[ntpsec commit] Set up autoconfiguration of seccomp sandboxing *almost* completely...
Eric S. Raymond
esr at ntpsec.org
Wed Sep 30 10:14:54 UTC 2015
Module: ntpsec
Branch: master
Commit: 97cd179e0da3b149c80f06377e2526096035d846
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=97cd179e0da3b149c80f06377e2526096035d846
Author: Eric S. Raymond <esr at thyrsus.com>
Date: Wed Sep 30 06:11:20 2015 -0400
Set up autoconfiguration of seccomp sandboxing *almost* completely...
...it fails to build due to some confusion in the Linux headers, at
least under Ubuntu 14. Once we have that sorted, the header check can
be uncommented.
---
devel-docs/TODO | 28 ++++++++++++++++------------
ntpd/ntpd.c | 10 ++++++++--
pylib/configure.py | 1 +
3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/devel-docs/TODO b/devel-docs/TODO
index 9666d3d..a0c8aa0 100644
--- a/devel-docs/TODO
+++ b/devel-docs/TODO
@@ -6,7 +6,6 @@
None right now. (Sep-22 2015)
-
=== Build system ===
* Document build files.
@@ -33,17 +32,6 @@ with extension *.txt.in.
be thrown out. Some (such as ntptrace) need to be translated into Python
and supported.
-Hal:
-> I think there is some interaction between when the ACTS driver calls and the
-> state of other stuff, like the connection to the net. This is probably a
-> good candidate to get cleaned up.
->
-> There is another possible tangle in this area. If you set "noselect" on the
-> server line in the config file, ntpd goes through all the action of
-> collecting the data and writing log files, but then drops the clock. I don't
-> know things well enough to be sure that this sort of logic won't pick one
-> back up.
-
=== Porting ===
* The ntpd initialization sequence is still full of platform-
@@ -135,6 +123,22 @@ reviewed, and if necessary fixed.
* We need a release checklist.
+== After first release ==
+
+* seccomp sandboxing fails to build under Ubuntu due to some confusion
+ in the Linux headers. Investigate.
+
+Hal:
+> I think there is some interaction between when the ACTS driver calls and the
+> state of other stuff, like the connection to the net. This is probably a
+> good candidate to get cleaned up.
+>
+> There is another possible tangle in this area. If you set "noselect" on the
+> server line in the config file, ntpd goes through all the action of
+> collecting the data and writing log files, but then drops the clock. I don't
+> know things well enough to be sure that this sort of logic won't pick one
+> back up.
+
== Old, sometime ancient stuff ==
*** IF YOU CAN HELP FIX ANY OF THESE THINGS, PLEASE DO! ***
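Review bot: the new "After first release" entry records only "some confusion in the Linux headers", which is not enough for someone else to pick this up later; capture the concrete symptom now (which header, the compiler error text, and the distro release, the commit message says Ubuntu 14) while it is still in front of you. The entry should also state that the seccomp block in ntpd/ntpd.c is compiled out on every platform until the header check in pylib/configure.py is restored, otherwise a reader of this TODO will assume the sandbox is currently active.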
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index 7159ccd..fa19f05 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -69,6 +69,12 @@
# endif /* HAVE_PRIV_H */
#endif /* ENABLE_DROPROOT */
+#ifdef HAVE_LINUX_SECCOMP_H
+# include <linux/seccomp.h>
+# include <linux/filter.h>
+# include <linux/audit.h>
+#endif /* HAVE_LINUX_SECCOMP_H */
+
#if defined(HAVE_DNS_SD_H) && defined(ENABLE_MDNS_REGISTRATION)
# include <dns_sd.h>
DNSServiceRef mdns;
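Review bot: the include set under HAVE_LINUX_SECCOMP_H does not match the API the sandbox block below actually uses. That block declares a scmp_filter_ctx and calls seccomp_init() and seccomp_load(), all of which are declared in libseccomp's own header, <seccomp.h>, not in the kernel UAPI headers <linux/seccomp.h>, <linux/filter.h> and <linux/audit.h>, which only provide the raw prctl/BPF constants and structs. Unless <seccomp.h> is pulled in elsewhere, the block will fail to compile as soon as HAVE_LINUX_SECCOMP_H is defined; add `# include <seccomp.h>` under this guard and make sure the link step adds -lseccomp. <linux/filter.h> and <linux/audit.h> can be dropped if nothing in the file builds a raw BPF program.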
@@ -1161,7 +1167,7 @@ getgroup:
# endif /* ENABLE_DROPROOT */
/* libssecomp sandboxing */
-#if defined (LIBSECCOMP) && (KERN_SECCOMP)
+#if defined(HAVE_LINUX_SECCOMP_H) && (defined(__x86_64__) || defined(__i386__))
scmp_filter_ctx ctx;
if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
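Review bot: swapping `defined (LIBSECCOMP) && (KERN_SECCOMP)` for a kernel-header test plus an x86-only architecture test changes the meaning of the guard in two ways. The presence of <linux/seccomp.h> says nothing about whether libseccomp, which provides seccomp_init(), is installed, so the new condition no longer protects against exactly the build that this commit reports as broken; the probe should be for libseccomp's header or a link test against the library. And the explicit `__x86_64__ || __i386__` test silently disables the sandbox on every other Linux architecture that libseccomp supports (ARM, AArch64, ...); if that is deliberate because the scmp_sc[] syscall list below is x86-specific, say so in a comment, otherwise drop the test. While in this region: `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` compares a scmp_filter_ctx, which is a pointer, with 0; seccomp_init() returns NULL on failure, so this should read `if ((ctx = seccomp_init(SCMP_ACT_KILL)) == NULL)`. The comment two lines up also misspells the library as "libssecomp".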
@@ -1262,7 +1268,7 @@ int scmp_sc[] = {
else {
msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
}
-#endif /* LIBSECCOMP and KERN_SECCOMP */
+#endif /* HAVE_LINUX_SECCOMP_H */
# ifdef HAVE_IO_COMPLETION_PORT
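Review bot: the updated `#endif` comment names only HAVE_LINUX_SECCOMP_H, while the matching `#if` about a hundred lines up also tests `__x86_64__ || __i386__`; make the two comments read the same so someone landing at the bottom of the block knows the architecture restriction exists.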
diff --git a/pylib/configure.py b/pylib/configure.py
index b43cd07..db8ce16 100644
--- a/pylib/configure.py
+++ b/pylib/configure.py
@@ -226,6 +226,7 @@ def cmd_configure(ctx):
"linux/if_addr.h",
"linux/rtnetlink.h",
"linux/serial.h",
+ #"linux/seccomp.h", - Doesn't build yet, investigate
"machine/soundcard.h",
"netinet/in_systm.h",
"md5.h",
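Review bot: with this entry commented out nothing ever defines HAVE_LINUX_SECCOMP_H, so the `#if defined(HAVE_LINUX_SECCOMP_H) ...` block introduced in ntpd/ntpd.c by this same commit is dead code in every build, and the note `- Doesn't build yet, investigate` sits inside a Python list literal where it is easy to overlook. Move it to a `# TODO:` line above the entry and record what actually failed (the compiler error and the header involved, the commit message says Ubuntu 14) so the follow-up is actionable. Separately from the build failure, the header that tells the build whether the sandbox code can compile is libseccomp's `seccomp.h`, not the kernel's `linux/seccomp.h`; a check for the library header, or better a link test for -lseccomp, is what the ntpd.c code needs.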