[Git][NTPsec/ntpsec][master] If seccomp was requested but can't be found during configure, fail.
Matt Selsky
gitlab at mg.gitlab.com
Tue May 16 06:17:12 UTC 2017
Matt Selsky pushed to branch master at NTPsec / ntpsec
Commits:
d22805a5 by Matt Selsky at 2017-05-16T02:09:21-04:00
If seccomp was requested but can't be found during configure, fail.
Also, consolidate on one symbol for whether seccomp is enabled in config.h
(HAVE_SECCOMP_H)
- - - - -
4 changed files:
- devel/ifdex-ignores
- ntpd/ntp_sandbox.c
- − wafhelpers/check_seccomp.py
- wscript
Changes:
=====================================
devel/ifdex-ignores
=====================================
--- a/devel/ifdex-ignores
+++ b/devel/ifdex-ignores
@@ -62,13 +62,11 @@ LIBRESSL_VERSION_NUMBER
# Things WAF sets that don't get #undefs if they're not set
ENABLE_EARLY_DROPROOT
ENABLE_LEAP_SMEAR
-ENABLE_SECCOMP
ENABLE_DEBUG_TIMING
ENABLE_LOCKCLOCK
ENABLE_MDNS_REGISTRATION
ENABLE_MSSNTP
HAVE_LINUX_CAPABILITY
-HAVE_SECCOMP
HAVE_SECCOMP_H
HAVE_SOLARIS_PRIVS
ISC_PLATFORM_NORETURN_POST
=====================================
ntpd/ntp_sandbox.c
=====================================
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -34,7 +34,7 @@ static priv_set_t *highprivs = NULL;
#ifdef HAVE_SECCOMP_H
# include <seccomp.h>
-#endif /* HAVE_SECCOMP_H */
+#endif
#ifdef ENABLE_DROPROOT
static bool root_dropped;
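Review bot: The `#endif` closing the `#include <seccomp.h>` guard loses its trailing `/* HAVE_SECCOMP_H */` comment here, while the two `#endif`s this same commit rewrites further down (after `return nonroot;` and after `catchTrap`) keep it, so the file ends up with both styles for the same guard symbol. Keeping the comment is free and helps once the guarded span grows; `#endif /* HAVE_SECCOMP_H */`. Blank lines appear to have been stripped from the hunk by the mailing-list rendering, which is why the visible line count is below the `@@` header's.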
@@ -48,11 +48,9 @@ static struct passwd *pw;
#include "ntp_syslog.h"
#include "ntp_stdlib.h"
-#ifdef ENABLE_SECCOMP
-#ifdef HAVE_SECCOMP
+#ifdef HAVE_SECCOMP_H
static void catchTrap(int sig);
#endif
-#endif
bool sandbox(const bool droproot,
char *user, const char *group,
@@ -265,11 +263,10 @@ getgroup:
} /* if (droproot) */
# endif /* ENABLE_DROPROOT */
-#ifdef ENABLE_SECCOMP
/* libssecomp sandboxing */
// Working on ARM
-// #if defined(HAVE_SECCOMP) && (defined(__x86_64__) || defined(__i386__))
-#if defined(HAVE_SECCOMP)
+// #if defined(__x86_64__) || defined(__i386__)
+#if defined(HAVE_SECCOMP_H)
#ifdef ENABLE_KILL_ON_TRAP
#define MY_SCMP_ACT SCMP_ACT_KILL
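Review bot: The commented-out `// #if defined(__x86_64__) || defined(__i386__)` line is dead code that the commit edits rather than removes, so a reader cannot tell whether the architecture restriction is meant to return or is gone for good. Either delete it or replace it and the `// Working on ARM` line with one comment that records the decision, e.g. `/* No architecture guard: the syscall list below is used as-is on x86, x86_64 and ARM. */` — the ARM claim is taken from the existing comment, so confirm it still holds before stating it. Note that with the new single guard the seccomp filter is compiled in whenever `HAVE_SECCOMP_H` is defined, which is the fail-closed direction (a missing library now breaks the link rather than silently dropping the sandbox); that is worth a sentence in the comment as well. The enclosing `sandbox()` body starts and ends outside this hunk.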
@@ -418,14 +415,12 @@ int scmp_sc[] = {
else {
msyslog(LOG_DEBUG, "sandbox: seccomp_load() succeeded");
}
-#endif /* HAVE_SECCOMP */
-#endif /* ENABLE_SECCOMP */
+#endif /* HAVE_SECCOMP_H */
return nonroot;
}
-#ifdef ENABLE_SECCOMP
-#ifdef HAVE_SECCOMP
+#ifdef HAVE_SECCOMP_H
/*
* catchTrap - get here if something missing from list above
* (or a bad guy finds a way in)
@@ -451,8 +446,7 @@ static void catchTrap(int sig)
msyslog(LOG_ERR, "SIGSYS: got a trap. Probably seccomp omission. Bailing.");
exit(1);
}
-#endif /* HAVE_SECCOMP */
-#endif /* ENABLE_SECCOMP */
+#endif /* HAVE_SECCOMP_H */
/* end */
=====================================
wafhelpers/check_seccomp.py deleted
=====================================
--- a/wafhelpers/check_seccomp.py
+++ /dev/null
@@ -1,20 +0,0 @@
-from waflib.Logs import pprint
-
-
-def check_seccomp(ctx):
-
- if not ctx.options.enable_seccomp:
- return
- if ctx.env.DEST_OS != "linux":
- pprint("RED", "Warning --enable-seccomp only works on Linux")
- return
-
- ctx.check_cc(header_name="seccomp.h", mandatory=False)
- ctx.check_cc(lib="seccomp", comment="seccomp library", mandatory=False)
-
- if ctx.get_define("HAVE_SECCOMP_H") and ctx.env.LIB_SECCOMP:
- ctx.define("HAVE_SECCOMP", 1)
- else:
- pprint("RED", "Warning --enable-seccomp needs libseccomp and headers")
- pprint("RED", "Fedora needs libseccomp-devel")
- pprint("RED", "Debian needs libseccomp-dev")
=====================================
wscript
=====================================
--- a/wscript
+++ b/wscript
@@ -754,9 +754,6 @@ int main(int argc, char **argv) {
if ctx.options.enable_early_droproot:
ctx.define("ENABLE_EARLY_DROPROOT", 1,
comment="Enable early drop root")
- if ctx.options.enable_seccomp:
- ctx.define("ENABLE_SECCOMP", 1,
- comment="Enable seccomp")
if not ctx.options.disable_dns_lookup:
ctx.define("ENABLE_DNS_LOOKUP", 1,
@@ -817,8 +814,12 @@ int main(int argc, char **argv) {
from wafhelpers.check_cap import check_cap
check_cap(ctx)
- from wafhelpers.check_seccomp import check_seccomp
- check_seccomp(ctx)
+ if ctx.options.enable_seccomp:
+ if ctx.env.DEST_OS != "linux":
+ ctx.fatal("seccomp is only supported on Linux")
+
+ ctx.check_cc(header_name="seccomp.h")
+ ctx.check_cc(lib="seccomp")
from wafhelpers.check_pthread import check_pthread_header_lib
check_pthread_header_lib(ctx)
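Review bot: The two `check_cc` calls now abort configure with waf's generic "not found" message, whereas the deleted `check_seccomp` helper told the user which package supplies libseccomp (`libseccomp-devel` on Fedora, `libseccomp-dev` on Debian); now that the check is fatal that hint is more useful, not less. Pass it as the failure text, e.g. `ctx.check_cc(header_name="seccomp.h", errmsg="not found; install libseccomp-dev (Debian) or libseccomp-devel (Fedora)")`, and the same on the `lib="seccomp"` check. The old helper also attached `comment="seccomp library"` to the library check for the generated config.h; it is dropped here, presumably intentionally, but worth confirming since the surrounding `ctx.define` calls in this file still carry such comments.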
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/d22805a504e2a4066a3b22f5a100319c1f72601d