diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2012-07-03 14:48:31 +0200 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2012-07-03 14:48:31 +0200 |
| commit | d545a4b9749fef6613b556b2191f6cb898fcb60f (patch) | |
| tree | 1e8e8f1291dce0bbf7a7fbb53fd6cabed069fe1b | |
| parent | - (dtucker) [configure.ac] Detect platforms that can't use select(2) with (diff) | |
| download | openssh-d545a4b9749fef6613b556b2191f6cb898fcb60f.tar.xz openssh-d545a4b9749fef6613b556b2191f6cb898fcb60f.zip | |
- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its
benefit is minor, so it's not worth disabling the sandbox if it doesn't
work.
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | configure.ac | 23 | ||||
| -rw-r--r-- | sandbox-rlimit.c | 2 |
3 files changed, 27 insertions, 2 deletions
@@ -1,6 +1,10 @@ 20120703 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those. + - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not + setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its + benefit is minor, so it's not worth disabling the sandbox if it doesn't + work. 20120702 - (dtucker) OpenBSD CVS Sync diff --git a/configure.ac b/configure.ac index 97cf7b17c..f7033bc0b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $ +# $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org]) -AC_REVISION($Revision: 1.493 $) +AC_REVISION($Revision: 1.494 $) AC_CONFIG_SRCDIR([ssh.c]) AC_LANG([C]) @@ -2615,6 +2615,25 @@ AC_RUN_IFELSE( [AC_MSG_WARN([cross compiling: assuming yes])] ) +AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include <sys/types.h> +#include <sys/resource.h> +#include <stdlib.h> + ]],[[ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0); + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1, + [setrlimit RLIMIT_FSIZE works])], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + if test "x$sandbox_arg" = "xsystrace" || \ ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then test "x$have_systr_policy_kill" != "x1" && \ diff --git a/sandbox-rlimit.c b/sandbox-rlimit.c index 761e9284f..a00386337 100644 --- a/sandbox-rlimit.c +++ b/sandbox-rlimit.c @@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *box) rl_zero.rlim_cur = rl_zero.rlim_max = 0; +#ifndef SANDBOX_SKIP_RLIMIT_FSIZE if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); +#endif if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); |