From: Roy Marples Date: Thu, 20 Jul 2023 09:32:26 +0000 (+0100) Subject: privsep: Allow diabling of SECCOMP on Linux X-Git-Tag: v10.0.3~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b65e2d6c7da1688df00753f872d8805631e07cb;p=thirdparty%2Fdhcpcd.git privsep: Allow diabling of SECCOMP on Linux This allows a POSIX resource limited sandbox to be used at least with privilege separation, which is better than just disabling privilege separation entirely for when SECCOMP stops working due to libc/kernel changes. --- diff --git a/BUILDING.md b/BUILDING.md index 75aa5f04..1d6be2b1 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -120,6 +120,16 @@ so don't set either `ipv6ra_own` or `slaac private` in `dhcpcd.conf` if you want to have working IPv6 temporary addresses. SLAAC private addresses are just as private, just stable. +Linux SECCOMP is very dependant on libc vs kernel. +When libc is changed and uses a syscall that dhcpcd is unaware of, +SECCOMP may break dhcpcd. +When this happens you can configure dhcpcd with --disable-seccomp +so dhcpcd can use a POSIX resource limited sandbox with privilege separation +still. If you do this, please report the issue so that we can adjust the +SECCOMP filter so that dhcpcd can use SECCOMP once more. +Or convince the libc/kernel people to adpot something more maintainable +like FreeBSD's capsicum or OpenBSD's pledge. + ## Init systems We try and detect how dhcpcd should interact with system services at runtime. If we cannot auto-detect how do to this, or it is wrong then diff --git a/configure b/configure index d225cadf..d9596688 100755 --- a/configure +++ b/configure @@ -13,6 +13,7 @@ IPV4LL= INET6= PRIVSEP= PRIVSEP_USER= +SECCOMP= ARC4RANDOM= CLOSEFROM= RBTREE= 
@@ -70,6 +71,8 @@ for x do --enable-auth) AUTH=yes;; --disable-privsep) PRIVSEP=no;; --enable-privsep) PRIVSEP=yes;; + --disable-seccomp) SECCOMP=no;; + --enable-seccomp) SECCOMP=yes;; --privsepuser) PRIVSEP_USER=$var;; --prefix) PREFIX=$var;prefix=$var;; # prefix is set for autotools compat --sysconfdir) SYSCONFDIR=$var;; @@ -585,7 +588,12 @@ if [ "$PRIVSEP" = yes ]; then echo "PRIVSEP_SRCS+= privsep-bpf.c" >>$CONFIG_MK fi case "$OS" in - linux*) echo "PRIVSEP_SRCS+= privsep-linux.c" >>$CONFIG_MK;; + linux*) + echo "PRIVSEP_SRCS+= privsep-linux.c" >>$CONFIG_MK + if [ -n "$SECCOMP" ] && [ "$SECCOMP" != no ]; then + echo "#define DISABLE_SECCOMP" >>$CONFIG_H + fi + ;; solaris*|sunos*) echo "PRIVSEP_SRCS+= privsep-sun.c" >>$CONFIG_MK;; *) echo "PRIVSEP_SRCS+= privsep-bsd.c" >>$CONFIG_MK;; esac diff --git a/src/privsep-linux.c b/src/privsep-linux.c index 8270056e..67ed0d73 100644 --- a/src/privsep-linux.c +++ b/src/privsep-linux.c @@ -113,6 +113,10 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg) return ps_root_readerror(ctx, NULL, 0); } +#ifdef DISABLE_SECCOMP +#warning SECCOMP has been disabled +#else + #if (BYTE_ORDER == LITTLE_ENDIAN) # define SECCOMP_ARG_LO 0 # define SECCOMP_ARG_HI sizeof(uint32_t) @@ -500,3 +504,4 @@ ps_seccomp_enter(void) } return 0; } +#endif /* !DISABLE_SECCOMP */ diff --git a/src/privsep.h b/src/privsep.h index 34d18dcf..00e8fc4f 100644 --- a/src/privsep.h +++ b/src/privsep.h @@ -115,7 +115,7 @@ #define PS_ROOT_FD(ctx) ((ctx)->ps_root ? (ctx)->ps_root->psp_fd : -1) -#ifdef __linux__ +#if !defined(DISABLE_SECCOMP) && defined(__linux__) # include # if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) # define HAVE_SECCOMP
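Review bot: the condition in the `configure` hunk at `@@ -585,7 +588,12 @@` is inverted. `--disable-seccomp` sets `SECCOMP=no`, but `#define DISABLE_SECCOMP` is only written to `$CONFIG_H` when `[ -n "$SECCOMP" ] && [ "$SECCOMP" != no ]`, which is true after `--enable-seccomp` and false after `--disable-seccomp`. As written, the workaround that BUILDING.md documents does nothing, while a packager passing the explicit enable flag silently loses the syscall filter and is left with only the resource-limited sandbox, with nothing at configure time to say so. Suggest `if [ "$SECCOMP" = no ]; then`, and consider echoing the chosen sandbox mode in configure's output so the weakened configuration is visible in build logs.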
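Review bot: spelling in the BUILDING.md hunk: "dependant" should be "dependent" and "adpot" should be "adopt" (the commit subject also has "diabling" for "disabling"). It would also help readers to state that `--disable-seccomp` only takes effect when privilege separation is enabled, since the `configure` hunk places the SECCOMP check inside `if [ "$PRIVSEP" = yes ]`, and to spell out that the fallback is a weaker sandbox (resource limits only, no syscall filtering) so that distributions treat it as a temporary measure rather than a default.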
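Review bot: in the `src/privsep-linux.c` hunk at `@@ -113,6 +113,10 @@`, `#warning SECCOMP has been disabled` is emitted on every compile of the file and becomes a hard error under `-Werror`, which is the common case in packaging builds and would defeat the purpose of the option. If the intent is only to make the weakened sandbox visible, a message at configure time or a log line at startup when the filter is not installed would be more reliable than a compiler diagnostic; if a build-time signal is wanted, document that `-Werror` must not be used with `--disable-seccomp`.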
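Review bot: the `src/privsep.h` hunk makes `HAVE_SECCOMP` depend on `DISABLE_SECCOMP`, which `configure` writes to `$CONFIG_H`, so every translation unit that includes `privsep.h` must include the config header first. Worth confirming that this holds for all callers of `ps_seccomp_enter()`: a unit that sees `HAVE_SECCOMP` without `DISABLE_SECCOMP` would still call the function that the `privsep-linux.c` hunk now compiles out, giving a link failure, and the safer pattern is to also have `privsep.h` itself include the config header before this `#if`.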