From: Harlan Stenn Date: Wed, 10 Sep 2014 08:56:05 +0000 (+0000) Subject: [Bug 2536] ntpd sandboxing support (libseccomp2) cleanup X-Git-Tag: NTP_4_2_7P474~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fff995dde7dce968051267e430e7d248035f713e;p=thirdparty%2Fntp.git [Bug 2536] ntpd sandboxing support (libseccomp2) cleanup bk: 54101225PycUoyVVZwc0hp01p1Msew
---
diff --git a/ChangeLog b/ChangeLog
index acf441c25..50dfb4f43 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* [Bug 2536] ntpd sandboxing support (libseccomp2) cleanup.
 * [Bug 2649] Clean up html/ page installation.
 (4.2.7p473) 2014/09/06 Released by Harlan Stenn
 * [Bug 2649] Clean up html/ page installation.
diff --git a/configure.ac b/configure.ac
index 91c0318bf..1044d8c61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -210,6 +210,46 @@ case "$ntp_ok" in
 [AC_DEFINE([LIBSECCOMP], [1], [Define to any value to include libseccomp sandboxing.])] )
+ AC_TRY_RUN([
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ int main(void)
+ {
+ int ret;
+ ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+ if (ret < 0) {
+ switch (errno) {
+ case ENOSYS:
+ return 1;
+ case EINVAL:
+ return 1;
+ default:
+ return 1;
+ }
+ }
+ ret =
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+ if (ret < 0) {
+ switch (errno) {
+ case EINVAL:
+ return 1;
+ case EFAULT:
+ return 0;
+ default:
+ return 1;
+ }
+ }
+return 1;
+}
+]
+, AC_DEFINE([KERN_SECCOMP], 1,
+[Define to use libseccomp system call filtering.])
+, []
+)
 ;;
 esac
diff --git a/ntpd/ntpd.c b/ntpd/ntpd.c
index abe3ff76c..ef1baa703 100644
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -113,11 +113,11 @@
 #endif /* HAVE_PRIV_H */
 #endif /* HAVE_DROPROOT */
-#if defined (LIBSECCOMP)
+#if defined (LIBSECCOMP) && (KERN_SECCOMP)
 /* # include */
 # include
 # include
-#endif /* LIBSECCOMP */
+#endif /* LIBSECCOMP and KERN_SECCOMP */
 #ifdef HAVE_DNSREGISTRATION
 # include
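Review bot: The `AC_TRY_RUN` probe tests the kernel of the build machine, and its result decides at compile time whether the seccomp filter is built into ntpd at all. A binary produced in a build chroot or container where `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0)` does not fail with `EFAULT` ends up without the sandbox even though `LIBSECCOMP` is defined, and configure prints nothing about it because the failure action is the empty `[]`. I would report the outcome, e.g. `AC_MSG_CHECKING([if the kernel supports seccomp filter mode])` before the probe and `AC_MSG_RESULT([yes])` / `AC_MSG_RESULT([no])` in the two actions. The call also has no fourth (cross-compiling) argument, so the probe cannot be answered in a cross build; an explicit fourth argument that reports the skipped check would make that case deliberate.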
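Review bot: The new guard `#if defined (LIBSECCOMP) && (KERN_SECCOMP)` tests `LIBSECCOMP` with `defined` but evaluates `KERN_SECCOMP` as a value. It works only because an undefined identifier counts as 0 inside `#if`; it warns under `-Wundef` and would stop compiling if the macro were ever defined empty. `#if defined(LIBSECCOMP) && defined(KERN_SECCOMP)` states the intent and is independent of the value that `AC_DEFINE([KERN_SECCOMP], 1, ...)` assigns. The same guard is introduced in the hunk at line 1006 and should change with it.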
@@ -1006,7 +1006,7 @@ getgroup:
 # endif /* HAVE_DROPROOT */
 /* libssecomp sandboxing */
-#if defined (LIBSECCOMP)
+#if defined (LIBSECCOMP) && (KERN_SECCOMP)
 scmp_filter_ctx ctx;
 if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)
@@ -1107,7 +1107,7 @@ int scmp_sc[] = {
 else {
 msyslog(LOG_DEBUG, "%s: seccomp_load() succeeded", __func__);
 }
-#endif /* LIBSECCOMP */
+#endif /* LIBSECCOMP and KERN_SECCOMP */
 # ifdef HAVE_IO_COMPLETION_PORT
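Review bot: The context line `if ((ctx = seccomp_init(SCMP_ACT_KILL)) < 0)` under the changed guard cannot detect a failed initialisation. With the libseccomp 2 API that the `scmp_filter_ctx ctx;` declaration implies, `seccomp_init()` returns a pointer and signals failure with `NULL`, so the `< 0` comparison is never true for it. A failed init would then presumably continue into the later seccomp calls with a null context instead of being reported. The check should read `if ((ctx = seccomp_init(SCMP_ACT_KILL)) == NULL)`. The body of this `if` and the rest of the block lie outside the hunk, so the failure handling itself cannot be judged from here.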
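Review bot: With the block now also depending on `KERN_SECCOMP`, a build in which the configure probe failed drops the sandbox and ntpd gives no runtime sign of it, while the success path visible here logs only at `LOG_DEBUG`. An `#elif defined(LIBSECCOMP)` branch before this `#endif`, containing something like `msyslog(LOG_NOTICE, "%s: built without seccomp sandboxing", __func__);`, would let an operator see from the log that the daemon is running unconfined. The start of the guarded block is outside this hunk.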