Remove libseccomp based system-call filtering.
authorOndřej Surý <ondrej@sury.org>
Thu, 22 Feb 2018 12:40:57 +0000 (13:40 +0100)
committerOndřej Surý <ondrej@sury.org>
Thu, 22 Feb 2018 12:41:06 +0000 (13:41 +0100)
bin/named/include/named/seccomp.h [deleted file]
bin/named/main.c
bin/named/win32/named.vcxproj.filters.in
bin/named/win32/named.vcxproj.in
config.h.in
configure
configure.in
util/copyrights
win32utils/Configure

diff --git a/bin/named/include/named/seccomp.h b/bin/named/include/named/seccomp.h
deleted file mode 100644 (file)
index a0490d2..0000000
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * Copyright (C) 2014, 2016, 2017  Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-#ifndef NAMED_SECCOMP_H
-#define NAMED_SECCOMP_H 1
-
-/*! \file */
-
-#ifdef HAVE_LIBSECCOMP
-#include <sys/types.h>
-#include <sys/resource.h>
-#include <unistd.h>
-#include <seccomp.h>
-#include <isc/platform.h>
-
-/*%
- * For each architecture, the scmp_syscalls and
- * scmp_syscall_names arrays MUST be kept in sync.
- */
-#ifdef __x86_64__
-int scmp_syscalls[] = {
-       SCMP_SYS(access),
-       SCMP_SYS(open),
-       SCMP_SYS(openat),
-       SCMP_SYS(lseek),
-       SCMP_SYS(clock_gettime),
-       SCMP_SYS(time),
-       SCMP_SYS(read),
-       SCMP_SYS(write),
-       SCMP_SYS(close),
-       SCMP_SYS(brk),
-       SCMP_SYS(poll),
-       SCMP_SYS(select),
-       SCMP_SYS(madvise),
-       SCMP_SYS(mmap),
-       SCMP_SYS(munmap),
-       SCMP_SYS(exit_group),
-       SCMP_SYS(rt_sigprocmask),
-       SCMP_SYS(rt_sigaction),
-       SCMP_SYS(fsync),
-       SCMP_SYS(rt_sigreturn),
-       SCMP_SYS(setsid),
-       SCMP_SYS(chdir),
-       SCMP_SYS(futex),
-       SCMP_SYS(stat),
-       SCMP_SYS(rt_sigsuspend),
-       SCMP_SYS(fstat),
-       SCMP_SYS(epoll_ctl),
-       SCMP_SYS(gettimeofday),
-       SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
-       SCMP_SYS(getrandom),
-#endif
-       SCMP_SYS(rename),
-       SCMP_SYS(unlink),
-       SCMP_SYS(socket),
-       SCMP_SYS(sendto),
-#ifndef ISC_PLATFORM_USETHREADS
-       SCMP_SYS(bind),
-       SCMP_SYS(accept),
-       SCMP_SYS(connect),
-       SCMP_SYS(listen),
-       SCMP_SYS(fcntl),
-       SCMP_SYS(sendmsg),
-       SCMP_SYS(recvmsg),
-       SCMP_SYS(uname),
-       SCMP_SYS(setrlimit),
-       SCMP_SYS(getrlimit),
-       SCMP_SYS(setsockopt),
-       SCMP_SYS(getsockopt),
-       SCMP_SYS(getsockname),
-       SCMP_SYS(lstat),
-       SCMP_SYS(getgid),
-       SCMP_SYS(getegid),
-       SCMP_SYS(getuid),
-       SCMP_SYS(geteuid),
-       SCMP_SYS(setresgid),
-       SCMP_SYS(setresuid),
-       SCMP_SYS(setgid),
-       SCMP_SYS(setuid),
-       SCMP_SYS(prctl),
-       SCMP_SYS(epoll_wait),
-       SCMP_SYS(getdents),
-       SCMP_SYS(utimes),
-       SCMP_SYS(dup),
-#endif
-};
-const char *scmp_syscall_names[] = {
-       "access",
-       "open",
-       "openat",
-       "lseek",
-       "clock_gettime",
-       "time",
-       "read",
-       "write",
-       "close",
-       "brk",
-       "poll",
-       "select",
-       "madvise",
-       "mmap",
-       "munmap",
-       "exit_group",
-       "rt_sigprocmask",
-       "rt_sigaction",
-       "fsync",
-       "rt_sigreturn",
-       "setsid",
-       "chdir",
-       "futex",
-       "stat",
-       "rt_sigsuspend",
-       "fstat",
-       "epoll_ctl",
-       "gettimeofday",
-       "getpid",
-#ifdef HAVE_GETRANDOM
-       "getrandom",
-#endif
-       "rename",
-       "unlink",
-       "socket",
-       "sendto",
-#ifndef ISC_PLATFORM_USETHREADS
-       "bind",
-       "accept",
-       "connect",
-       "listen",
-       "fcntl",
-       "sendmsg",
-       "recvmsg",
-       "uname",
-       "setrlimit",
-       "getrlimit",
-       "setsockopt",
-       "getsockopt",
-       "getsockname",
-       "lstat",
-       "getgid",
-       "getegid",
-       "getuid",
-       "geteuid",
-       "setresgid",
-       "setresuid",
-       "setgid",
-       "setuid",
-       "prctl",
-       "epoll_wait",
-       "getdents",
-       "utimes",
-       "dup",
-#endif
-};
-#endif /* __x86_64__ */
-#ifdef __i386__
-int scmp_syscalls[] = {
-       SCMP_SYS(access),
-       SCMP_SYS(open),
-       SCMP_SYS(clock_gettime),
-       SCMP_SYS(time),
-       SCMP_SYS(read),
-       SCMP_SYS(write),
-       SCMP_SYS(close),
-       SCMP_SYS(brk),
-       SCMP_SYS(poll),
-       SCMP_SYS(_newselect),
-       SCMP_SYS(select),
-       SCMP_SYS(madvise),
-       SCMP_SYS(mmap2),
-       SCMP_SYS(mmap),
-       SCMP_SYS(munmap),
-       SCMP_SYS(exit_group),
-       SCMP_SYS(rt_sigprocmask),
-       SCMP_SYS(sigprocmask),
-       SCMP_SYS(rt_sigaction),
-       SCMP_SYS(socketcall),
-       SCMP_SYS(fsync),
-       SCMP_SYS(sigreturn),
-       SCMP_SYS(setsid),
-       SCMP_SYS(chdir),
-       SCMP_SYS(futex),
-       SCMP_SYS(stat64),
-       SCMP_SYS(rt_sigsuspend),
-       SCMP_SYS(fstat64),
-       SCMP_SYS(epoll_ctl),
-       SCMP_SYS(gettimeofday),
-       SCMP_SYS(getpid),
-#ifdef HAVE_GETRANDOM
-       SCMP_SYS(getrandom),
-#endif
-       SCMP_SYS(unlink),
-#ifndef ISC_PLATFORM_USETHREADS
-       SCMP_SYS(fcntl64),
-#endif
-};
-const char *scmp_syscall_names[] = {
-       "access",
-       "open",
-       "clock_gettime",
-       "time",
-       "read",
-       "write",
-       "close",
-       "brk",
-       "poll",
-       "_newselect",
-       "select",
-       "madvise",
-       "mmap2",
-       "mmap",
-       "munmap",
-       "exit_group",
-       "rt_sigprocmask",
-       "sigprocmask",
-       "rt_sigaction",
-       "socketcall",
-       "fsync",
-       "sigreturn",
-       "setsid",
-       "chdir",
-       "futex",
-       "stat64",
-       "rt_sigsuspend",
-       "fstat64",
-       "epoll_ctl",
-       "gettimeofday",
-       "getpid",
-#ifdef HAVE_GETRANDOM
-       "getrandom",
-#endif
-       "unlink",
-#ifndef ISC_PLATFORM_USETHREADS
-       "fcntl64",
-#endif
-};
-#endif /* __i386__ */
-#endif /* HAVE_LIBSECCOMP */
-
-#endif /* NAMED_SECCOMP_H */
index 4fb056636dd29c3ccf021ddb272b1e916baaace9..30c8263d002cc71f483654ffddc9ad4c43f69444 100644 (file)
@@ -69,7 +69,6 @@
 #include <named/os.h>
 #include <named/server.h>
 #include <named/main.h>
-#include <named/seccomp.h>
 #ifdef HAVE_LIBSCF
 #include <named/smf_globals.h>
 #endif
@@ -908,60 +907,6 @@ dump_symboltable(void) {
        }
 }
 
-#ifdef HAVE_LIBSECCOMP
-static void
-setup_seccomp() {
-       scmp_filter_ctx ctx;
-       unsigned int i;
-       int ret;
-
-       /* Make sure the lists are in sync */
-       INSIST((sizeof(scmp_syscalls) / sizeof(int)) ==
-              (sizeof(scmp_syscall_names) / sizeof(const char *)));
-
-       ctx = seccomp_init(SCMP_ACT_KILL);
-       if (ctx == NULL) {
-               isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-                             NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-                             "libseccomp activation failed");
-               return;
-       }
-
-       for (i = 0 ; i < sizeof(scmp_syscalls)/sizeof(*(scmp_syscalls)); i++) {
-               ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW,
-                                      scmp_syscalls[i], 0);
-               if (ret < 0)
-                       isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-                                     NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-                                     "libseccomp rule failed: %s",
-                                     scmp_syscall_names[i]);
-
-               else
-                       isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-                                     NAMED_LOGMODULE_MAIN, ISC_LOG_DEBUG(9),
-                                     "added libseccomp rule: %s",
-                                     scmp_syscall_names[i]);
-       }
-
-       ret = seccomp_load(ctx);
-       if (ret < 0) {
-               isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-                             NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING,
-                             "libseccomp unable to load filter");
-       } else {
-               isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-                             NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
-                             "libseccomp sandboxing active");
-       }
-
-       /*
-        * Release filter in ctx. Filters already loaded are not
-        * affected.
-        */
-       seccomp_release(ctx);
-}
-#endif /* HAVE_LIBSECCOMP */
-
 static void
 setup(void) {
        isc_result_t result;
@@ -1219,9 +1164,6 @@ setup(void) {
 
        named_g_server->sctx->delay = delay;
 
-#ifdef HAVE_LIBSECCOMP
-       setup_seccomp();
-#endif /* HAVE_LIBSECCOMP */
 }
 
 static void
index 12702e020e135bbd71a1ba2e7eaf09ea4fec278c..60b2ec26ac8cc3c418dfc7c5e56e09aa571df38c 100644 (file)
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
@@ -99,9 +99,6 @@
     <ClInclude Include="..\include\named\main.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="..\include\named\seccomp.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="..\include\named\server.h">
       <Filter>Header Files</Filter>
     </ClInclude>
index e20e544ee537863f4fd8b7620637f65b75bb93a1..6ee57b9497d264ea7364b3e546c4b435971446c8 100644 (file)
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|@PLATFORM@">
     <ClInclude Include="..\include\named\log.h" />
     <ClInclude Include="..\include\named\logconf.h" />
     <ClInclude Include="..\include\named\main.h" />
-    <ClInclude Include="..\include\named\seccomp.h" />
     <ClInclude Include="..\include\named\server.h" />
     <ClInclude Include="..\include\named\statschannel.h" />
     <ClInclude Include="..\include\named\tkeyconf.h" />
index ce00214a74a2511f40122bf8d0c1b5ed8fe9fb66..0ce2b02668e37e3406cce8e0ad56536d83ca6861 100644 (file)
@@ -325,9 +325,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `scf' library (-lscf). */
 #undef HAVE_LIBSCF
 
-/* Define to use libseccomp system call filtering. */
-#undef HAVE_LIBSECCOMP
-
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
 
index 7a53165026dfac2b78eb8f5cb582a63bc3e6cb1c..af930eaac27049a33ca8cdeb0304dac140173aaf 100755 (executable)
--- a/configure
+++ b/configure
@@ -989,7 +989,6 @@ enable_warn_shadow
 enable_warn_error
 enable_developer
 enable_afl
-enable_seccomp
 with_python
 with_python_install_dir
 enable_kqueue
@@ -1699,8 +1698,6 @@ Optional Features:
   --enable-warn-error     turn on -Werror when compiling
   --enable-developer      enable developer build settings
   --enable-afl            enable American Fuzzy Lop test harness [default=no]
-  --enable-seccomp        enable support for libseccomp system call filtering
-                          [default=no]
   --enable-kqueue         use BSD kqueue when available [default=yes]
   --enable-epoll          use Linux epoll when available [default=auto]
   --enable-devpoll        use /dev/poll when available [default=yes]
@@ -12014,8 +12011,6 @@ yes)
        ;;
 esac
 
-
-#libseccomp sandboxing
 for ac_func in getrandom
 do :
   ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
@@ -12027,141 +12022,6 @@ _ACEOF
 fi
 done
 
-# Check whether --enable-seccomp was given.
-if test "${enable_seccomp+set}" = set; then :
-  enableval=$enable_seccomp;
-fi
-
-case "$enable_seccomp" in
-       yes)
-       case $host_os in
-       linux*)
-               ;;
-       *)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&5
-$as_echo "$as_me: WARNING: seccomp is not supported on non-linux platforms; disabling it" >&2;}
-               enable_seccomp=no
-               ;;
-       esac
-       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing seccomp_init" >&5
-$as_echo_n "checking for library containing seccomp_init... " >&6; }
-if ${ac_cv_search_seccomp_init+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char seccomp_init ();
-int
-main ()
-{
-return seccomp_init ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' seccomp; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_seccomp_init=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_seccomp_init+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_seccomp_init+:} false; then :
-
-else
-  ac_cv_search_seccomp_init=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_seccomp_init" >&5
-$as_echo "$ac_cv_search_seccomp_init" >&6; }
-ac_res=$ac_cv_search_seccomp_init
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-fi
-
-       if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
-               if test "$cross_compiling" = yes; then :
-  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-               #include <stdio.h>
-               #include <stdlib.h>
-               #include <errno.h>
-               #include <sys/prctl.h>
-               #include <linux/seccomp.h>
-
-               int main(void)
-               {
-                       int ret;
-
-                       ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
-                       if (ret < 0) {
-                               switch (errno) {
-                               case ENOSYS:
-                                       return 1;
-                               case EINVAL:
-                                       return 1;
-                               default:
-                                       return 1;
-                               }
-                       }
-                       ret =
-                       prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-                       if (ret < 0) {
-                               switch (errno) {
-                               case EINVAL:
-                                       return 1;
-                               case EFAULT:
-                                       return 0;
-                               default:
-                                       return 1;
-                       }
-               }
-       return 1;
-       }
-
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-
-$as_echo "#define HAVE_LIBSECCOMP 1" >>confdefs.h
-
-
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-       fi
-               ;;
-       *)
-               ;;
-esac
 
 #
 # Make very sure that these are the first files processed by
@@ -26725,8 +26585,6 @@ report() {
        echo "    DNS Response Policy Service interface (--enable-dnsrps)"
     test "yes" = "$enable_fixed" && \
        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_seccomp" && \
-       echo "    Use libseccomp system call filtering (--enable-seccomp)"
     test "yes" = "$want_backtrace" && \
        echo "    Print backtrace on crash (--enable-backtrace)"
     test "minimal" = "$want_symtable" && \
@@ -26793,8 +26651,6 @@ report() {
     test "yes" = "$want_crypto_rand" || \
        echo "    Crypto provider entropy source (--enable-crypto-rand)"
 
-    test "yes" = "$enable_seccomp" || \
-       echo "    Use libseccomp system call filtering (--enable-seccomp)"
     test "yes" = "$want_backtrace" || \
        echo "    Print backtrace on crash (--enable-backtrace)"
     test "yes" = "$want_querytrace" || \
index 52d922b226eeec50b70690569e58b17c2026646e..89be2a4a86d96a8de89aae763053f209c5606e36 100644 (file)
@@ -106,71 +106,7 @@ yes)
        ;;
 esac
 
-
-#libseccomp sandboxing
 AC_CHECK_FUNCS(getrandom)
-AC_ARG_ENABLE(seccomp,
-             AS_HELP_STRING([--enable-seccomp],
-                            [enable support for libseccomp system call
-                                filtering [default=no]]))
-case "$enable_seccomp" in
-       yes)
-       case $host_os in
-       linux*)
-               ;;
-       *)
-               AC_MSG_WARN([seccomp is not supported on non-linux platforms; disabling it])
-               enable_seccomp=no
-               ;;
-       esac
-       AC_SEARCH_LIBS(seccomp_init, [seccomp])
-       if test "X$ac_cv_search_seccomp_init" = "X-lseccomp" ; then
-               AC_TRY_RUN([
-               #include <stdio.h>
-               #include <stdlib.h>
-               #include <errno.h>
-               #include <sys/prctl.h>
-               #include <linux/seccomp.h>
-
-               int main(void)
-               {
-                       int ret;
-
-                       ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
-                       if (ret < 0) {
-                               switch (errno) {
-                               case ENOSYS:
-                                       return 1;
-                               case EINVAL:
-                                       return 1;
-                               default:
-                                       return 1;
-                               }
-                       }
-                       ret = 
-                       prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-                       if (ret < 0) {
-                               switch (errno) {
-                               case EINVAL:
-                                       return 1;
-                               case EFAULT:
-                                       return 0;
-                               default:
-                                       return 1;
-                       }
-               }
-       return 1;
-       }
-       ]
-       , AC_DEFINE([HAVE_LIBSECCOMP], 1, 
-       [Define to use libseccomp system call filtering.])   
-       , []
-       )
-       fi
-               ;;
-       *)
-               ;;
-esac
 
 #
 # Make very sure that these are the first files processed by
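Review bot: Dropping `AC_ARG_ENABLE(seccomp, ...)` outright means a build recipe that still passes `--enable-seccomp` will neither fail nor enable anything. Autoconf-generated configure scripts by default only warn about unrecognized `--enable-*` options, so such a build would quietly produce a named with no syscall filter. Consider keeping a stub that rejects the flag, e.g. `AC_ARG_ENABLE(seccomp, [], [test "$enableval" = no || AC_MSG_ERROR([--enable-seccomp has been removed])])`, and noting the removal in the release notes, which the file list of this commit does not appear to touch. The surviving `AC_CHECK_FUNCS(getrandom)` also loses its `#libseccomp sandboxing` heading; a one-line comment naming what still consumes `HAVE_GETRANDOM` would help, since its users are outside this hunk.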
@@ -5580,8 +5516,6 @@ report() {
        echo "    DNS Response Policy Service interface (--enable-dnsrps)"
     test "yes" = "$enable_fixed" && \
        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-    test "yes" = "$enable_seccomp" && \
-       echo "    Use libseccomp system call filtering (--enable-seccomp)"
     test "yes" = "$want_backtrace" && \
        echo "    Print backtrace on crash (--enable-backtrace)"
     test "minimal" = "$want_symtable" && \
@@ -5648,8 +5582,6 @@ report() {
     test "yes" = "$want_crypto_rand" || \
        echo "    Crypto provider entropy source (--enable-crypto-rand)"
 
-    test "yes" = "$enable_seccomp" || \
-       echo "    Use libseccomp system call filtering (--enable-seccomp)"
     test "yes" = "$want_backtrace" || \
        echo "    Print backtrace on crash (--enable-backtrace)"
     test "yes" = "$want_querytrace" || \
index ff45e46b565ecd4ccbb0feb79c98f346d2fe198e..2f7b39bc16831aec3b9f40375da9b458c302f552 100644 (file)
 ./bin/named/include/named/log.h                        C       1999,2000,2001,2002,2004,2005,2007,2009,2015,2016,2017
 ./bin/named/include/named/logconf.h            C       1999,2000,2001,2004,2005,2006,2007,2016,2017
 ./bin/named/include/named/main.h               C       1999,2000,2001,2002,2004,2005,2007,2009,2013,2015,2016,2017
-./bin/named/include/named/seccomp.h            C       2014,2016,2017
 ./bin/named/include/named/server.h             C       1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017
 ./bin/named/include/named/smf_globals.h                C       2017
 ./bin/named/include/named/statschannel.h       C       2008,2016,2017
index 771a8c0ba42a1e9506855ab0c8732c96c5fbe9a6..35c9593c1a6be35fe70844ac1d45edb12f1d61dd 100644 (file)
@@ -3445,7 +3445,6 @@ exit 0;
 #  --disable-rpz-nsdname supported
 #  --enable-full-report supported by verbose
 #  --enable-dnstap not supported (requires libfstrm support on WIN32)
-#  --enable-seccomp not supported (Linux specific)
 #  --enable-afl not supported (not yet available on Visual Studio C++)
 #  --with-python supported
 #  --with-openssl supported