POTD skeleton #72.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 22:30:06 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2018-05-21 22:30:06 +0200
commit: 4de442d472f33c1e6012a96c94069ef2923ea716 (patch)
tree: 9476b2f916467d8ae6b637ae31e8e88c76529ab4
parent: 15dccd91c589cd3f376650759b42319f0f712205 (diff)
5 files changed, 109 insertions, 15 deletions
diff --git a/AUTHORS b/AUTHORS
index e69de29..d562d9b 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -0,0 +1 @@
+Toni Uhlig <matzeton@googlemail.com>
diff --git a/configure.ac b/configure.ac
index 719fa38..5edde66 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,31 +38,115 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([char foo;])],
 CFLAGS="$saved_CFLAGS"
 AC_SUBST(SYMBOL_VISIBILITY)
 
-AC_CHECK_LIB(socket, connect)
-AC_CHECK_LIB(pthread, pthread_create)
+AC_CHECK_LIB([socket], [connect])
+AC_CHECK_LIB([pthread], [pthread_create])
 
 dnl libssh-dev
-PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3])
+PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3], [],
+      [ AC_MSG_ERROR([libssh >= 0.7.3 not found]) ])
 AC_SUBST([libssh_CFLAGS])
 AC_SUBST([libssh_LIBS])
 
 dnl libseccomp-dev
-PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1])
+PKG_CHECK_MODULES([libseccomp], [libseccomp >= 2.3.1], [],
+      [ AC_MSG_ERROR([libseccomp >= 2.3.1 not found]) ])
 AC_SUBST([libseccomp_CFLAGS])
 AC_SUBST([libseccomp_LIBS])
 
+dnl Check for valgrind
+PKG_CHECK_MODULES([valgrind], [valgrind >= 3.12.0],
+      [ AC_DEFINE([HAVE_VALGRIND], [1],
+        [Define to 1 if you have/want valgrind support]) ],
+      [ AC_MSG_ERROR([valgrind >= 3.12.0 not found]) ])
+AC_SUBST([valgrind_CFLAGS])
+AC_SUBST([valgrind_LIBS])
+
 dnl Check for std header files
-AC_CHECK_HEADERS([stdio.h stdlib.h unistd.h string.h ctype.h assert.h sched.h signal.h errno.h])
+AC_CHECK_HEADERS([stdio.h ctype.h assert.h sched.h signal.h errno.h pwd.h])
 
 dnl Check for system specific header files
-AC_CHECK_HEADERS([pty.h linux/capability.h sys/types.h sys/wait.h sys/stat.h])
-AC_CHECK_HEADERS([libutil.h pthread.h pty.h strings.h syslog.h sys/prctl.h \
-                  sys/uio.h poll.h sys/epoll.h util.h])
+AC_CHECK_HEADERS([pty.h linux/capability.h sys/wait.h])
+AC_CHECK_HEADERS([libutil.h pthread.h syslog.h sys/prctl.h linux/limits.h \
+                  sys/uio.h poll.h sys/epoll.h sys/sysmacros.h sys/mount.h util.h])
+
+dnl Check for GAI header
+AC_CHECK_HEADERS([netdb.h])
+
+AC_MSG_CHECKING([for working va_arg])
+AC_COMPILE_IFELSE([
+      AC_LANG_SOURCE([#include <stdio.h>
+                      #include <stdarg.h>
+        int fn(const char *fmt, ...) \
+        { char buf[[32]] = {0}; va_list arglist; \
+          va_start(arglist, fmt); \
+          vsnprintf(buf, sizeof buf, fmt, arglist); \
+          va_end(arglist); return 0; }])
+      ],
+      AC_MSG_RESULT([yes]),
+      [ AC_MSG_RESULT([no])
+        AC_MSG_ERROR([va_arg does not work as expected]) ])
+
+AC_MSG_CHECKING([for assert])
+AC_COMPILE_IFELSE([
+      AC_LANG_SOURCE([#include <assert.h>
+        int fn(void) \
+        { assert(0); return 0; }])
+      ],
+      AC_MSG_RESULT([yes]),
+      [ AC_MSG_RESULT([no])
+        AC_MSG_ERROR([assertion macro missing]) ])
+
+AC_MSG_CHECKING([for working capability drop])
+AC_COMPILE_IFELSE([
+      AC_LANG_SOURCE([#include <sys/prctl.h>
+                      #include <linux/capability.h>
+        int fn(void) \
+        { int caps[[]] = {CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_SYS_BOOT, \
+            CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_MKNOD, CAP_SYS_ADMIN, \
+            CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_AUDIT_CONTROL, \
+            CAP_AUDIT_READ, CAP_AUDIT_WRITE, CAP_SYS_PTRACE, \
+            CAP_SYS_PACCT, CAP_SYS_CHROOT}; \
+          int i; \
+          for (i = 0; i < sizeof(caps)/sizeof(caps[[0]]); ++i) \
+              prctl(PR_CAPBSET_DROP, caps[[i]], 0, 0, 0); \
+          return 0; }])
+      ],
+      AC_MSG_RESULT([yes]),
+      [ AC_MSG_RESULT([no])
+        AC_MSG_ERROR([required capability drop does not work]) ])
+
+AC_MSG_CHECKING([for working unshare])
+AC_COMPILE_IFELSE([
+      AC_LANG_SOURCE([#define _GNU_SOURCE 1
+                      #include <sched.h>
+        int fn(void) \
+        { int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC| \
+			CLONE_NEWNS|CLONE_NEWNET; \
+          return unshare(unshare_flags); }])
+      ],
+      AC_MSG_RESULT([yes]),
+      [ AC_MSG_RESULT([no])
+        AC_MSG_ERROR([required unshare function does not work]) ])
 
 dnl Most systems require linking against libutil.so in order to get forkpty()
-AC_CHECK_FUNCS(forkpty, [],
+AC_CHECK_FUNCS([forkpty], [],
                [AC_CHECK_LIB(util, forkpty,
                [LIBS="-lutil $LIBS"
                 AC_DEFINE(HAVE_FORKPTY)])])
+dnl minimum required functions
+AC_CHECK_FUNCS([open read write close malloc free memset memcpy fork unshare \
+                getpwnam getgrnam setreuid setregid \
+                wait waitpid isprint remove unlink mkdir access stat chroot chdir mount umount mknod \
+                strncat strncpy snprintf vsnprintf printf fprintf getpid \
+                prctl signal signalfd fcntl getenv kill exit \
+                setsockopt socket connect accept bind listen], [],
+      [ AC_MSG_ERROR([required function not available]) ])
+dnl GAI functions
+AC_CHECK_FUNCS([getaddrinfo getnameinfo freeaddrinfo], [],
+      [ AC_MSG_ERROR([required GAI function not available]) ])
+dnl epoll functions
+AC_CHECK_FUNCS([epoll_create1 epoll_ctl epoll_pwait], [],
+      [ AC_MSG_ERROR([required epoll function not available]) ])
+
 
 AC_OUTPUT(Makefile src/Makefile)
diff --git a/src/Makefile.am b/src/Makefile.am
index f3491cf..22c879f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
-AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS)
+AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(libseccomp_CFLAGS) $(valgrind_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
+AM_LDFLAGS = $(libssh_LIBS) $(libseccomp_LIBS) $(valgrind_LIBS)
 
 sbin_PROGRAMS = potd
 potd_SOURCES = utils.c log.c log_colored.c socket.c pevent.c capabilities.c pseccomp.c jail.c forward.c redirector.c protocol.c protocol_ssh.c main.c
diff --git a/src/main.c b/src/main.c
index 65d4eb3..9d7b6f7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1,3 +1,7 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include <stdio.h>
 #include <assert.h>
 #include <sys/types.h>
@@ -12,9 +16,6 @@
 #include "protocol_ssh.h"
 #include "forward.h"
 #include "jail.h"
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
 
 static void jail_preinit(const char *jail_ports[], jail_ctx *ctx[],
                          const size_t siz);
diff --git a/src/pseccomp.c b/src/pseccomp.c
index c794fdb..e991d46 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -1,6 +1,12 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
 #include <assert.h>
 #include <sys/prctl.h>
-#include <valgrind/valgrind.h>
+#ifdef HAVE_VALGRIND
+#include <valgrind.h>
+#endif
 
 #include "pseccomp.h"
 #include "log.h"
@@ -75,10 +81,12 @@ static const int jail_allowed_syscalls[] = {
 
 static int pseccomp_using_valgrind(void)
 {
+#ifdef HAVE_VALGRIND
     if (RUNNING_ON_VALGRIND) {
         W("%s", "SECCOMP: running on valgrind, disabled");
         return 1;
     }
+#endif
     return 0;
 }
author	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 22:30:06 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2018-05-21 22:30:06 +0200
commit	4de442d472f33c1e6012a96c94069ef2923ea716 (patch)
tree	9476b2f916467d8ae6b637ae31e8e88c76529ab4
parent	15dccd91c589cd3f376650759b42319f0f712205 (diff)