Commit
c2c1e253
authored
Feb 22, 2018
by
Ondřej Surý
Remove libseccomp based system-call filtering.
parent
01d41d5b
Changes
9
bin/named/include/named/seccomp.h
deleted
100644 → 0
/*
* Copyright (C) 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef NAMED_SECCOMP_H
#define NAMED_SECCOMP_H 1
/*! \file */
#ifdef HAVE_LIBSECCOMP
#include
<sys/types.h>
#include
<sys/resource.h>
#include
<unistd.h>
#include
<seccomp.h>
#include
<isc/platform.h>
/*%
* For each architecture, the scmp_syscalls and
* scmp_syscall_names arrays MUST be kept in sync.
*/
#ifdef __x86_64__
int
scmp_syscalls
[]
=
{
SCMP_SYS
(
access
),
SCMP_SYS
(
open
),
SCMP_SYS
(
openat
),
SCMP_SYS
(
lseek
),
SCMP_SYS
(
clock_gettime
),
SCMP_SYS
(
time
),
SCMP_SYS
(
read
),
SCMP_SYS
(
write
),
SCMP_SYS
(
close
),
SCMP_SYS
(
brk
),
SCMP_SYS
(
poll
),
SCMP_SYS
(
select
),
SCMP_SYS
(
madvise
),
SCMP_SYS
(
mmap
),
SCMP_SYS
(
munmap
),
SCMP_SYS
(
exit_group
),
SCMP_SYS
(
rt_sigprocmask
),
SCMP_SYS
(
rt_sigaction
),
SCMP_SYS
(
fsync
),
SCMP_SYS
(
rt_sigreturn
),
SCMP_SYS
(
setsid
),
SCMP_SYS
(
chdir
),
SCMP_SYS
(
futex
),
SCMP_SYS
(
stat
),
SCMP_SYS
(
rt_sigsuspend
),
SCMP_SYS
(
fstat
),
SCMP_SYS
(
epoll_ctl
),
SCMP_SYS
(
gettimeofday
),
SCMP_SYS
(
getpid
),
#ifdef HAVE_GETRANDOM
SCMP_SYS
(
getrandom
),
#endif
SCMP_SYS
(
rename
),
SCMP_SYS
(
unlink
),
SCMP_SYS
(
socket
),
SCMP_SYS
(
sendto
),
#ifndef ISC_PLATFORM_USETHREADS
SCMP_SYS
(
bind
),
SCMP_SYS
(
accept
),
SCMP_SYS
(
connect
),
SCMP_SYS
(
listen
),
SCMP_SYS
(
fcntl
),
SCMP_SYS
(
sendmsg
),
SCMP_SYS
(
recvmsg
),
SCMP_SYS
(
uname
),
SCMP_SYS
(
setrlimit
),
SCMP_SYS
(
getrlimit
),
SCMP_SYS
(
setsockopt
),
SCMP_SYS
(
getsockopt
),
SCMP_SYS
(
getsockname
),
SCMP_SYS
(
lstat
),
SCMP_SYS
(
getgid
),
SCMP_SYS
(
getegid
),
SCMP_SYS
(
getuid
),
SCMP_SYS
(
geteuid
),
SCMP_SYS
(
setresgid
),
SCMP_SYS
(
setresuid
),
SCMP_SYS
(
setgid
),
SCMP_SYS
(
setuid
),
SCMP_SYS
(
prctl
),
SCMP_SYS
(
epoll_wait
),
SCMP_SYS
(
getdents
),
SCMP_SYS
(
utimes
),
SCMP_SYS
(
dup
),
#endif
};
const
char
*
scmp_syscall_names
[]
=
{
"access"
,
"open"
,
"openat"
,
"lseek"
,
"clock_gettime"
,
"time"
,
"read"
,
"write"
,
"close"
,
"brk"
,
"poll"
,
"select"
,
"madvise"
,
"mmap"
,
"munmap"
,
"exit_group"
,
"rt_sigprocmask"
,
"rt_sigaction"
,
"fsync"
,
"rt_sigreturn"
,
"setsid"
,
"chdir"
,
"futex"
,
"stat"
,
"rt_sigsuspend"
,
"fstat"
,
"epoll_ctl"
,
"gettimeofday"
,
"getpid"
,
#ifdef HAVE_GETRANDOM
"getrandom"
,
#endif
"rename"
,
"unlink"
,
"socket"
,
"sendto"
,
#ifndef ISC_PLATFORM_USETHREADS
"bind"
,
"accept"
,
"connect"
,
"listen"
,
"fcntl"
,
"sendmsg"
,
"recvmsg"
,
"uname"
,
"setrlimit"
,
"getrlimit"
,
"setsockopt"
,
"getsockopt"
,
"getsockname"
,
"lstat"
,
"getgid"
,
"getegid"
,
"getuid"
,
"geteuid"
,
"setresgid"
,
"setresuid"
,
"setgid"
,
"setuid"
,
"prctl"
,
"epoll_wait"
,
"getdents"
,
"utimes"
,
"dup"
,
#endif
};
#endif
/* __x86_64__ */
#ifdef __i386__
int
scmp_syscalls
[]
=
{
SCMP_SYS
(
access
),
SCMP_SYS
(
open
),
SCMP_SYS
(
clock_gettime
),
SCMP_SYS
(
time
),
SCMP_SYS
(
read
),
SCMP_SYS
(
write
),
SCMP_SYS
(
close
),
SCMP_SYS
(
brk
),
SCMP_SYS
(
poll
),
SCMP_SYS
(
_newselect
),
SCMP_SYS
(
select
),
SCMP_SYS
(
madvise
),
SCMP_SYS
(
mmap2
),
SCMP_SYS
(
mmap
),
SCMP_SYS
(
munmap
),
SCMP_SYS
(
exit_group
),
SCMP_SYS
(
rt_sigprocmask
),
SCMP_SYS
(
sigprocmask
),
SCMP_SYS
(
rt_sigaction
),
SCMP_SYS
(
socketcall
),
SCMP_SYS
(
fsync
),
SCMP_SYS
(
sigreturn
),
SCMP_SYS
(
setsid
),
SCMP_SYS
(
chdir
),
SCMP_SYS
(
futex
),
SCMP_SYS
(
stat64
),
SCMP_SYS
(
rt_sigsuspend
),
SCMP_SYS
(
fstat64
),
SCMP_SYS
(
epoll_ctl
),
SCMP_SYS
(
gettimeofday
),
SCMP_SYS
(
getpid
),
#ifdef HAVE_GETRANDOM
SCMP_SYS
(
getrandom
),
#endif
SCMP_SYS
(
unlink
),
#ifndef ISC_PLATFORM_USETHREADS
SCMP_SYS
(
fcntl64
),
#endif
};
const
char
*
scmp_syscall_names
[]
=
{
"access"
,
"open"
,
"clock_gettime"
,
"time"
,
"read"
,
"write"
,
"close"
,
"brk"
,
"poll"
,
"_newselect"
,
"select"
,
"madvise"
,
"mmap2"
,
"mmap"
,
"munmap"
,
"exit_group"
,
"rt_sigprocmask"
,
"sigprocmask"
,
"rt_sigaction"
,
"socketcall"
,
"fsync"
,
"sigreturn"
,
"setsid"
,
"chdir"
,
"futex"
,
"stat64"
,
"rt_sigsuspend"
,
"fstat64"
,
"epoll_ctl"
,
"gettimeofday"
,
"getpid"
,
#ifdef HAVE_GETRANDOM
"getrandom"
,
#endif
"unlink"
,
#ifndef ISC_PLATFORM_USETHREADS
"fcntl64"
,
#endif
};
#endif
/* __i386__ */
#endif
/* HAVE_LIBSECCOMP */
#endif
/* NAMED_SECCOMP_H */
bin/named/main.c
...
...
@@ -69,7 +69,6 @@
#include
<named/os.h>
#include
<named/server.h>
#include
<named/main.h>
#include
<named/seccomp.h>
#ifdef HAVE_LIBSCF
#include
<named/smf_globals.h>
#endif
...
...
@@ -908,60 +907,6 @@ dump_symboltable(void) {
}
}
#ifdef HAVE_LIBSECCOMP
static
void
setup_seccomp
()
{
scmp_filter_ctx
ctx
;
unsigned
int
i
;
int
ret
;
/* Make sure the lists are in sync */
INSIST
((
sizeof
(
scmp_syscalls
)
/
sizeof
(
int
))
==
(
sizeof
(
scmp_syscall_names
)
/
sizeof
(
const
char
*
)));
ctx
=
seccomp_init
(
SCMP_ACT_KILL
);
if
(
ctx
==
NULL
)
{
isc_log_write
(
named_g_lctx
,
NAMED_LOGCATEGORY_GENERAL
,
NAMED_LOGMODULE_MAIN
,
ISC_LOG_WARNING
,
"libseccomp activation failed"
);
return
;
}
for
(
i
=
0
;
i
<
sizeof
(
scmp_syscalls
)
/
sizeof
(
*
(
scmp_syscalls
));
i
++
)
{
ret
=
seccomp_rule_add
(
ctx
,
SCMP_ACT_ALLOW
,
scmp_syscalls
[
i
],
0
);
if
(
ret
<
0
)
isc_log_write
(
named_g_lctx
,
NAMED_LOGCATEGORY_GENERAL
,
NAMED_LOGMODULE_MAIN
,
ISC_LOG_WARNING
,
"libseccomp rule failed: %s"
,
scmp_syscall_names
[
i
]);
else
isc_log_write
(
named_g_lctx
,
NAMED_LOGCATEGORY_GENERAL
,
NAMED_LOGMODULE_MAIN
,
ISC_LOG_DEBUG
(
9
),
"added libseccomp rule: %s"
,
scmp_syscall_names
[
i
]);
}
ret
=
seccomp_load
(
ctx
);
if
(
ret
<
0
)
{
isc_log_write
(
named_g_lctx
,
NAMED_LOGCATEGORY_GENERAL
,
NAMED_LOGMODULE_MAIN
,
ISC_LOG_WARNING
,
"libseccomp unable to load filter"
);
}
else
{
isc_log_write
(
named_g_lctx
,
NAMED_LOGCATEGORY_GENERAL
,
NAMED_LOGMODULE_MAIN
,
ISC_LOG_NOTICE
,
"libseccomp sandboxing active"
);
}
/*
* Release filter in ctx. Filters already loaded are not
* affected.
*/
seccomp_release
(
ctx
);
}
#endif
/* HAVE_LIBSECCOMP */
static
void
setup
(
void
)
{
isc_result_t
result
;
...
...
@@ -1219,9 +1164,6 @@ setup(void) {
named_g_server
->
sctx
->
delay
=
delay
;
#ifdef HAVE_LIBSECCOMP
setup_seccomp
();
#endif
/* HAVE_LIBSECCOMP */
}
static
void
...
...
bin/named/win32/named.vcxproj.filters.in
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<Project
ToolsVersion=
"4.0"
xmlns=
"http://schemas.microsoft.com/developer/msbuild/2003"
>
<ItemGroup>
<Filter
Include=
"Source Files"
>
...
...
@@ -99,9 +99,6 @@
<ClInclude
Include=
"..\include\named\main.h"
>
<Filter>
Header Files
</Filter>
</ClInclude>
<ClInclude
Include=
"..\include\named\seccomp.h"
>
<Filter>
Header Files
</Filter>
</ClInclude>
<ClInclude
Include=
"..\include\named\server.h"
>
<Filter>
Header Files
</Filter>
</ClInclude>
...
...
bin/named/win32/named.vcxproj.in
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<Project
DefaultTargets=
"Build"
ToolsVersion=
"4.0"
xmlns=
"http://schemas.microsoft.com/developer/msbuild/2003"
>
<ItemGroup
Label=
"ProjectConfigurations"
>
<ProjectConfiguration
Include=
"Debug|@PLATFORM@"
>
...
...
@@ -132,7 +132,6 @@
<ClInclude
Include=
"..\include\named\log.h"
/>
<ClInclude
Include=
"..\include\named\logconf.h"
/>
<ClInclude
Include=
"..\include\named\main.h"
/>
<ClInclude
Include=
"..\include\named\seccomp.h"
/>
<ClInclude
Include=
"..\include\named\server.h"
/>
<ClInclude
Include=
"..\include\named\statschannel.h"
/>
<ClInclude
Include=
"..\include\named\tkeyconf.h"
/>
...
...
config.h.in
...
...
@@ -325,9 +325,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `scf' library (-lscf). */
#undef HAVE_LIBSCF
/* Define to use libseccomp system call filtering. */
#undef HAVE_LIBSECCOMP
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET
...
...
configure
...
...
@@ -989,7 +989,6 @@ enable_warn_shadow
enable_warn_error
enable_developer
enable_afl
enable_seccomp
with_python
with_python_install_dir
enable_kqueue
...
...
@@ -1699,8 +1698,6 @@ Optional Features:
--enable-warn-error turn on -Werror when compiling
--enable-developer enable developer build settings
--enable-afl enable American Fuzzy Lop test harness [default=no]
--enable-seccomp enable support for libseccomp system call filtering
[default=no]
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
...
...
@@ -12014,8 +12011,6 @@ yes)
;;
esac
#libseccomp sandboxing
for ac_func in getrandom
do :
ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
...
...
@@ -12027,141 +12022,6 @@ _ACEOF
fi
done
# Check whether --enable-seccomp was given.
if test "${enable_seccomp+set}" = set; then :
enableval=$enable_seccomp;
fi
case "$enable_seccomp" in
yes)
case $host_os in
linux*)
;;
*)
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&5
$as_echo "$as_me: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&2;}
enable_seccomp=no
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing seccomp_init" >&5
$as_echo_n "checking for library containing seccomp_init... " >&6; }
if ${ac_cv_search_seccomp_init+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char seccomp_init ();
int
main ()
{
return seccomp_init ();
;
return 0;
}
_ACEOF
for ac_lib in '' seccomp; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search_seccomp_init=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search_seccomp_init+:} false; then :
break
fi
done
if ${ac_cv_search_seccomp_init+:} false; then :
else
ac_cv_search_seccomp_init=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_seccomp_init" >&5
$as_echo "$ac_cv_search_seccomp_init" >&6; }
ac_res=$ac_cv_search_seccomp_init
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
if test "$cross_compiling" = yes; then :
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot run test program while cross compiling
See \`config.log' for more details" "$LINENO" 5; }
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
int main(void)
{
int ret;
ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
if (ret < 0) {
switch (errno) {
case ENOSYS:
return 1;
case EINVAL:
return 1;
default:
return 1;
}
}
ret =
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
if (ret < 0) {
switch (errno) {
case EINVAL:
return 1;
case EFAULT:
return 0;
default:
return 1;
}
}
return 1;
}
_ACEOF
if ac_fn_c_try_run "$LINENO"; then :
$as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
fi
;;
*)
;;
esac
#
# Make very sure that these are the first files processed by
...
...
@@ -26725,8 +26585,6 @@ report() {
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
echo " Print backtrace on crash (--enable-backtrace)"
test "minimal" = "$want_symtable" && \
...
...
@@ -26793,8 +26651,6 @@ report() {
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
test "yes" = "$want_querytrace" || \
...
...
configure.in
...
...
@@ -106,71 +106,7 @@ yes)
;;
esac
#libseccomp sandboxing
AC_CHECK_FUNCS(getrandom)
AC_ARG_ENABLE(seccomp,
AS_HELP_STRING([--enable-seccomp],
[enable support for libseccomp system call
filtering [default=no]]))
case "$enable_seccomp" in
yes)
case $host_os in
linux*)
;;
*)
AC_MSG_WARN([seccomp is not supported on non-linux platforms; disabling it])
enable_seccomp=no
;;
esac
AC_SEARCH_LIBS(seccomp_init, [seccomp])
if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
AC_TRY_RUN([
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
int main(void)
{
int ret;
ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
if (ret < 0) {
switch (errno) {
case ENOSYS:
return 1;
case EINVAL:
return 1;
default:
return 1;
}
}
ret =
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
if (ret < 0) {
switch (errno) {
case EINVAL:
return 1;
case EFAULT:
return 0;
default:
return 1;
}
}
return 1;
}
]
, AC_DEFINE([HAVE_LIBSECCOMP], 1,
[Define to use libseccomp system call filtering.])
, []
)
fi
;;
*)
;;
esac
#
# Make very sure that these are the first files processed by
...
...
@@ -5580,8 +5516,6 @@ report() {
echo " DNS Response Policy Service interface (--enable-dnsrps)"
test "yes" = "$enable_fixed" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "yes" = "$enable_seccomp" && \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" && \
echo " Print backtrace on crash (--enable-backtrace)"
test "minimal" = "$want_symtable" && \
...
...
@@ -5648,8 +5582,6 @@ report() {
test "yes" = "$want_crypto_rand" || \
echo " Crypto provider entropy source (--enable-crypto-rand)"
test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)"
test "yes" = "$want_backtrace" || \
echo " Print backtrace on crash (--enable-backtrace)"
test "yes" = "$want_querytrace" || \
...
...
util/copyrights
...
...
@@ -191,7 +191,6 @@
./bin/named/include/named/log.h C 1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017
./bin/named/include/named/logconf.h C 1999,2000,2001,2004,2005,2006,2007,2016,2017
./bin/named/include/named/main.h C 1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017
./bin/named/include/named/seccomp.h C 2014,2016,2017
./bin/named/include/named/server.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017