From: Roy Marples <roy@marples.name>
Date: Wed, 5 Feb 2025 18:01:34 +0000 (+0000)
Subject: privsep: ASAN now works
X-Git-Tag: v10.2.0~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ea879d71f80c188d2fb8ba0eae14eae1aee47be;p=thirdparty%2Fdhcpcd.git

privsep: ASAN now works

On Linux at least, Fedora-41 tested.
`./configure --sanitize` sets it all up.
---

diff --git a/configure b/configure
index 1a772b02..b34227dd 100755
--- a/configure
+++ b/configure
@@ -437,6 +437,7 @@ int main(void) {
 EOF
 		if $CC -fsanitize=address _test.c -o _test 2>&3; then
 			echo "yes"
+			echo "CPPFLAGS+=	-DASAN" >>$CONFIG_MK
 			echo "CFLAGS+=	-fsanitize=address" >>$CONFIG_MK
 			echo "CFLAGS+=	-fno-omit-frame-pointer" >>$CONFIG_MK
 			echo "LDFLAGS+=	-fsanitize=address" >>$CONFIG_MK
diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index c4172c83..ca810823 100644
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -444,10 +444,6 @@ static struct sock_filter ps_seccomp_filter[] = {
 #ifdef __NR_shutdown
 	SECCOMP_ALLOW(__NR_shutdown),
 #endif
-#ifdef __NR_sigaltstack
-	/* Allows a clean exit when compiled for address sanitization. */
-	SECCOMP_ALLOW(__NR_sigaltstack),
-#endif
 #ifdef __NR_statx
 	SECCOMP_ALLOW(__NR_statx),
 #endif
@@ -470,6 +466,30 @@ static struct sock_filter ps_seccomp_filter[] = {
 	SECCOMP_ALLOW(__NR_uname),
 #endif
 
+/* These are for compiling with address sanitization */
+#ifdef ASAN
+#ifdef __NR_futex
+	SECCOMP_ALLOW(__NR_futex),
+#endif
+#ifdef __NR_openat
+	SECCOMP_ALLOW(__NR_openat),
+#endif
+#ifdef __NR_readlink
+	SECCOMP_ALLOW(__NR_readlink),
+#endif
+#ifdef __NR_sigaltstack
+	SECCOMP_ALLOW(__NR_sigaltstack),
+#endif
+
+/* coredumps */
+#ifdef __NR_gettid
+	SECCOMP_ALLOW(__NR_gettid),
+#endif
+#ifdef __NR_tgkill
+	SECCOMP_ALLOW(__NR_tgkill),
+#endif
+#endif
+
 	/* Deny everything else */
 	BPF_STMT(BPF_RET + BPF_K, SECCOMP_FILTER_FAIL),
 };
diff --git a/src/privsep.c b/src/privsep.c
index 98e8f488..20b99462 100644
--- a/src/privsep.c
+++ b/src/privsep.c
@@ -129,10 +129,16 @@ ps_dropprivs(struct dhcpcd_ctx *ctx)
 	   STDOUT_FILENO : STDERR_FILENO;
 
 	if (ctx->options & DHCPCD_LAUNCHER)
+#ifdef ASAN
+		logwarnx("not chrooting as compiled for ASAN");
+#else
 		logdebugx("chrooting as %s to %s", pw->pw_name, pw->pw_dir);
+
 	if (chroot(pw->pw_dir) == -1 &&
 	    (errno != EPERM || ctx->options & DHCPCD_FORKED))
 		logerr("%s: chroot: %s", __func__, pw->pw_dir);
+#endif
+
 	if (chdir("/") == -1)
 		logerr("%s: chdir: /", __func__);