SUBST([libssh_LIBS]) dnl libseccomp-dev -PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1]) +PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1], [], + [ AC_MSG_ERROR([libseccomp >= 2.3.1 not found]) ]) AC_SUBST([libseccomp_CFLAGS]) AC_SUBST([libseccomp_LIBS]) +dnl Check for valgrind +PKG_CHECK_MODULES([valgrind], [valgrind >= 3.12.0], + [ AC_DEFINE([HAVE_VALGRIND], [1], + [Define to 1 if you have/want valgrind support]) ], + [ AC_MSG_ERROR([valgrind >= 3.12.0 not found]) ]) +AC_SUBST([valgrind_CFLAGS]) +AC_SUBST([valgrind_LIBS]) + dnl Check for std header files -AC_CHECK_HEADERS([stdio.h stdlib.h unistd.h string.h ctype.h assert.h sched.h signal.h errno.h]) +AC_CHECK_HEADERS([stdio.h ctype.h assert.h sched.h signal.h errno.h pwd.h]) dnl Check for system specific header files -AC_CHECK_HEADERS([pty.h linux/capability.h sys/types.h sys/wait.h sys/stat.h]) -AC_CHECK_HEADERS([libutil.h pthread.h pty.h strings.h syslog.h sys/prctl.h \ - sys/uio.h poll.h sys/epoll.h util.h]) +AC_CHECK_HEADERS([pty.h linux/capability.h sys/wait.h]) +AC_CHECK_HEADERS([libutil.h pthread.h syslog.h sys/prctl.h linux/limits.h \ + sys/uio.h poll.h sys/epoll.h sys/sysmacros.h sys/mount.h util.h]) + +dnl Check for GAI header +AC_CHECK_HEADERS([netdb.h]) + +AC_MSG_CHECKING([for working va_arg]) +AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([#include <stdio.h> + #include <stdarg.h> + int fn(const char *fmt, ...) \ + { char buf[[32]] = {0}; va_list arglist; \ + va_start(arglist, fmt); \ + vsnprintf(buf, sizeof buf, fmt, arglist); \ + va_end(arglist); return 0; }]) + ], + AC_MSG_RESULT([yes]), + [ AC_MSG_RESULT([no]) + AC_MSG_ERROR([va_arg does not work as expected]) ]) + +AC_MSG_CHECKING([for assert]) +AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([#include <assert.h> + int fn(void) \ + { assert(0); return 0; }]) + ], + AC_MSG_RESULT([yes]), + [ AC_MSG_RESULT([no]) + AC_MSG_ERROR([assertion macro missing]) ]) + +AC_MSG_CHECKING([for working capability drop]) +AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([#include <sys/prctl.h> + #include <linux/capability.h> + int fn(void) \ + { int caps[[]] = {CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_SYS_BOOT, \ + CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN, \ + CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_AUDIT_CONTROL, \ + CAP_AUDIT_READ, CAP_AUDIT_WRITE, CAP_SYS_PTRACE, \ + CAP_SYS_PACCT, CAP_SYS_CHROOT}; \ + int i; \ + for (i = 0; i < sizeof(caps)/sizeof(caps[[0]]); ++i) \ + prctl(PR_CAPBSET_DROP, caps[[i]], 0, 0, 0); \ + return 0; }]) + ], + AC_MSG_RESULT([yes]), + [ AC_MSG_RESULT([no]) + AC_MSG_ERROR([required capability drop does not work]) ]) + +AC_MSG_CHECKING([for working unshare]) +AC_COMPILE_IFELSE([ + AC_LANG_SOURCE([#define _GNU_SOURCE 1 + #include <sched.h> + int fn(void) \ + { int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC| \ + CLONE_NEWNS|CLONE_NEWNET; \ + return unshare(unshare_flags); }]) + ], + AC_MSG_RESULT([yes]), + [ AC_MSG_RESULT([no]) + AC_MSG_ERROR([required unshare function does not work]) ]) dnl Most systems require linking against libutil.so in order to get forkpty() -AC_CHECK_FUNCS(forkpty, [], +AC_CHECK_FUNCS([forkpty], [], [AC_CHECK_LIB(util, forkpty, [LIBS="-lutil $LIBS" AC_DEFINE(HAVE_FORKPTY)])]) +dnl minimum required functions +AC_CHECK_FUNCS([open read write close malloc free memset memcpy fork unshare \ + getpwnam getgrnam setreuid setregid \ + wait waitpid isprint remove unlink mkdir access stat chroot chdir mount umount mknod \ + strncat strncpy snprintf vsnprintf printf fprintf getpid \ + prctl signal signalfd fcntl getenv kill exit \ + setsockopt socket connect accept bind listen], [], + [ AC_MSG_ERROR([required function not available]) ]) +dnl GAI functions +AC_CHECK_FUNCS([getaddrinfo getnameinfo freeaddrinfo], [], + [ AC_MSG_ERROR([required GAI function not available]) ]) +dnl epoll functions +AC_CHECK_FUNCS([epoll_create1 epoll_ctl epoll_pwait], [], + [ AC_MSG_ERROR([required epoll function not available]) ]) + AC_OUTPUT(Makefile src/Makefile) diff --git a/src/Makefile.am b/src/Makefile.am index f3491cf..22c879f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,5 +1,5 @@ -AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY) -AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS) +AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(valgrind_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY) +AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS) $(valgrind_LIBS) sbin_PROGRAMS = potd potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c pseccomp.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c @@ -1,3 +1,7 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include <stdio.h> #include <assert.h> #include <sys/types.h> @@ -12,9 +16,6 @@ #include "protocol_ssh.h" #include "forward.h" #include "jail.h" -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif static void jail_preinit(const char *jail_ports[], jail_ctx *ctx[], const size_t siz); diff --git a/src/pseccomp.c b/src/pseccomp.c index c794fdb..e991d46 100644 --- a/src/pseccomp.c +++ b/src/pseccomp.c @@ -1,6 +1,12 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include <assert.h> #include <sys/prctl.h> -#include <valgrind/valgrind.h> +#ifdef HAVE_VALGRIND +#include <valgrind.h> +#endif #include "pseccomp.h" #include "log.h" @@ -75,10 +81,12 @@ static const int jail_allowed_syscalls[] = { static int pseccomp_using_valgrind(void) { +#ifdef HAVE_VALGRIND if (RUNNING_ON_VALGRIND) { W("%s", "SECCOMP: running on valgrind, disabled"); return 1; } +#endif return 0; } |