author | Todd C. Miller <Todd.Miller@sudo.ws> | 2022-06-07 10:50:59 -0600 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2022-06-07 10:50:59 -0600 |
commit | 1e31f3a22a9535ba61dfd5f0aa33789b2f09aed9 (patch) | |
tree | e50116006be64b3330fe917a1c05c2fb266b4af5 | |
parent | 6d381f27a535618b7baec7da4912a7cc8cb2b524 (diff) | |
Check for SECCOMP_MODE_FILTER not SECCOMP_SET_MODE_FILTER.
This matches the actual prctl() call we use.
-rw-r--r-- | config.h.in | 6 | ||||
-rwxr-xr-x | configure | 8 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | src/sudo_exec.h | 4 | ||||
-rw-r--r-- | src/sudo_noexec.c | 6 |
5 files changed, 14 insertions, 14 deletions
diff --git a/config.h.in b/config.h.in index d0be95822..c9c024a15 100644 --- a/config.h.in +++ b/config.h.in @@ -175,9 +175,9 @@ don't. */ #undef HAVE_DECL_QUAD_MIN -/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and - to 0 if you don't. */ -#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER +/* Define to 1 if you have the declaration of `SECCOMP_MODE_FILTER', and to 0 + if you don't. */ +#undef HAVE_DECL_SECCOMP_MODE_FILTER /* Define to 1 if you have the declaration of `setauthdb', and to 0 if you don't. */ @@ -17821,8 +17821,8 @@ fi *-*-linux*|*-*-k*bsd*-gnu) shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" - # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h - ac_fn_check_decl "$LINENO" "SECCOMP_SET_MODE_FILTER" "ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" " + # Check for SECCOMP_MODE_FILTER in linux/seccomp.h + ac_fn_check_decl "$LINENO" "SECCOMP_MODE_FILTER" "ac_cv_have_decl_SECCOMP_MODE_FILTER" " #include <sys/types.h> #include <sys/prctl.h> #include <asm/unistd.h> @@ -17830,13 +17830,13 @@ fi #include <linux/filter.h> " "$ac_c_undeclared_builtin_options" "CFLAGS" -if test "x$ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" = xyes +if test "x$ac_cv_have_decl_SECCOMP_MODE_FILTER" = xyes then : ac_have_decl=1 else $as_nop ac_have_decl=0 fi -printf "%s\n" "#define HAVE_DECL_SECCOMP_SET_MODE_FILTER $ac_have_decl" >>confdefs.h +printf "%s\n" "#define HAVE_DECL_SECCOMP_MODE_FILTER $ac_have_decl" >>confdefs.h # We call getrandom via syscall(3) in case it is not in libc ac_fn_c_check_header_compile "$LINENO" "linux/random.h" "ac_cv_header_linux_random_h" "$ac_includes_default" diff --git a/configure.ac b/configure.ac index 4d4278f81..d4d5647a4 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2065,8 +2065,8 @@ case "$host" in *-*-linux*|*-*-k*bsd*-gnu) shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" - # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h - AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [ + # Check for SECCOMP_MODE_FILTER in linux/seccomp.h + AC_CHECK_DECLS([SECCOMP_MODE_FILTER], [], [], [ #include <sys/types.h> #include <sys/prctl.h> #include <asm/unistd.h> diff --git a/src/sudo_exec.h b/src/sudo_exec.h index d225524d5..2f099a332 100644 --- a/src/sudo_exec.h +++ b/src/sudo_exec.h @@ -95,13 +95,13 @@ union sudo_token_un { * On MIPS we can't change the syscall return and only support log_subcmds. */ #if defined(_PATH_SUDO_INTERCEPT) && defined(__linux__) -# if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER +# if defined(HAVE_DECL_SECCOMP_MODE_FILTER) && HAVE_DECL_SECCOMP_MODE_FILTER # if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || defined(__arm__) || defined(__mips__) || defined(__powerpc__) || (defined(__riscv) && __riscv_xlen == 64) || defined(__s390__) # ifndef HAVE_PTRACE_INTERCEPT # define HAVE_PTRACE_INTERCEPT 1 # endif /* HAVE_PTRACE_INTERCEPT */ # endif /* __amd64__ || __i386__ || __aarch64__ || __riscv || __s390__ */ -# endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */ +# endif /* HAVE_DECL_SECCOMP_MODE_FILTER */ #endif /* _PATH_SUDO_INTERCEPT && __linux__ */ /* diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c index 3a2abdfdd..fd8117226 100644 --- a/src/sudo_noexec.c +++ b/src/sudo_noexec.c @@ -25,7 +25,7 @@ #include <sys/types.h> -#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER +#if defined(HAVE_DECL_SECCOMP_MODE_FILTER) && HAVE_DECL_SECCOMP_MODE_FILTER # include <sys/prctl.h> # include <asm/unistd.h> # include <linux/filter.h> 
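Review bot: In the src/sudo_exec.h hunk, the trailing comment on the architecture `# endif` still reads `/* __amd64__ || __i386__ || __aarch64__ || __riscv || __s390__ */`, while the `# if` it closes also tests `__arm__`, `__mips__` and `__powerpc__`. Since the commit already updates the neighbouring `#endif` comment, this one could be brought in line, e.g. `# endif /* architectures with ptrace intercept support */`. It would also help to note in the block comment above that `HAVE_PTRACE_INTERCEPT` stays undefined when configure does not find `SECCOMP_MODE_FILTER`, so a build against headers that lack it presumably drops ptrace-based intercept without any diagnostic. That block comment starts outside the hunk.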
@@ -213,7 +213,7 @@ INTERPOSE(wordexp) /* * On Linux we can use a seccomp() filter to disable exec. */ -#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER +#if defined(HAVE_DECL_SECCOMP_MODE_FILTER) && HAVE_DECL_SECCOMP_MODE_FILTER /* Older systems may not support execveat(2). */ #ifndef __NR_execveat @@ -248,4 +248,4 @@ noexec_ctor(void) if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog); } -#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */ +#endif /* HAVE_DECL_SECCOMP_MODE_FILTER */ |
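Review bot: In `noexec_ctor()` (last hunk of src/sudo_noexec.c) the result of `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog)` is cast to void, and a failing `PR_SET_NO_NEW_PRIVS` skips the filter entirely. When either call fails, the command therefore runs without the seccomp exec filter and nothing records it; presumably only the `INTERPOSE()` wrappers earlier in the file still apply. If this best-effort behaviour is intended, a comment would make it explicit, e.g. `/* Best effort: if the filter cannot be installed, only the interposed exec wrappers enforce noexec. */`. The function begins outside the hunk, so any handling earlier in it is not visible here.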