From: Todd C. Miller
Date: Sun, 9 Oct 2016 17:24:29 +0000 (-0600)
Subject: Fix configure check for seccomp filter on Linux
X-Git-Tag: SUDO_1_8_18p1^2~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8e49ce07f677b5dfd5308a70746e1b182fa4510e;p=sudo

Fix configure check for seccomp filter on Linux
---
diff --git a/config.h.in b/config.h.in
index 1e7858fa7..6586fb74e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -124,6 +124,10 @@ don't. */ #undef HAVE_DECL_QUAD_MIN +/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and + to 0 if you don't. */ +#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER + /* Define to 1 if you have the declaration of `setauthdb', and to 0 if you don't. */ #undef HAVE_DECL_SETAUTHDB
@@ -526,9 +530,6 @@ /* Define to 1 if you have the `posix_spawnp' function. */ #undef HAVE_POSIX_SPAWNP -/* Define to 1 if you have the `prctl' function. */ -#undef HAVE_PRCTL - /* Define to 1 if you have the `pread' function. */ #undef HAVE_PREAD
diff --git a/configure b/configure
index d54692966..27da39095 100755
--- a/configure
+++ b/configure
@@ -15223,22 +15223,24 @@ fi *-*-linux*|*-*-k*bsd*-gnu) shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" - # Check for linux/filter.h and prctl to use seccomp(2) - ac_fn_c_check_header_mongrel "$LINENO" "linux/filter.h" "ac_cv_header_linux_filter_h" "$ac_includes_default" -if test "x$ac_cv_header_linux_filter_h" = xyes; then : - for ac_func in prctl -do : - ac_fn_c_check_func "$LINENO" "prctl" "ac_cv_func_prctl" -if test "x$ac_cv_func_prctl" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_PRCTL 1 -_ACEOF - -fi -done + # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h + ac_fn_c_check_decl "$LINENO" "SECCOMP_SET_MODE_FILTER" "ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" " +#include +#include +#include +#include +#include +" +if test "x$ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 fi +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SECCOMP_SET_MODE_FILTER $ac_have_decl +_ACEOF ;; *-*-gnu*)
diff --git a/configure.ac b/configure.ac
index 64a3fc080..45c76cf90 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1962,8 +1962,14 @@ case "$host" in
 *-*-linux*|*-*-k*bsd*-gnu)
 shadow_funcs="getspnam"
 test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
- # Check for linux/filter.h and prctl to use seccomp(2)
- AC_CHECK_HEADER([linux/filter.h], [AC_CHECK_FUNCS([prctl])])
+ # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
+ AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [
+#include
+#include
+#include
+#include
+#include
+ ])
 ;;
 *-*-gnu*)
 # lockf() is broken on the Hurd
diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c
index b2c3c3829..c2ddfa9b1 100644
--- a/src/sudo_noexec.c
+++ b/src/sudo_noexec.c
@@ -18,10 +18,9 @@

 #include

-#if defined(__linux__) && defined(HAVE_PRCTL)
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
 # include
 # include
-# include
 # include
 # include
 #endif
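Review bot: The probe in configure.ac's AC_CHECK_DECLS call tests for `SECCOMP_SET_MODE_FILTER`, but the code it gates in src/sudo_noexec.c installs the filter with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog)` and never uses that name. `SECCOMP_SET_MODE_FILTER` is the operation constant for the later seccomp(2) syscall, so headers that declare only the prctl-era `SECCOMP_MODE_FILTER` would compile the exec filter out and noexec would silently lose that layer. Probing the macro that is actually used, `AC_CHECK_DECLS([SECCOMP_MODE_FILTER], [], [], [...])`, keeps the feature test and the code in step. The `#if` guards and the `#endif` comment in sudo_noexec.c would then need the matching `HAVE_DECL_SECCOMP_MODE_FILTER` name.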
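Review bot: The new guard `#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER` in src/sudo_noexec.c (here around the includes, and again before the filter definition further down) needs both halves, and nothing in the file says why. The configure hunk writes the macro as 0 or 1 on the Linux/kFreeBSD branch and apparently leaves it undefined on other hosts, so a later simplification to `#ifdef` would enable the seccomp code even where the declaration is missing. A one-line comment above the first guard would pin that down, e.g. `/* HAVE_DECL_* is 0, 1 or undefined (check only runs on Linux); test the value, not just definedness. */`.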
@@ -216,7 +215,7 @@ INTERPOSE(wordexp)
 /*
 * On Linux we can use a seccomp() filter to disable exec.
 */
-#if defined(__linux) && defined(HAVE_PRCTL)
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER

 /* Older systems may not support execveat(2). */
 #ifndef __NR_execveat
@@ -251,4 +250,4 @@ noexec_ctor(void)
 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
 (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
 }
-#endif /* __linux__ && HAVE_PRCTL */
+#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */
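Review bot: When the guard before the filter definition in src/sudo_noexec.c is false, the whole seccomp block, including `noexec_ctor`, disappears with no build-time trace, and the block comment above it still reads as if the filter is always present on Linux. The visible tail of `noexec_ctor` also discards the result of the `PR_SET_SECCOMP` call, so neither the build nor the runtime tells an administrator whether exec is blocked by the kernel filter or only by the interposed wrappers earlier in the file (presumably the fallback; they are outside this hunk). I would extend the comment to say so, for example `* Best effort: compiled in only when configure finds the seccomp declaration, and a failed prctl() is ignored.` The body of `noexec_ctor` starts outside the hunk.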