authorToni Uhlig <matzeton@googlemail.com>2018-05-18 09:42:22 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-05-18 09:42:22 +0200
commitac5acb542df4b9e449dc2413388890ca1e30984e (patch)
tree05727509d14dec485135f70647a75971a9aea1bf
parentfce057d9dbce7719749c72b4ed8fe1a2ea99e6c3 (diff)
POTD skeleton #60.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--configure.ac45
-rw-r--r--src/Makefile.am2
-rw-r--r--src/jail.c22
3 files changed, 61 insertions, 8 deletions
diff --git a/configure.ac b/configure.ac
index 4474d40..790329c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,11 +4,40 @@ AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE
AM_SILENT_RULES([yes])
AM_MAINTAINER_MODE
+
+if test -z "$CFLAGS"; then
+ CFLAGS="-Os"
+fi
+
+AC_CANONICAL_HOST
AC_PROG_CC
AC_PROG_CC_STDC
+AC_PROG_INSTALL
AC_TYPE_SIZE_T
+# check for spectre mitigation
+saved_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -mindirect-branch=thunk"
+AC_MSG_CHECKING([if ${CC} supports -mindirect-branch=thunk spectre mitigation])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([char foo;])],
+ [ AC_MSG_RESULT([yes])
+ SPECTRE_MIT="-mindirect-branch=thunk" ],
+ AC_MSG_RESULT([no]))
+CFLAGS="$saved_CFLAGS"
+AC_SUBST(SPECTRE_MIT)
+
+# check for -fvisibility=hidden compiler support (GCC >= 4)
+saved_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -fvisibility=hidden -fvisibility-inlines-hidden"
+AC_MSG_CHECKING([if ${CC} supports -fvisibility=hidden -fvisibility-inlines-hidden])
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([char foo;])],
+ [ AC_MSG_RESULT([yes])
+ SYMBOL_VISIBILITY="-fvisibility=hidden" ],
+ AC_MSG_RESULT([no]))
+CFLAGS="$saved_CFLAGS"
+AC_SUBST(SYMBOL_VISIBILITY)
+
AC_CHECK_LIB(socket, connect)
AC_CHECK_LIB(pthread, pthread_create)
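Review bot: The visibility probe compiles with `-fvisibility=hidden -fvisibility-inlines-hidden` but `SYMBOL_VISIBILITY` is then set to `-fvisibility=hidden` only, so the probe does not test the value that is substituted; `-fvisibility-inlines-hidden` is a C++ option that a C compiler typically only warns about. Both this probe and the `-mindirect-branch=thunk` one report "yes" whenever the compile exits successfully, which includes a compiler that warns about an option and ignores it. Probing exactly the flag that is used, with warnings promoted, makes the result trustworthy: `CFLAGS="$CFLAGS -Werror -mindirect-branch=thunk"` and `CFLAGS="$CFLAGS -Werror -fvisibility=hidden"`. A comment noting that `SPECTRE_MIT` stays empty on compilers without the option, so the build continues without the mitigation, would tell packagers what a "no" means.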
@@ -16,14 +45,18 @@ PKG_CHECK_MODULES([libssh], [libssh >= 0.7.3])
AC_SUBST([libssh_CFLAGS])
AC_SUBST([libssh_LIBS])
-dnl Check for header files that do not exist on all platforms
+dnl Check for std header files
+AC_CHECK_HEADERS([stdio.h stdlib.h unistd.h string.h ctype.h assert.h sched.h signal.h errno.h])
+
+dnl Check for system specific header files
+AC_CHECK_HEADERS([pty.h linux/capability.h sys/types.h sys/wait.h sys/stat.h])
AC_CHECK_HEADERS([libutil.h pthread.h pty.h strings.h syslog.h sys/prctl.h \
- sys/uio.h util.h])
+ sys/uio.h poll.h sys/epoll.h util.h])
-dnl Most systems require linking against libutil.so in order to get login_tty()
-AC_CHECK_FUNCS(login_tty, [],
- [AC_CHECK_LIB(util, login_tty,
+dnl Most systems require linking against libutil.so in order to get forkpty()
+AC_CHECK_FUNCS(forkpty, [],
+ [AC_CHECK_LIB(util, forkpty,
[LIBS="-lutil $LIBS"
- AC_DEFINE(HAVE_LOGIN_TTY)])])
+ AC_DEFINE(HAVE_FORKPTY)])])
AC_OUTPUT(Makefile src/Makefile)
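Review bot: The `forkpty` lookup has no failure branch: when the function is in neither libc nor libutil, `AC_CHECK_LIB(util, forkpty, ...)` takes no action and configure still succeeds, deferring the error to link time. A fourth argument such as `[AC_MSG_ERROR([forkpty() not found in libc or libutil])]` would state the requirement up front. The new `AC_CHECK_HEADERS` lines likewise only record `HAVE_*` results, so a missing `linux/capability.h` or `sched.h` is not reported as fatal here, and `pty.h` is listed in two of the calls.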
diff --git a/src/Makefile.am b/src/Makefile.am
index 07cfaff..61272a6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,4 +1,4 @@
-AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS)
+AM_CFLAGS = -pedantic -Wall -std=gnu99 -fstrict-aliasing -D_GNU_SOURCE=1 $(libssh_CFLAGS) $(SPECTRE_MIT) $(SYMBOL_VISIBILITY)
AM_LDFLAGS = $(libssh_LIBS)
sbin_PROGRAMS = potd
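Review bot: The visible `AM_CFLAGS` and `AM_LDFLAGS` lines gain the retpoline and visibility flags but carry no baseline memory-safety hardening, which is the more relevant protection for a daemon that parses traffic from untrusted SSH clients. Unless these are supplied elsewhere (the rest of the build setup is not visible), consider probing for and adding `-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE` to `AM_CFLAGS` and `-pie -Wl,-z,relro,-z,now` to `AM_LDFLAGS`, using the same probe pattern as the configure.ac checks. `_FORTIFY_SOURCE` needs optimisation enabled, which the new `-Os` default provides only when the user does not override `CFLAGS`.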
diff --git a/src/jail.c b/src/jail.c
index ff45bad..ad26b8e 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -10,6 +10,7 @@
#include "jail.h"
#include "socket.h"
+#include "capabilities.h"
#include "utils.h"
#include "log.h"
@@ -229,7 +230,6 @@ static int jail_childfn(prisoner_process *ctx)
const char *path_devpts = "/dev/pts";
const char *path_proc = "/proc";
const char *path_shell = "/bin/sh";
- //const char *path_self = "/proc/self/%s";
int s, master_fd;
int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|
CLONE_NEWNS|CLONE_NEWNET/*|CLONE_NEWUSER*/;
@@ -250,6 +250,8 @@ static int jail_childfn(prisoner_process *ctx)
if (clearenv())
FATAL("Clearing ENV for pid %d", self_pid);
+ caps_drop_dac_override(0);
+
D2("Unshare prisoner %d", self_pid);
if (unshare(unshare_flags))
FATAL("Unshare prisoner %d", self_pid);
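Review bot: The result of `caps_drop_dac_override(0);` is discarded, whereas `clearenv()` and `unshare()` on either side of it abort through `FATAL` on failure, so a failed capability drop would let the prisoner continue with CAP_DAC_OVERRIDE intact. Assuming the helper returns non-zero on error (its prototype is in capabilities.h, not visible here), the call should fail closed: `if (caps_drop_dac_override(0)) FATAL("Dropping CAP_DAC_OVERRIDE for pid %d", self_pid);`. A comment saying what the `0` argument selects, and why only this one capability is dropped before `unshare()` while the rest are kept, would help the next reader audit the privilege-reduction order. `jail_childfn` starts and ends outside this hunk, so any later drop of the remaining capabilities before the shell is executed cannot be confirmed from here.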
@@ -319,6 +321,24 @@ static int jail_childfn(prisoner_process *ctx)
*/
if (close_fds_except(0, 1, 2, -1))
exit(EXIT_FAILURE);
+ printf("%s",
+ " _______ ________ __\n"
+ " | |.-----.-----.-----.| | | |.----.| |_\n"
+ " | - || _ | -__| || | | || _|| _|\n"
+ " |_______|| __|_____|__|__||________||__| |____|\n"
+ " |__| W I R E L E S S F R E E D O M\n"
+ " -----------------------------------------------------\n"
+ " ATTITUDE ADJUSTMENT\n"
+ " -----------------------------------------------------\n"
+ " * 1/4 oz Vodka Pour all ingredients into mixing\n"
+ " * 1/4 oz Gin tin with ice, strain into glass.\n"
+ " * 1/4 oz Amaretto\n"
+ " * 1/4 oz Triple sec\n"
+ " * 1/4 oz Peach schnapps\n"
+ " * 1/4 oz Sour mix\n"
+ " * 1 splash Cranberry juice\n"
+ " -----------------------------------------------------\n"
+ );
if (execl(path_shell, path_shell, (char *) NULL))
exit(EXIT_FAILURE);
default:
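Review bot: The banner is written with `printf` and the process image is replaced by `execl` immediately afterwards; stdio buffers are not flushed across exec, so when stdout is not line-buffered (anything other than a terminal) the banner is silently lost. Adding `fflush(stdout);` between the `printf` call and `execl(path_shell, ...)` makes the output independent of the buffering mode. The banner text is also compiled into the binary, so a short comment saying that it imitates an OpenWrt login banner, or reading it from a file inside the jail root, would make it easier to change without a rebuild. `jail_childfn` starts and ends outside this hunk.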