- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not

setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported.  Its
   benefit is minor, so it's not worth disabling the sandbox if it doesn't
   work.
This commit is contained in:
Darren Tucker 2012-07-03 22:48:31 +10:00
parent 60395f91c6
commit d545a4b974
3 changed files with 27 additions and 2 deletions

View File

@ -1,6 +1,10 @@
20120703 20120703
- (dtucker) [configure.ac] Detect platforms that can't use select(2) with - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
20120702 20120702
- (dtucker) OpenBSD CVS Sync - (dtucker) OpenBSD CVS Sync

View File

@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $ # $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $
# #
# Copyright (c) 1999-2004 Damien Miller # Copyright (c) 1999-2004 Damien Miller
# #
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
AC_REVISION($Revision: 1.493 $) AC_REVISION($Revision: 1.494 $)
AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C]) AC_LANG([C])
@ -2615,6 +2615,25 @@ AC_RUN_IFELSE(
[AC_MSG_WARN([cross compiling: assuming yes])] [AC_MSG_WARN([cross compiling: assuming yes])]
) )
AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/resource.h>
#include <stdlib.h>
]],[[
struct rlimit rl_zero;
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])
AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
[setrlimit RLIMIT_FSIZE works])],
[AC_MSG_WARN([cross compiling: assuming yes])]
)
if test "x$sandbox_arg" = "xsystrace" || \ if test "x$sandbox_arg" = "xsystrace" || \
( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
test "x$have_systr_policy_kill" != "x1" && \ test "x$have_systr_policy_kill" != "x1" && \

View File

@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
rl_zero.rlim_cur = rl_zero.rlim_max = 0; rl_zero.rlim_cur = rl_zero.rlim_max = 0;
#ifndef SANDBOX_SKIP_RLIMIT_FSIZE
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
__func__, strerror(errno)); __func__, strerror(errno));
#endif
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
__func__, strerror(errno)); __func__, strerror(errno));