mirror of
https://git.tukaani.org/xz.git
synced 2024-04-04 12:36:23 +02:00
Build: Fix Linux Landlock feature test in Autotools and CMake builds.
The previous Linux Landlock feature test assumed that having the linux/landlock.h header file was enough. The new feature tests also requires that prctl() and the required Landlock system calls are supported.
This commit is contained in:
parent
d85efdc891
commit
a100f9111c
5 changed files with 54 additions and 10 deletions
|
@ -901,10 +901,29 @@ endif()
|
||||||
|
|
||||||
# Sandboxing: Landlock
|
# Sandboxing: Landlock
|
||||||
if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
|
if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
|
||||||
check_include_file(linux/landlock.h HAVE_LINUX_LANDLOCK_H)
|
# A compile check is done here because some systems have
|
||||||
|
# linux/landlock.h, but do not have the syscalls defined
|
||||||
|
# in order to actually use Linux Landlock.
|
||||||
|
check_c_source_compiles("
|
||||||
|
#include <linux/landlock.h>
|
||||||
|
#include <sys/syscall.h>
|
||||||
|
#include <sys/prctl.h>
|
||||||
|
.
|
||||||
|
void my_sandbox(void)
|
||||||
|
{
|
||||||
|
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
||||||
|
(void)SYS_landlock_create_ruleset;
|
||||||
|
(void)SYS_landlock_restrict_self;
|
||||||
|
(void)LANDLOCK_CREATE_RULESET_VERSION;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if(HAVE_LINUX_LANDLOCK_H)
|
int main(void) { return 0; }
|
||||||
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK_H")
|
"
|
||||||
|
HAVE_LINUX_LANDLOCK)
|
||||||
|
|
||||||
|
if(HAVE_LINUX_LANDLOCK)
|
||||||
|
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK")
|
||||||
set(SANDBOX_FOUND ON)
|
set(SANDBOX_FOUND ON)
|
||||||
|
|
||||||
# Of our three sandbox methods, only Landlock is incompatible
|
# Of our three sandbox methods, only Landlock is incompatible
|
||||||
|
|
27
configure.ac
27
configure.ac
|
@ -1177,12 +1177,37 @@ AS_CASE([$enable_sandbox],
|
||||||
)
|
)
|
||||||
AS_CASE([$enable_sandbox],
|
AS_CASE([$enable_sandbox],
|
||||||
[auto | landlock], [
|
[auto | landlock], [
|
||||||
AC_CHECK_HEADERS([linux/landlock.h], [
|
AC_MSG_CHECKING([if Linux Landlock is usable])
|
||||||
|
|
||||||
|
# A compile check is done here because some systems have
|
||||||
|
# linux/landlock.h, but do not have the syscalls defined
|
||||||
|
# in order to actually use Linux Landlock.
|
||||||
|
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
|
||||||
|
#include <linux/landlock.h>
|
||||||
|
#include <sys/syscall.h>
|
||||||
|
#include <sys/prctl.h>
|
||||||
|
|
||||||
|
void my_sandbox(void)
|
||||||
|
{
|
||||||
|
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
||||||
|
(void)SYS_landlock_create_ruleset;
|
||||||
|
(void)SYS_landlock_restrict_self;
|
||||||
|
(void)LANDLOCK_CREATE_RULESET_VERSION;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
]])], [
|
||||||
enable_sandbox=found
|
enable_sandbox=found
|
||||||
|
|
||||||
AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([
|
AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([
|
||||||
CFLAGS contains '-fsanitize=' which is incompatible with the Landlock
|
CFLAGS contains '-fsanitize=' which is incompatible with the Landlock
|
||||||
sandboxing. Use --disable-sandbox when using '-fsanitize'.])])
|
sandboxing. Use --disable-sandbox when using '-fsanitize'.])])
|
||||||
|
|
||||||
|
AC_DEFINE([HAVE_LINUX_LANDLOCK], [1],
|
||||||
|
[Define to 1 if Linux Landlock is supported.
|
||||||
|
See configure.ac for details.])
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
], [
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
])
|
])
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
|
@ -109,7 +109,7 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#elif defined(HAVE_LINUX_LANDLOCK_H)
|
#elif defined(HAVE_LINUX_LANDLOCK)
|
||||||
|
|
||||||
//////////////
|
//////////////
|
||||||
// Landlock //
|
// Landlock //
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
//
|
//
|
||||||
///////////////////////////////////////////////////////////////////////////////
|
///////////////////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK_H) \
|
#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK) \
|
||||||
|| defined(HAVE_CAP_RIGHTS_LIMIT)
|
|| defined(HAVE_CAP_RIGHTS_LIMIT)
|
||||||
# define ENABLE_SANDBOX 1
|
# define ENABLE_SANDBOX 1
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -24,14 +24,14 @@
|
||||||
# include <sys/capsicum.h>
|
# include <sys/capsicum.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_LINUX_LANDLOCK_H
|
#ifdef HAVE_LINUX_LANDLOCK
|
||||||
# include <linux/landlock.h>
|
# include <linux/landlock.h>
|
||||||
# include <sys/prctl.h>
|
# include <sys/prctl.h>
|
||||||
# include <sys/syscall.h>
|
# include <sys/syscall.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|
||||||
|| defined(HAVE_LINUX_LANDLOCK_H)
|
|| defined(HAVE_LINUX_LANDLOCK)
|
||||||
# define ENABLE_SANDBOX 1
|
# define ENABLE_SANDBOX 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -325,7 +325,7 @@ sandbox_enter(int src_fd)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
(void)src_fd;
|
(void)src_fd;
|
||||||
#elif defined(HAVE_LINUX_LANDLOCK_H)
|
#elif defined(HAVE_LINUX_LANDLOCK)
|
||||||
int landlock_abi = syscall(SYS_landlock_create_ruleset,
|
int landlock_abi = syscall(SYS_landlock_create_ruleset,
|
||||||
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
|
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
|
||||||
|
|
||||||
|
@ -389,7 +389,7 @@ main(int argc, char **argv)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_LINUX_LANDLOCK_H
|
#ifdef HAVE_LINUX_LANDLOCK
|
||||||
// Prevent the process from gaining new privileges. The return
|
// Prevent the process from gaining new privileges. The return
|
||||||
// is ignored to keep compatibility with old kernels.
|
// is ignored to keep compatibility with old kernels.
|
||||||
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
|
||||||
|
|
Loading…
Reference in a new issue