[Bug 2536] ntpd sandboxing support (libseccomp2) cleanup
authorHarlan Stenn <stenn@ntp.org>
Wed, 10 Sep 2014 08:56:05 +0000 (08:56 +0000)
committerHarlan Stenn <stenn@ntp.org>
Wed, 10 Sep 2014 08:56:05 +0000 (08:56 +0000)
bk: 54101225PycUoyVVZwc0hp01p1Msew

ChangeLog
configure.ac
ntpd/ntpd.c

index acf441c2567d7092b43ccfb3b250341acb1f441f..50dfb4f432ce4547f24dc7b1249fd3416334e391 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2536] ntpd sandboxing support (libseccomp2) cleanup.
 * [Bug 2649] Clean up html/ page installation.
 (4.2.7p473) 2014/09/06 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 2649] Clean up html/ page installation.
index 91c0318bf60997668720bdff71451984d18ac77d..1044d8c61e9a89c015568e87e329cf06bb0c8369 100644 (file)
@@ -210,6 +210,46 @@ case "$ntp_ok" in
        [AC_DEFINE([LIBSECCOMP], [1],
            [Define to any value to include libseccomp sandboxing.])]
     )
+    AC_TRY_RUN([
+       #include <stdio.h>
+       #include <stdlib.h>
+       #include <errno.h>
+       #include <sys/prctl.h>
+       #include <linux/seccomp.h>
+
+       int main(void)
+       {
+               int ret;
+               ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+               if (ret < 0) {
+                       switch (errno) {
+                       case ENOSYS:
+                               return 1;
+                       case EINVAL:
+                               return 1;
+                       default:
+                               return 1;
+                       }
+               }
+               ret = 
+               prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+               if (ret < 0) {
+                       switch (errno) {
+                       case EINVAL:
+                               return 1;
+                       case EFAULT:
+                               return 0;
+                       default:
+                               return 1;
+               }
+       }
+return 1;
+}
+]
+, AC_DEFINE([KERN_SECCOMP], 1, 
+[Define to use libseccomp system call filtering.])   
+, []
+)
     ;;
 esac
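Review bot: The added AC_TRY_RUN probe leaves its failure branch as `[]`, so when the build host's kernel (or a restricted build container that blocks prctl) does not report seccomp filter mode, KERN_SECCOMP is left undefined and ntpd is built without the sandbox with no message, even though LIBSECCOMP was defined just above. The decision is also taken from the machine that runs configure, not the one that will run ntpd, so a package built on an older kernel ships unsandboxed. I would report the result and warn on the negative path, e.g. `, [AC_MSG_WARN([kernel seccomp filter mode not detected; building ntpd without the libseccomp sandbox])]`. There is also no fourth (cross-compiling) argument, and as far as I know configure then stops with an error when cross compiling; a `, [AC_MSG_WARN([cross compiling: assuming no kernel seccomp support])]` default would avoid that. The enclosing `case "$ntp_ok"` starts outside this hunk.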
 
index abe3ff76cc1a8fc698aa0ea4ae5b70eeb4e8a3ad..ef1baa7037a1300c1b20b56a83c2c4d58bcb0022 100644 (file)
 #endif /* HAVE_PRIV_H */
 #endif /* HAVE_DROPROOT */
 
-#if defined (LIBSECCOMP)
+#if defined (LIBSECCOMP) && (KERN_SECCOMP)
 /* # include <sys/types.h> */
 # include <sys/resource.h>
 # include <seccomp.h>
-#endif /* LIBSECCOMP */
+#endif /* LIBSECCOMP and KERN_SECCOMP */
 
 #ifdef HAVE_DNSREGISTRATION
 # include <dns_sd.h>
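Review bot: The new guard `#if defined (LIBSECCOMP) && (KERN_SECCOMP)` tests KERN_SECCOMP by value rather than by definition, unlike LIBSECCOMP beside it. It works while configure defines the macro as 1, but it trips -Wundef when the macro is absent and becomes a syntax error if the macro is ever defined empty; `#if defined(LIBSECCOMP) && defined(KERN_SECCOMP)` says what is meant. The same guard is repeated in the hunk at line 1006, and the includes, the filter setup and the closing `#endif` must stay in step. A short comment above this first guard would help, e.g. `/* sandbox needs both libseccomp and a kernel with seccomp filter mode */`.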
@@ -1006,7 +1006,7 @@ getgroup:
 # endif        /* HAVE_DROPROOT */
 
 /* libssecomp sandboxing */
-#if defined (LIBSECCOMP)
+#if defined (LIBSECCOMP) && (KERN_SECCOMP)
        scmp_filter_ctx ctx;
 
        if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
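Review bot: The context line `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` compares a `scmp_filter_ctx` with `< 0`, but libseccomp reports failure from seccomp_init() by returning NULL, so this test does not catch a failed initialisation. Later calls on the filter would then presumably run with a null context, and whether the process ends up sandboxed depends on how those calls fail. Since this commit already touches the guard around this block, the check is worth correcting to `if ((ctx = seccomp_init(SCMP_ACT_KILL)) == NULL)`. The body of the branch and the rest of the filter setup lie outside this hunk.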
@@ -1107,7 +1107,7 @@ int scmp_sc[] = {
        else {
                msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
        }
-#endif /* LIBSECCOMP */
+#endif /* LIBSECCOMP and KERN_SECCOMP */
 
 # ifdef HAVE_IO_COMPLETION_PORT