MIME-Version: 1.0
X-Authentication-Warning: mx.elandsys.com: logan set sender to logan@elandsys.com using -f
In-Reply-To: <rt-3.8.6-3090-1409018228-1567.35184-5-0@isc.org>
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0
Content-Disposition: inline
References: <RT-Ticket-35184@isc.org> <rt-3.8.6-58876-1393246287-176.35184-5-0@isc.org> <rt-3.8.6-3090-1409018228-1567.35184-5-0@isc.org>
Message-ID: <20140915074810.GA7441@mx.elandsys.com>
Content-Type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by bugs.isc.org (Postfix) with ESMTP id CE9B42D20571 for <dhcp-bugs@bugs.isc.org>; Mon, 15 Sep 2014 07:48:16 +0000 (UTC)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by mx.pao1.isc.org (Postfix) with ESMTP id 02B963493AD for <dhcp-bugs@isc.org>; Mon, 15 Sep 2014 07:48:13 +0000 (UTC)
Received: from mx.elandsys.com (IDENT:logan@localhost [127.0.0.1]) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id s8F7mAVQ029702 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dhcp-bugs@isc.org>; Mon, 15 Sep 2014 00:48:11 -0700 (PDT)
Received: (from logan@localhost) by mx.elandsys.com (8.14.5/8.14.5/Submit) id s8F7mAuL026410 for dhcp-bugs@isc.org; Mon, 15 Sep 2014 00:48:10 -0700 (PDT)
Delivered-To: dhcp-bugs@bugs.isc.org
Subject: Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
User-Agent: Mutt/1.5.21 (2010-09-15)
Return-Path: <logan@elandsys.com>
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1410767291; x=1410853691; bh=4peDDDizj7sboY/txwbVjk0p8GPzFRNSF3/7gQC4TEo=; h=Date:From:To:Subject:References:In-Reply-To; b=Rcl57H6guXVhxfevr2v/oNZRnyoVXoA+hVbky6g2QYamS90o1mHfquvaY6X3wZJa4 NVJ2iEwqT0VGQUCzqsyiVBqIEl3bf9CJ5eCLJZ260hnTADhfaVLYTzxJ88HaBd4aTd kPcOFJXa2uPnQxh/TlHwFjTPAM23Z3Zi00aoOfCg=
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1410767291; x=1410853691; i=@elandsys.com; bh=4peDDDizj7sboY/txwbVjk0p8GPzFRNSF3/7gQC4TEo=; h=Date:From:To:Subject:References:In-Reply-To; b=SMd7i7AJH8T8GXy5zEoNBxGwJ/gIk8nB7dYT4XtvtNisTZoKySb50jGPGr7fq5TQu seHzvBmb1EBGxKMHOmwYvvzEUZHf6Ipqpp/D2zJdrrJ5mOXcOBWVC+X+BJr0eNL8kJ CWZOtDrmewDA7BqU7ektd46/trSCUOYGK2dKKSLo=
X-Original-To: dhcp-bugs@bugs.isc.org
Date: Mon, 15 Sep 2014 00:48:10 -0700
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.pao1.isc.org
To: Shawn Routhier via RT <dhcp-bugs@isc.org>
From: Loganaden Velvindron <logan@elandsys.com>
RT-Message-ID: <rt-3.8.6-2430-1410767297-999.35184-0-0@isc.org>
Content-Length: 2350

On Tue, Aug 26, 2014 at 01:57:08AM +0000, Shawn Routhier via RT wrote:
> On Fri Aug 22 08:06:28 2014, logan@elandsys.com wrote:
> 
> > Hi Shawn, Can I upload the diff now ?
> >
> 
> Yes, we are working on the ticket list for 4.3.2 now
> uploading the proposed patch would be fine.
> 
> thanks,
> Shawn
> 

Hi Shawn, please find the first patch for the configure.ac script.

(I'll upload the rest soon -- I'm still debugging a few stuff).

diff --git a/configure.ac b/configure.ac
index d5bd6de..239fe03 100644
--- a/configure.ac
+++ b/configure.ac
@@ -145,6 +145,60 @@ if test "$enable_early_chroot" = "yes" ; then
 		  [Define to any value to chroot() prior to loading config.])
 fi
 
+# LIBSECCOMP is off by default -- needs testing with all the features
+AC_ARG_ENABLE(seccomp,
+	AS_HELP_STRING([--enable-seccomp],[enable support for seccomp sandboxing using libseccomp (default is no)]))
+if test "$enable_libseccomp" = "yes" ; then
+	AC_SEARCH_LIBS(seccomp_init, [seccomp])
+	if test "$ac_cv_search_seccomp_init" = "-lseccomp" ; then
+		AC_DEFINE([LIBSECCOMP], [1],
+			[Define to any value to include libseccomp sandboxing.])
+	fi
+	# Test for kernel seccomp v2 support
+	AC_TRY_RUN([
+	#include <stdio.h>
+	#include <stdlib.h>
+	#include <errno.h>
+	#include <sys/prctl.h>
+	#include <linux/seccomp.h>
+
+	int main(void)
+	{
+		int ret;
+		ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+		if (ret < 0) {
+			switch (errno) {
+			case ENOSYS:
+				return 1;
+			case EINVAL:
+				return 1;
+			default:
+				return 1;
+			}
+		}
+		ret = 
+		prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+		if (ret < 0) {
+			switch (errno) {
+			case EINVAL:
+				return 1;
+			case EFAULT:
+				return 0;
+			default:
+				return 1;
+			}
+		}
+		return 1;
+	}
+]
+, AC_DEFINE([KERN_SECCOMP], 1, 
+[Define to use libseccomp system call filtering.])   
+, []
+)
+
+fi
+
+
 AC_ARG_ENABLE(ipv4_pktinfo,
 	AS_HELP_STRING([--enable-ipv4-pktinfo],[enable use of pktinfo on IPv4 sockets (default is no)]))
 
@@ -655,9 +709,10 @@ Flags:
   CFLAGS:        $CFLAGS
 
 Features:
-  debug:         $enable_debug
-  failover:      $enable_failover
-  execute:       $enable_execute
+  debug:         	$enable_debug
+  failover:      	$enable_failover
+  execute:       	$enable_execute
+  seccomp sandbox:	$enable_seccomp
 
 Developer:
   ATF unittests : $atf_path