Check-in [9184a4f1b9]
Overview
Comment:Disable seccomp support by default and cleanup
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | seccomp
Files: files | file ages | folders
SHA1: 9184a4f1b9c6e71f3c5fc4ec8bb3b8eb11d58bd7
User & Date: rkeene on 2020-03-31 16:18:23
Other Links: branch diff | manifest | tags
Context
2020-03-31
16:25
Updated to not try to build seccomp dependencies unless seccomp is being used check-in: 0a04450d6f user: rkeene tags: seccomp
16:18
Disable seccomp support by default and cleanup check-in: 9184a4f1b9 user: rkeene tags: seccomp
15:44
Added seccomp support check-in: 854cb424a1 user: rkeene tags: seccomp
Changes

Modified Makefile from [c0971efb30] to [e9e57ad197].

20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
	'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
		'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
	mv filed-mime-types.h.new filed-mime-types.h

filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
	$(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
	mv filed.seccomp.h.new filed.seccomp.h

install: filed $(srcdir)/filed.1
	test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
	test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
	cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
	cp filed "$(DESTDIR)$(bindir)/"







|







20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
	'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
		'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
	mv filed-mime-types.h.new filed-mime-types.h

filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
	$(srcdir)/generate-seccomp-filter $(srcdir)/filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
	mv filed.seccomp.h.new filed.seccomp.h

install: filed $(srcdir)/filed.1
	test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
	test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
	cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
	cp filed "$(DESTDIR)$(bindir)/"

Modified README from [dc3dfdd9b3] to [a70a50af88].

75
76
77
78
79
80
81





82
83
84
85
86
87
88
        argument to the "-r" or "--root" option prepended to them.

   5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1)
        Normally "filed" redirects users who request a directory to the
        index.html file in that directory so that no memory allocations are
        required;  This option lets the server generate the new path.






   6. MIME Types (MIMETYPES)
	For single-file convenience "filed" compiles the mapping of file
	extensions (the string in the filename following its last dot ("."))
	into the executable.  This mapping comes from a file in the format of
		type1   type1_extension1 type1_extension2...
		type2   type2_extension1 type2_extension2...
		...







>
>
>
>
>







75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
        argument to the "-r" or "--root" option prepended to them.

   5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1)
        Normally "filed" redirects users who request a directory to the
        index.html file in that directory so that no memory allocations are
        required;  This option lets the server generate the new path.

   6. Enable seccomp (CFLAGS, -DFILED_DO_SECCOMP=1)
        Linux supports limiting the system calls that a process can make.
        This is called seccomp (SECure COMPuting).  Currently not all
        platforms have been tested with this so it is disabled by default.

   6. MIME Types (MIMETYPES)
	For single-file convenience "filed" compiles the mapping of file
	extensions (the string in the filename following its last dot ("."))
	into the executable.  This mapping comes from a file in the format of
		type1   type1_extension1 type1_extension2...
		type2   type2_extension1 type2_extension2...
		...

Modified build/build-precompiled from [46b4f35d88] to [bda883498c].

40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60




61
62
63
64
65

			case "${platform}" in
				*-musl-*|*-musl)
					make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static")
					;;
			esac

			make "${make_extra[@]}"
		) &
	done
done

# Wait for that to get done
wait

# Rename the files into place
mkdir -p compiled
for binary in workdir-buildPrecompiled-*/filed; do
	platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')"
	mv "${binary}" "compiled/filed-${version}-${platform}"
done





# Cleanup
rm -rf workdir-buildPrecompiled-*

exit 0







|













>
>
>
>





40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

			case "${platform}" in
				*-musl-*|*-musl)
					make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static")
					;;
			esac

			make "${make_extra[@]}" > filed.log 2>&1 </dev/null || mv filed.log filed-failed.log
		) &
	done
done

# Wait for that to get done
wait

# Rename the files into place
mkdir -p compiled
for binary in workdir-buildPrecompiled-*/filed; do
	platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')"
	mv "${binary}" "compiled/filed-${version}-${platform}"
done
for errorLog in workdir-buildPrecompiled-*/filed-failed.log; do
	platform="$(echo "${errorLog}" | sed 's@^.*-platform-@@;s@/.*$@@')"
	mv "${errorLog}" "compiled/filed-${version}-${platform}-error.log"
done

# Cleanup
rm -rf workdir-buildPrecompiled-*

exit 0

Modified filed.c from [61d8dcb4f5] to [94d290b0bc].

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 * POSSIBILITY OF SUCH DAMAGE.
 */
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <pthread.h>
#include <strings.h>
#include <signal.h>







<







21
22
23
24
25
26
27

28
29
30
31
32
33
34
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 * POSSIBILITY OF SUCH DAMAGE.
 */
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/types.h>

#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <pthread.h>
#include <strings.h>
#include <signal.h>
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617

	pthread_create(&thread_id, NULL, filed_logging_thread, args);

	filed_log_msg("START");

	return(0);
}
#endif

#ifdef FILED_DONT_TIMEOUT
#define filed_sockettimeout_thread_init() 0
#define filed_sockettimeout_init() 0
#define filed_sockettimeout_accept(x) /**/
#define filed_sockettimeout_processing_start(x) /**/
#define filed_sockettimeout_processing_end(x) /**/







|







602
603
604
605
606
607
608
609
610
611
612
613
614
615
616

	pthread_create(&thread_id, NULL, filed_logging_thread, args);

	filed_log_msg("START");

	return(0);
}
#endif /* FILED_DONT_LOG */

#ifdef FILED_DONT_TIMEOUT
#define filed_sockettimeout_thread_init() 0
#define filed_sockettimeout_init() 0
#define filed_sockettimeout_accept(x) /**/
#define filed_sockettimeout_processing_start(x) /**/
#define filed_sockettimeout_processing_end(x) /**/
724
725
726
727
728
729
730


731
732
733
734
735
736
737
	pthread_t thread_id;
	long idx;
	int count;
	int valid;
	int time_interval = 30;
	int check_period = 90;



	while (1) {
		for (count = 0; count < (check_period / time_interval); count++) {
			sleep_time.tv_sec = time_interval;
			sleep_time.tv_nsec = 0;
			nanosleep(&sleep_time, NULL);

			pthread_mutex_lock(&filed_sockettimeout_mutex);







>
>







723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
	pthread_t thread_id;
	long idx;
	int count;
	int valid;
	int time_interval = 30;
	int check_period = 90;

	filed_sockettimeout_time = time(NULL);

	while (1) {
		for (count = 0; count < (check_period / time_interval); count++) {
			sleep_time.tv_sec = time_interval;
			sleep_time.tv_nsec = 0;
			nanosleep(&sleep_time, NULL);

			pthread_mutex_lock(&filed_sockettimeout_mutex);
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
				continue;
			}

			expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time;

			thread_id = filed_sockettimeout_sockstatus[idx].thread_id;

			if (expiration_time > now) {
				continue;
			}

			filed_sockettimeout_close(idx, 1);

			dup2(filed_sockettimeout_devnull_fd, idx);








|







753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
				continue;
			}

			expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time;

			thread_id = filed_sockettimeout_sockstatus[idx].thread_id;

			if (expiration_time > filed_sockettimeout_time) {
				continue;
			}

			filed_sockettimeout_close(idx, 1);

			dup2(filed_sockettimeout_devnull_fd, idx);

805
806
807
808
809
810
811
812
813



814
815
816
817

818
819
820
821
822
823
824
	filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR);
	if (filed_sockettimeout_devnull_fd < 0) {
		return(-1);
	}

	return(0);
}
#endif




#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <sys/ptrace.h>

#include <stddef.h>

static int filed_init_seccomp(void) {
	struct sock_fprog filter;
	struct sock_filter rules[] = {
#include "filed.seccomp.h"
	};







|

>
>
>




>







806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
	filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR);
	if (filed_sockettimeout_devnull_fd < 0) {
		return(-1);
	}

	return(0);
}
#endif /* FILED_DONT_TIMEOUT */

#ifndef FILED_DO_SECCOMP
#define filed_init_seccomp() 0
#else
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <sys/ptrace.h>
#include <sys/prctl.h>
#include <stddef.h>

static int filed_init_seccomp(void) {
	struct sock_fprog filter;
	struct sock_filter rules[] = {
#include "filed.seccomp.h"
	};
836
837
838
839
840
841
842

843
844
845
846
847
848
849
	prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter);
	if (prctl_ret != 0) {
		return(-1);
	}

	return(0);
}


/* Format time per RFC2616 */
static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) {
	struct tm timeinfo_tm, *timeinfo_tm_p;

	timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm);
	if (timeinfo_tm_p == NULL) {







>







841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
	prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter);
	if (prctl_ret != 0) {
		return(-1);
	}

	return(0);
}
#endif /* FILED_DO_SECCOMP */

/* Format time per RFC2616 */
static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) {
	struct tm timeinfo_tm, *timeinfo_tm_p;

	timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm);
	if (timeinfo_tm_p == NULL) {
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
	}

	return;
}

/* Add a getopt option */
static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) {
	opt->name     = name;
	opt->has_arg  = has_arg;
	opt->flag     = NULL;
	opt->val      = val;

	return;
}








|







1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
	}

	return;
}

/* Add a getopt option */
static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) {
	opt->name     = (const char *) name;
	opt->has_arg  = has_arg;
	opt->flag     = NULL;
	opt->val      = val;

	return;
}

1815
1816
1817
1818
1819
1820
1821



1822
1823
1824
1825
1826
1827
1828
	int port = PORT, thread_count = THREAD_COUNT;
	int cache_size = CACHE_SIZE;
	int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret;
	int setuid_enabled = 0, daemon_enabled = 0;
	int ch;
	int fd;




	/* Process arguments */
	filed_getopt_long_setopt(&options[0], "port", required_argument, 'p');
	filed_getopt_long_setopt(&options[1], "threads", required_argument, 't');
	filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c');
	filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b');
	filed_getopt_long_setopt(&options[4], "user", required_argument, 'u');
	filed_getopt_long_setopt(&options[5], "root", required_argument, 'r');







>
>
>







1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
	int port = PORT, thread_count = THREAD_COUNT;
	int cache_size = CACHE_SIZE;
	int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret;
	int setuid_enabled = 0, daemon_enabled = 0;
	int ch;
	int fd;

	/* Set default value */
	thread_options.fake_newroot = NULL;

	/* Process arguments */
	filed_getopt_long_setopt(&options[0], "port", required_argument, 'p');
	filed_getopt_long_setopt(&options[1], "threads", required_argument, 't');
	filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c');
	filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b');
	filed_getopt_long_setopt(&options[4], "user", required_argument, 'u');
	filed_getopt_long_setopt(&options[5], "root", required_argument, 'r');