diff --git a/bin/named/include/named/seccomp.h b/bin/named/include/named/seccomp.h
deleted file mode 100644
index a0490d2e951ea169b4c6c4df6a6a616f6b98665e..0000000000000000000000000000000000000000
--- a/bin/named/include/named/seccomp.h
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * Copyright (C) 2014, 2016, 2017 Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-#ifndef NAMED_SECCOMP_H
-#define NAMED_SECCOMP_H 1
-
-/*! \file */
-
-#ifdef HAVE_LIBSECCOMP
-#include
-#include
-#include
-#include
-#include
-
-/*%
- * For each architecture, the scmp_syscalls and
- * scmp_syscall_names arrays MUST be kept in sync.
- */
-#ifdef __x86_64__
-int scmp_syscalls[] = {
- SCMP_SYS(access),
- SCMP_SYS(open),
- SCMP_SYS(openat),
- SCMP_SYS(lseek),
- SCMP_SYS(clock_gettime),
- SCMP_SYS(time),
- SCMP_SYS(read),
- SCMP_SYS(write),
- SCMP_SYS(close),
- SCMP_SYS(brk),
- SCMP_SYS(poll),
- SCMP_SYS(select),
- SCMP_SYS(madvise),
- SCMP_SYS(mmap),
- SCMP_SYS(munmap),
- SCMP_SYS(exit_group),
- SCMP_SYS(rt_sigprocmask),
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(fsync),
- SCMP_SYS(rt_sigreturn),
- SCMP_SYS(setsid),
- SCMP_SYS(chdir),
- SCMP_SYS(futex),
- SCMP_SYS(stat),
- SCMP_SYS(rt_sigsuspend),
- SCMP_SYS(fstat),
- SCMP_SYS(epoll_ctl),
- SCMP_SYS(gettimeofday),
- SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
- SCMP_SYS(getrandom),
-#endif
- SCMP_SYS(rename),
- SCMP_SYS(unlink),
- SCMP_SYS(socket),
- SCMP_SYS(sendto),
-#ifndef ISC_PLATFORM_USETHREADS
- SCMP_SYS(bind),
- SCMP_SYS(accept),
- SCMP_SYS(connect),
- SCMP_SYS(listen),
- SCMP_SYS(fcntl),
- SCMP_SYS(sendmsg),
- SCMP_SYS(recvmsg),
- SCMP_SYS(uname),
- SCMP_SYS(setrlimit),
- SCMP_SYS(getrlimit),
- SCMP_SYS(setsockopt),
- SCMP_SYS(getsockopt),
- SCMP_SYS(getsockname),
- SCMP_SYS(lstat),
- SCMP_SYS(getgid),
- SCMP_SYS(getegid),
- SCMP_SYS(getuid),
- SCMP_SYS(geteuid),
- SCMP_SYS(setresgid),
- SCMP_SYS(setresuid),
- SCMP_SYS(setgid),
- SCMP_SYS(setuid),
- SCMP_SYS(prctl),
- SCMP_SYS(epoll_wait),
- SCMP_SYS(getdents),
- SCMP_SYS(utimes),
- SCMP_SYS(dup),
-#endif
-};
-const char *scmp_syscall_names[] = {
- "access",
- "open",
- "openat",
- "lseek",
- "clock_gettime",
- "time",
- "read",
- "write",
- "close",
- "brk",
- "poll",
- "select",
- "madvise",
- "mmap",
- "munmap",
- "exit_group",
- "rt_sigprocmask",
- "rt_sigaction",
- "fsync",
- "rt_sigreturn",
- "setsid",
- "chdir",
- "futex",
- "stat",
- "rt_sigsuspend",
- "fstat",
- "epoll_ctl",
- "gettimeofday",
- "getpid",
-#ifdef HAVE_GETRANDOM
- "getrandom",
-#endif
- "rename",
- "unlink",
- "socket",
- "sendto",
-#ifndef ISC_PLATFORM_USETHREADS
- "bind",
- "accept",
- "connect",
- "listen",
- "fcntl",
- "sendmsg",
- "recvmsg",
- "uname",
- "setrlimit",
- "getrlimit",
- "setsockopt",
- "getsockopt",
- "getsockname",
- "lstat",
- "getgid",
- "getegid",
- "getuid",
- "geteuid",
- "setresgid",
- "setresuid",
- "setgid",
- "setuid",
- "prctl",
- "epoll_wait",
- "getdents",
- "utimes",
- "dup",
-#endif
-};
-#endif /* __x86_64__ */
-#ifdef __i386__
-int scmp_syscalls[] = {
- SCMP_SYS(access),
- SCMP_SYS(open),
- SCMP_SYS(clock_gettime),
- SCMP_SYS(time),
- SCMP_SYS(read),
- SCMP_SYS(write),
- SCMP_SYS(close),
- SCMP_SYS(brk),
- SCMP_SYS(poll),
- SCMP_SYS(_newselect),
- SCMP_SYS(select),
- SCMP_SYS(madvise),
- SCMP_SYS(mmap2),
- SCMP_SYS(mmap),
- SCMP_SYS(munmap),
- SCMP_SYS(exit_group),
- SCMP_SYS(rt_sigprocmask),
- SCMP_SYS(sigprocmask),
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(socketcall),
- SCMP_SYS(fsync),
- SCMP_SYS(sigreturn),
- SCMP_SYS(setsid),
- SCMP_SYS(chdir),
- SCMP_SYS(futex),
- SCMP_SYS(stat64),
- SCMP_SYS(rt_sigsuspend),
- SCMP_SYS(fstat64),
- SCMP_SYS(epoll_ctl),
- SCMP_SYS(gettimeofday),
- SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
- SCMP_SYS(getrandom),
-#endif
- SCMP_SYS(unlink),
-#ifndef ISC_PLATFORM_USETHREADS
- SCMP_SYS(fcntl64),
-#endif
-};
-const char *scmp_syscall_names[] = {
- "access",
- "open",
- "clock_gettime",
- "time",
- "read",
- "write",
- "close",
- "brk",
- "poll",
- "_newselect",
- "select",
- "madvise",
- "mmap2",
- "mmap",
- "munmap",
- "exit_group",
- "rt_sigprocmask",
- "sigprocmask",
- "rt_sigaction",
- "socketcall",
- "fsync",
- "sigreturn",
- "setsid",
- "chdir",
- "futex",
- "stat64",
- "rt_sigsuspend",
- "fstat64",
- "epoll_ctl",
- "gettimeofday",
- "getpid",
-#ifdef HAVE_GETRANDOM
- "getrandom",
-#endif
- "unlink",
-#ifndef ISC_PLATFORM_USETHREADS
- "fcntl64",
-#endif
-};
-#endif /* __i386__ */
-#endif /* HAVE_LIBSECCOMP */
-
-#endif /* NAMED_SECCOMP_H */
diff --git a/bin/named/main.c b/bin/named/main.c
index 4fb056636dd29c3ccf021ddb272b1e916baaace9..30c8263d002cc71f483654ffddc9ad4c43f69444 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -69,7 +69,6 @@
 #include
 #include
 #include
-#include
 #ifdef HAVE_LIBSCF
 #include
 #endif
@@ -908,60 +907,6 @@ dump_symboltable(void) {
 }
 }
-#ifdef HAVE_LIBSECCOMP
-static void
-setup_seccomp() {
- scmp_filter_ctx ctx;
- unsigned int i;
- int ret;
-
- /* Make sure the lists are in sync */
- INSIST((sizeof(scmp_syscalls) / sizeof(int)) ==
- (sizeof(scmp_syscall_names) / sizeof(const char *)));
-
- ctx = seccomp_init(SCMP_ACT_KILL);
- if (ctx == NULL) {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
- "libseccomp activation failed");
- return;
- }
-
- for (i = 0 ; i < sizeof(scmp_syscalls)/sizeof(*(scmp_syscalls)); i++) {
- ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
- scmp_syscalls[i], 0);
- if (ret < 0)
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
- "libseccomp rule failed: %s",
- scmp_syscall_names[i]);
-
- else
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(9),
- "added libseccomp rule: %s",
- scmp_syscall_names[i]);
- }
-
- ret = seccomp_load(ctx);
- if (ret < 0) {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
- "libseccomp unable to load filter");
- } else {
- isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
- "libseccomp sandboxing active");
- }
-
- /*
- * Release filter in ctx. Filters already loaded are not
- * affected.
- */
- seccomp_release(ctx);
-}
-#endif /* HAVE_LIBSECCOMP */
-
 static void
 setup(void) {
 isc_result_t result;
@@ -1219,9 +1164,6 @@ setup(void) {
 named_g_server->sctx->delay = delay;
-#ifdef HAVE_LIBSECCOMP
- setup_seccomp();
-#endif /* HAVE_LIBSECCOMP */
 }
 static void
diff --git a/bin/named/win32/named.vcxproj.filters.in b/bin/named/win32/named.vcxproj.filters.in
index 12702e020e135bbd71a1ba2e7eaf09ea4fec278c..60b2ec26ac8cc3c418dfc7c5e56e09aa571df38c 100644
--- a/bin/named/win32/named.vcxproj.filters.in
+++ b/bin/named/win32/named.vcxproj.filters.in
@@ -1,4 +1,4 @@
-
+
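Review bot: Dropping setup_seccomp() here, together with its call in setup() in the second hunk on this line, leaves named with no seccomp syscall filter on the new side and nothing in this diff records that loss — util/copyrights and win32utils/Configure are updated, but no CHANGES entry or doc/ text is visible, so operators who watch for the `libseccomp sandboxing active` notice get no pointer to why it stopped appearing. The configure.in hunk further down removes --enable-seccomp outright, so a build script still passing it only gets autoconf's generic unrecognized-option warning; a stub such as `AC_ARG_ENABLE(seccomp, [], [AC_MSG_WARN([--enable-seccomp has been removed; libseccomp sandboxing is no longer supported])])` would make the removal explicit at configure time. If the commit message already gives the rationale, a one-line CHANGES entry referring to it would be enough; the rest of setup()'s body lies outside the hunk.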
@@ -99,9 +99,6 @@ Header Files - - Header Files - Header Files diff --git a/bin/named/win32/named.vcxproj.in b/bin/named/win32/named.vcxproj.in index e20e544ee537863f4fd8b7620637f65b75bb93a1..6ee57b9497d264ea7364b3e546c4b435971446c8 100644 --- a/bin/named/win32/named.vcxproj.in +++ b/bin/named/win32/named.vcxproj.in @@ -1,4 +1,4 @@ - + @@ -132,7 +132,6 @@ - diff --git a/config.h.in b/config.h.in index ce00214a74a2511f40122bf8d0c1b5ed8fe9fb66..0ce2b02668e37e3406cce8e0ad56536d83ca6861 100644 --- a/config.h.in +++ b/config.h.in @@ -325,9 +325,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `scf' library (-lscf). */ #undef HAVE_LIBSCF -/* Define to use libseccomp system call filtering. */ -#undef HAVE_LIBSECCOMP - /* Define to 1 if you have the `socket' library (-lsocket). */ #undef HAVE_LIBSOCKET diff --git a/configure b/configure index 7a53165026dfac2b78eb8f5cb582a63bc3e6cb1c..af930eaac27049a33ca8cdeb0304dac140173aaf 100755 --- a/configure +++ b/configure @@ -989,7 +989,6 @@ enable_warn_shadow enable_warn_error enable_developer enable_afl -enable_seccomp with_python with_python_install_dir enable_kqueue @@ -1699,8 +1698,6 @@ Optional Features: --enable-warn-error turn on -Werror when compiling --enable-developer enable developer build settings --enable-afl enable American Fuzzy Lop test harness [default=no] - --enable-seccomp enable support for libseccomp system call filtering - [default=no] --enable-kqueue use BSD kqueue when available [default=yes] --enable-epoll use Linux epoll when available [default=auto] --enable-devpoll use /dev/poll when available [default=yes] @@ -12014,8 +12011,6 @@ yes) ;; esac - -#libseccomp sandboxing for ac_func in getrandom do : ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom" 
@@ -12027,141 +12022,6 @@ _ACEOF fi done -# Check whether --enable-seccomp was given. -if test "${enable_seccomp+set}" = set; then : - enableval=$enable_seccomp; -fi - -case "$enable_seccomp" in - yes) - case $host_os in - linux*) - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&5 -$as_echo "$as_me: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&2;} - enable_seccomp=no - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing seccomp_init" >&5 -$as_echo_n "checking for library containing seccomp_init... " >&6; } -if ${ac_cv_search_seccomp_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char seccomp_init (); -int -main () -{ -return seccomp_init (); - ; - return 0; -} -_ACEOF -for ac_lib in '' seccomp; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_seccomp_init=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_seccomp_init+:} false; then : - break -fi -done -if ${ac_cv_search_seccomp_init+:} false; then : - -else - ac_cv_search_seccomp_init=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_seccomp_init" >&5 -$as_echo "$ac_cv_search_seccomp_init" >&6; } -ac_res=$ac_cv_search_seccomp_init -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -fi - - if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then - if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - - #include - #include - #include - #include - #include - - int main(void) - { - int ret; - - ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); - if (ret < 0) { - switch (errno) { - case ENOSYS: - return 1; - case EINVAL: - return 1; - default: - return 1; - } - } - ret = - prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); - if (ret < 0) { - switch (errno) { - case EINVAL: - return 1; - case EFAULT: - return 0; - default: - return 1; - } - } - return 1; - } - - -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - -$as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h - - -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - fi - ;; - *) - ;; -esac # # Make very sure that these are the first files processed by @@ -26725,8 +26585,6 @@ report() { echo " DNS Response Policy Service interface (--enable-dnsrps)" test "yes" = "$enable_fixed" && \ echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)" - test "yes" = "$enable_seccomp" && \ - echo " Use libseccomp system call filtering (--enable-seccomp)" test "yes" = "$want_backtrace" && \ echo " Print backtrace on crash (--enable-backtrace)" test "minimal" = "$want_symtable" && \ @@ -26793,8 +26651,6 @@ report() { test "yes" = "$want_crypto_rand" || \ echo " Crypto provider entropy source (--enable-crypto-rand)" - test "yes" = "$enable_seccomp" || \ - echo " Use libseccomp system call filtering (--enable-seccomp)" test "yes" = "$want_backtrace" || \ echo " Print backtrace on crash (--enable-backtrace)" test "yes" = "$want_querytrace" || \ diff --git a/configure.in b/configure.in index 52d922b226eeec50b70690569e58b17c2026646e..89be2a4a86d96a8de89aae763053f209c5606e36 100644 --- a/configure.in +++ b/configure.in 
@@ -106,71 +106,7 @@ yes)
 ;;
 esac
-
-#libseccomp sandboxing
 AC_CHECK_FUNCS(getrandom)
-AC_ARG_ENABLE(seccomp,
- AS_HELP_STRING([--enable-seccomp],
- [enable support for libseccomp system call
- filtering [default=no]]))
-case "$enable_seccomp" in
- yes)
- case $host_os in
- linux*)
- ;;
- *)
- AC_MSG_WARN([seccomp is not supported on non-linux platforms; disabling it])
- enable_seccomp=no
- ;;
- esac
- AC_SEARCH_LIBS(seccomp_init, [seccomp])
- if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
- AC_TRY_RUN([
- #include
- #include
- #include
- #include
- #include
-
- int main(void)
- {
- int ret;
-
- ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
- if (ret < 0) {
- switch (errno) {
- case ENOSYS:
- return 1;
- case EINVAL:
- return 1;
- default:
- return 1;
- }
- }
- ret =
- prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
- if (ret < 0) {
- switch (errno) {
- case EINVAL:
- return 1;
- case EFAULT:
- return 0;
- default:
- return 1;
- }
- }
- return 1;
- }
- ]
- , AC_DEFINE([HAVE_LIBSECCOMP], 1,
- [Define to use libseccomp system call filtering.])
- , []
- )
- fi
- ;;
- *)
- ;;
-esac
 #
 # Make very sure that these are the first files processed by
@@ -5580,8 +5516,6 @@ report() {
 echo " DNS Response Policy Service interface (--enable-dnsrps)"
 test "yes" = "$enable_fixed" && \
 echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
- test "yes" = "$enable_seccomp" && \
- echo " Use libseccomp system call filtering (--enable-seccomp)"
 test "yes" = "$want_backtrace" && \
 echo " Print backtrace on crash (--enable-backtrace)"
 test "minimal" = "$want_symtable" && \
@@ -5648,8 +5582,6 @@ report() {
 test "yes" = "$want_crypto_rand" || \
 echo " Crypto provider entropy source (--enable-crypto-rand)"
- test "yes" = "$enable_seccomp" || \
- echo " Use libseccomp system call filtering (--enable-seccomp)"
 test "yes" = "$want_backtrace" || \
 echo " Print backtrace on crash (--enable-backtrace)"
 test "yes" = "$want_querytrace" || \
diff --git a/util/copyrights b/util/copyrights
index ff45e46b565ecd4ccbb0feb79c98f346d2fe198e..2f7b39bc16831aec3b9f40375da9b458c302f552 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -191,7 +191,6 @@
 ./bin/named/include/named/log.h C 1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017
 ./bin/named/include/named/logconf.h C 1999,2000,2001,2004,2005,2006,2007,2016,2017
 ./bin/named/include/named/main.h C 1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017
-./bin/named/include/named/seccomp.h C 2014,2016,2017
 ./bin/named/include/named/server.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017
 ./bin/named/include/named/smf_globals.h C 2017
 ./bin/named/include/named/statschannel.h C 2008,2016,2017
diff --git a/win32utils/Configure b/win32utils/Configure
index 771a8c0ba42a1e9506855ab0c8732c96c5fbe9a6..35c9593c1a6be35fe70844ac1d45edb12f1d61dd 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -3445,7 +3445,6 @@ exit 0;
 # --disable-rpz-nsdname supported
 # --enable-full-report supported by verbose
 # --enable-dnstap not supported (requires libfstrm support on WIN32)
-# --enable-seccomp not supported (Linux specific)
 # --enable-afl not supported (not yet available on Visual Studio C++)
 # --with-python supported
 # --with-openssl supported