
Build: Fix Linux Landlock feature test in Autotools and CMake builds.

The previous Linux Landlock feature test assumed that having the
linux/landlock.h header file was enough. The new feature test also
requires that prctl() and the required Landlock system calls are
supported by the headers and C library at build time.
This commit is contained in:
Jia Tan 2024-02-26 23:02:06 +08:00 committed by Lasse Collin
parent d85efdc891
commit a100f9111c
5 changed files with 54 additions and 10 deletions


@ -901,10 +901,29 @@ endif()
# Sandboxing: Landlock # Sandboxing: Landlock
if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$") if(NOT SANDBOX_FOUND AND ENABLE_SANDBOX MATCHES "^ON$|^landlock$")
check_include_file(linux/landlock.h HAVE_LINUX_LANDLOCK_H) # A compile check is done here because some systems have
# linux/landlock.h, but do not have the syscalls defined
# in order to actually use Linux Landlock.
check_c_source_compiles("
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
.
void my_sandbox(void)
{
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
(void)SYS_landlock_create_ruleset;
(void)SYS_landlock_restrict_self;
(void)LANDLOCK_CREATE_RULESET_VERSION;
return;
}
if(HAVE_LINUX_LANDLOCK_H) int main(void) { return 0; }
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK_H") "
HAVE_LINUX_LANDLOCK)
if(HAVE_LINUX_LANDLOCK)
set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK")
set(SANDBOX_FOUND ON) set(SANDBOX_FOUND ON)
# Of our three sandbox methods, only Landlock is incompatible # Of our three sandbox methods, only Landlock is incompatible
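Review bot: The comment introducing the check_c_source_compiles() block describes it as "a compile check", but check_c_source_compiles() goes through try_compile(), which by default builds and links a small executable; that is why the `int main(void) { return 0; }` line is needed and why this probe also verifies that prctl() actually resolves from libc, whereas the Autotools counterpart only compiles. A one-line note would keep someone from dropping the main() or treating the two probes as equivalent, e.g. `# check_c_source_compiles() also links, so this confirms prctl() is provided by libc, not merely declared (unless CMAKE_TRY_COMPILE_TARGET_TYPE is STATIC_LIBRARY).` It is also worth stating here that a passing test says nothing about the running kernel: from the later hunk, runtime support is still decided by the syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) probe in sandbox_enter(), so code built with HAVE_LINUX_LANDLOCK must keep handling that call failing. The enclosing if(NOT SANDBOX_FOUND ...) block continues past the end of this hunk.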


@ -1177,12 +1177,37 @@ AS_CASE([$enable_sandbox],
) )
AS_CASE([$enable_sandbox], AS_CASE([$enable_sandbox],
[auto | landlock], [ [auto | landlock], [
AC_CHECK_HEADERS([linux/landlock.h], [ AC_MSG_CHECKING([if Linux Landlock is usable])
# A compile check is done here because some systems have
# linux/landlock.h, but do not have the syscalls defined
# in order to actually use Linux Landlock.
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <linux/landlock.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
void my_sandbox(void)
{
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
(void)SYS_landlock_create_ruleset;
(void)SYS_landlock_restrict_self;
(void)LANDLOCK_CREATE_RULESET_VERSION;
return;
}
]])], [
enable_sandbox=found enable_sandbox=found
AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([ AS_CASE([$CFLAGS], [*-fsanitize=*], [AC_MSG_ERROR([
CFLAGS contains '-fsanitize=' which is incompatible with the Landlock CFLAGS contains '-fsanitize=' which is incompatible with the Landlock
sandboxing. Use --disable-sandbox when using '-fsanitize'.])]) sandboxing. Use --disable-sandbox when using '-fsanitize'.])])
AC_DEFINE([HAVE_LINUX_LANDLOCK], [1],
[Define to 1 if Linux Landlock is supported.
See configure.ac for details.])
AC_MSG_RESULT([yes])
], [
AC_MSG_RESULT([no])
]) ])
] ]
) )
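Review bot: AC_COMPILE_IFELSE only compiles the probe, so a toolchain whose sys/prctl.h declares prctl() but whose C library does not export it would still pass here, while the CMake check added by the same commit links an executable and would reject it. If the two builds are meant to agree, `AC_LINK_IFELSE([AC_LANG_PROGRAM([[...the three includes...]], [[...the body of my_sandbox()...]])])` gives the same strength of test; if compile-only is deliberate, a short comment saying why would stop a later reader from "fixing" it. The message "if Linux Landlock is usable" also reads like a runtime statement, but this only establishes that the header, the SYS_landlock_* numbers and prctl() exist at build time, with kernel support still decided at run time by the LANDLOCK_CREATE_RULESET_VERSION probe visible in the xzdec.c hunk; `AC_MSG_CHECKING([if Linux Landlock is available at build time])` would be more accurate.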


@ -109,7 +109,7 @@ sandbox_enable_strict_if_allowed(int src_fd lzma_attribute((__unused__)),
} }
#elif defined(HAVE_LINUX_LANDLOCK_H) #elif defined(HAVE_LINUX_LANDLOCK)
////////////// //////////////
// Landlock // // Landlock //


@ -9,7 +9,7 @@
// //
/////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////
#if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK_H) \ #if defined(HAVE_PLEDGE) || defined(HAVE_LINUX_LANDLOCK) \
|| defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_CAP_RIGHTS_LIMIT)
# define ENABLE_SANDBOX 1 # define ENABLE_SANDBOX 1
#endif #endif


@ -24,14 +24,14 @@
# include <sys/capsicum.h> # include <sys/capsicum.h>
#endif #endif
#ifdef HAVE_LINUX_LANDLOCK_H #ifdef HAVE_LINUX_LANDLOCK
# include <linux/landlock.h> # include <linux/landlock.h>
# include <sys/prctl.h> # include <sys/prctl.h>
# include <sys/syscall.h> # include <sys/syscall.h>
#endif #endif
#if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \ #if defined(HAVE_CAP_RIGHTS_LIMIT) || defined(HAVE_PLEDGE) \
|| defined(HAVE_LINUX_LANDLOCK_H) || defined(HAVE_LINUX_LANDLOCK)
# define ENABLE_SANDBOX 1 # define ENABLE_SANDBOX 1
#endif #endif
@ -325,7 +325,7 @@ sandbox_enter(int src_fd)
goto error; goto error;
(void)src_fd; (void)src_fd;
#elif defined(HAVE_LINUX_LANDLOCK_H) #elif defined(HAVE_LINUX_LANDLOCK)
int landlock_abi = syscall(SYS_landlock_create_ruleset, int landlock_abi = syscall(SYS_landlock_create_ruleset,
(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); (void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
@ -389,7 +389,7 @@ main(int argc, char **argv)
} }
#endif #endif
#ifdef HAVE_LINUX_LANDLOCK_H #ifdef HAVE_LINUX_LANDLOCK
// Prevent the process from gaining new privileges. The return // Prevent the process from gaining new privileges. The return
// is ignored to keep compatibility with old kernels. // is ignored to keep compatibility with old kernels.
(void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);