On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
>
> * Cache timezone data via caph_cache_tzdata() as we cannot access the
> timezone file.
>
> caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> 11.2 and later), although I suspect there is a desire to build OpenSSH
> on older versions as well. This could be addressed with an autoconf
> check for the existence of capsicum_helpers.h -- I'll create a patch
> for that, if desired.

Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
function so AC_CHECK_FUNCS doesn't work:

static __inline void
caph_cache_tzdata(void)
{
    tzset();
}

Is an inline in the other versions and is it likely to remain so in
future?

diff --git a/configure.ac b/configure.ac index c285ea32..f25a638e 100644 --- a/configure.ac +++ b/configure.ac @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [ ]) # sys/capsicum.h requires sys/types.h -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [ +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [ #ifdef HAVE_SYS_TYPES_H # include <sys/types.h> #endif ]) +AC_MSG_CHECKING([for caph_cache_tzdata]) +AC_LINK_IFELSE( + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]], + [[caph_cache_tzdata();]])], + [ AC_MSG_RESULT([yes]) ], + [ AC_MSG_RESULT([no]) ] +) + # net/route.h requires sys/socket.h and sys/types.h. # sys/sysctl.h also requires sys/param.h AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [ diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c index 883be185..11045251 100644 --- a/sandbox-capsicum.c +++ b/sandbox-capsicum.c @@ -29,6 +29,9 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#ifdef HAVE_CAPSICUM_HELPERS_H +#include <capsicum_helpers.h> +#endif #include "log.h" #include "monitor.h" 
@@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box) struct rlimit rl_zero; cap_rights_t rights; +#ifdef HAVE_CAPH_CACHE_TZDATA + caph_cache_tzdata(); +#endif + rl_zero.rlim_cur = rl_zero.rlim_max = 0; if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
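
Review bot: in the configure.ac hunk, the success branch of the new AC_LINK_IFELSE only calls AC_MSG_RESULT([yes]) and never defines HAVE_CAPH_CACHE_TZDATA, so the #ifdef HAVE_CAPH_CACHE_TZDATA guard added in ssh_sandbox_child() is never true and caph_cache_tzdata() is compiled out even when configure reports yes. Add an AC_DEFINE with a description to the yes branch, for example AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1], [Define if you have caph_cache_tzdata]), so that autoheader also emits the template in config.h.in.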
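
Review bot: the caph_cache_tzdata() call added at the top of ssh_sandbox_child() in sandbox-capsicum.c has no comment saying why it sits there. A one-line comment stating that timezone data is cached at this point because the timezone file cannot be accessed afterwards (the reason given in the commit message) would keep the call from being moved or dropped in a later cleanup.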
On Mon, 18 Apr 2022 at 03:03, Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> > Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
> >
> > * Cache timezone data via caph_cache_tzdata() as we cannot access the
> > timezone file.
> >
> > caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> > 11.2 and later), although I suspect there is a desire to build OpenSSH
> > on older versions as well. This could be addressed with an autoconf
> > check for the existence of capsicum_helpers.h -- I'll create a patch
> > for that, if desired.
>
> Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
> function so AC_CHECK_FUNCS doesn't work:

Ah, indeed. I expect it will remain as an inline.

> diff --git a/configure.ac b/configure.ac > index c285ea32..f25a638e 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [ > ]) > > # sys/capsicum.h requires sys/types.h > -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [ > +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [ > #ifdef HAVE_SYS_TYPES_H > # include <sys/types.h> > #endif > ]) > > +AC_MSG_CHECKING([for caph_cache_tzdata]) > +AC_LINK_IFELSE( > + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]], > + [[caph_cache_tzdata();]])], > + [ AC_MSG_RESULT([yes]) ], > + [ AC_MSG_RESULT([no]) ] > +) > + > # net/route.h requires sys/socket.h and sys/types.h. > # sys/sysctl.h also requires sys/param.h > AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [ > diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c > index 883be185..11045251 100644 > --- a/sandbox-capsicum.c > +++ b/sandbox-capsicum.c > @@ -29,6 +29,9 @@ > #include <stdlib.h> > #include <string.h> > #include <unistd.h> > +#ifdef HAVE_CAPSICUM_HELPERS_H > +#include <capsicum_helpers.h> > +#endif > > #include "log.h" > #include "monitor.h" 
> @@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box) > struct rlimit rl_zero; > cap_rights_t rights; > > +#ifdef HAVE_CAPH_CACHE_TZDATA > + caph_cache_tzdata(); > +#endif > + > rl_zero.rlim_cur = rl_zero.rlim_max = 0; > > if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

This patch LGTM thanks.
On 4/18/2022 12:02 AM, Darren Tucker wrote:
> On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
>> Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
>>
>> * Cache timezone data via caph_cache_tzdata() as we cannot access the
>> timezone file.
>>
>> caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
>> 11.2 and later), although I suspect there is a desire to build OpenSSH
>> on older versions as well. This could be addressed with an autoconf
>> check for the existence of capsicum_helpers.h -- I'll create a patch
>> for that, if desired.
> Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
> function so AC_CHECK_FUNCS doesn't work:
>
> static __inline void
> caph_cache_tzdata(void)
> {
>     tzset();
> }
>
> Is an inline in the other versions and is it likely to remain so in
> future?
>
> diff --git a/configure.ac b/configure.ac > index c285ea32..f25a638e 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [ > ]) > > # sys/capsicum.h requires sys/types.h > -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [ > +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [ > #ifdef HAVE_SYS_TYPES_H > # include <sys/types.h> > #endif > ]) > > +AC_MSG_CHECKING([for caph_cache_tzdata]) > +AC_LINK_IFELSE( > + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]], > + [[caph_cache_tzdata();]])], > + [ AC_MSG_RESULT([yes]) ], > + [ AC_MSG_RESULT([no]) ] > +) > +

I think something is missing here. There is no HAVE_CAPH_CACHE_TZDATA in config.h.in.

checking for caph_cache_tzdata... yes
# grep CAPH *
sandbox-capsicum.c:#ifdef HAVE_CAPH_CACHE_TZDATA

-- 
Bryan Drewery