privsep: Allow diabling of SECCOMP on Linux

This allows a POSIX resource limited sandbox to be used at least
with privilege separation, which is better than just disabling
privilege separation entirely for when SECCOMP stops working due to
libc/kernel changes.

diff --git a/BUILDING.md b/BUILDING.md
index 75aa5f04e0f37fe04dede86ce458977d1b89f4f2..1d6be2b18139b3aa955bb66dc073392a0598240e 100644 (file)
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -120,6 +120,16 @@ so don't set either `ipv6ra_own` or `slaac private` in `dhcpcd.conf` if you
 want to have working IPv6 temporary addresses.
 SLAAC private addresses are just as private, just stable.
 
+Linux SECCOMP is very dependant on libc vs kernel.
+When libc is changed and uses a syscall that dhcpcd is unaware of,
+SECCOMP may break dhcpcd.
+When this happens you can configure dhcpcd with --disable-seccomp
+so dhcpcd can use a POSIX resource limited sandbox with privilege separation
+still. If you do this, please report the issue so that we can adjust the
+SECCOMP filter so that dhcpcd can use SECCOMP once more.
+Or convince the libc/kernel people to adpot something more maintainable
+like FreeBSD's capsicum or OpenBSD's pledge.
+
 ## Init systems
 We try and detect how dhcpcd should interact with system services at runtime.
 If we cannot auto-detect how do to this, or it is wrong then

diff --git a/configure b/configure
index d225cadf6fce805e56485ff0c6c23b80c26188e0..d959668838d3fbb953c2b77e7b0a4376ff13bbdf 100755 (executable)
--- a/configure
+++ b/configure
@@ -13,6 +13,7 @@ IPV4LL=
 INET6=
 PRIVSEP=
 PRIVSEP_USER=
+SECCOMP=
 ARC4RANDOM=
 CLOSEFROM=
 RBTREE=
@@ -70,6 +71,8 @@ for x do
        --enable-auth) AUTH=yes;;
        --disable-privsep) PRIVSEP=no;;
        --enable-privsep) PRIVSEP=yes;;
+       --disable-seccomp) SECCOMP=no;;
+       --enable-seccomp) SECCOMP=yes;;
        --privsepuser) PRIVSEP_USER=$var;;
        --prefix) PREFIX=$var;prefix=$var;; # prefix is set for autotools compat
        --sysconfdir) SYSCONFDIR=$var;;
@@ -585,7 +588,12 @@ if [ "$PRIVSEP" = yes ]; then
                echo "PRIVSEP_SRCS+=    privsep-bpf.c" >>$CONFIG_MK
        fi
        case "$OS" in
-       linux*)          echo "PRIVSEP_SRCS+=   privsep-linux.c" >>$CONFIG_MK;;
+       linux*)
+                        echo "PRIVSEP_SRCS+=   privsep-linux.c" >>$CONFIG_MK
+                        if [ -n "$SECCOMP" ] && [ "$SECCOMP" != no ]; then
+                                echo "#define  DISABLE_SECCOMP" >>$CONFIG_H
+                        fi
+                        ;;
        solaris*|sunos*) echo "PRIVSEP_SRCS+=   privsep-sun.c" >>$CONFIG_MK;;
        *)               echo "PRIVSEP_SRCS+=   privsep-bsd.c" >>$CONFIG_MK;;
        esac

diff --git a/src/privsep-linux.c b/src/privsep-linux.c
index 8270056e1723280ba63386318a6a5f59736b4058..67ed0d73da4e0ed4d2d2659fb25f0169c25a77fe 100644 (file)
--- a/src/privsep-linux.c
+++ b/src/privsep-linux.c
@@ -113,6 +113,10 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
        return ps_root_readerror(ctx, NULL, 0);
 }
 
+#ifdef DISABLE_SECCOMP
+#warning SECCOMP has been disabled
+#else
+
 #if (BYTE_ORDER == LITTLE_ENDIAN)
 # define SECCOMP_ARG_LO        0
 # define SECCOMP_ARG_HI        sizeof(uint32_t)
@@ -500,3 +504,4 @@ ps_seccomp_enter(void)
        }
        return 0;
 }
+#endif /* !DISABLE_SECCOMP */

diff --git a/src/privsep.h b/src/privsep.h
index 34d18dcf7b503f7f0ee342414030c77b739907de..00e8fc4f10ae518ec472a35d86c30c0585ce00fa 100644 (file)
--- a/src/privsep.h
+++ b/src/privsep.h
@@ -115,7 +115,7 @@
 
 #define PS_ROOT_FD(ctx) ((ctx)->ps_root ? (ctx)->ps_root->psp_fd : -1)
 
-#ifdef __linux__
+#if !defined(DISABLE_SECCOMP) && defined(__linux__)
 # include <linux/version.h>
 # if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
 #  define HAVE_SECCOMP