Overview
Comment: | Disable seccomp support by default and cleanup |
---|---|
SHA1: | 9184a4f1b9c6e71f3c5fc4ec8bb3b8eb11d58bd7 |
User & Date: | rkeene on 2020-03-31 16:18:23 |
Context
2020-03-31
| ||
16:25 | Updated to not try to build seccomp dependencies unless seccomp is being used check-in: 0a04450d6f user: rkeene tags: seccomp | |
16:18 | Disable seccomp support by default and cleanup check-in: 9184a4f1b9 user: rkeene tags: seccomp | |
15:44 | Added seccomp support check-in: 854cb424a1 user: rkeene tags: seccomp | |
Changes
Modified Makefile from [c0971efb30] to [e9e57ad197].
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types '$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \ '$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new mv filed-mime-types.h.new filed-mime-types.h filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter $(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new mv filed.seccomp.h.new filed.seccomp.h install: filed $(srcdir)/filed.1 test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1" test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)" cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/" cp filed "$(DESTDIR)$(bindir)/" |
| |
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
mv filed-mime-types.h.new filed-mime-types.h
filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
$(srcdir)/generate-seccomp-filter $(srcdir)/filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
mv filed.seccomp.h.new filed.seccomp.h
install: filed $(srcdir)/filed.1
test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
cp filed "$(DESTDIR)$(bindir)/"
|
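Review bot: The new filed.seccomp.h recipe passes `$(srcdir)/generate-seccomp-filter` and `$(srcdir)/filed.seccomp` unquoted, while the filed-mime-types.h rule just above single-quotes every `$(srcdir)` path, so a source directory containing spaces breaks only this rule. I would write the command as `'$(srcdir)/generate-seccomp-filter' '$(srcdir)/filed.seccomp' x86_64 "" i386 "" > filed.seccomp.h.new`. The architecture list is fixed to x86_64 and i386 here; what the generated filter does on any other target depends on generate-seccomp-filter, which is not shown, so a comment above the rule such as `# seccomp filter is generated for x86_64 and i386 only` would help anyone enabling FILED_DO_SECCOMP elsewhere.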
Modified README from [dc3dfdd9b3] to [a70a50af88].
75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
argument to the "-r" or "--root" option prepended to them. 5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1) Normally "filed" redirects users who request a directory to the index.html file in that directory so that no memory allocations are required; This option lets the server generate the new path. 6. MIME Types (MIMETYPES) For single-file convenience "filed" compiles the mapping of file extensions (the string in the filename following its last dot (".")) into the executable. This mapping comes from a file in the format of type1 type1_extension1 type1_extension2... type2 type2_extension1 type2_extension2... ... |
> > > > > |
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
argument to the "-r" or "--root" option prepended to them. 5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1) Normally "filed" redirects users who request a directory to the index.html file in that directory so that no memory allocations are required; This option lets the server generate the new path. 6. Enable seccomp (CFLAGS, -DFILED_DO_SECCOMP=1) Linux supports limiting the system calls that a process can make. This is called seccomp (SECure COMPuting). Currently not all platforms have been tested with this so it is disabled by default. 6. MIME Types (MIMETYPES) For single-file convenience "filed" compiles the mapping of file extensions (the string in the filename following its last dot (".")) into the executable. This mapping comes from a file in the format of type1 type1_extension1 type1_extension2... type2 type2_extension1 type2_extension2... ... |
Modified build/build-precompiled from [46b4f35d88] to [bda883498c].
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
case "${platform}" in *-musl-*|*-musl) make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static") ;; esac make "${make_extra[@]}" ) & done done # Wait for that to get done wait # Rename the files into place mkdir -p compiled for binary in workdir-buildPrecompiled-*/filed; do platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')" mv "${binary}" "compiled/filed-${version}-${platform}" done # Cleanup rm -rf workdir-buildPrecompiled-* exit 0 |
| > > > > |
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
case "${platform}" in *-musl-*|*-musl) make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static") ;; esac make "${make_extra[@]}" > filed.log 2>&1 </dev/null || mv filed.log filed-failed.log ) & done done # Wait for that to get done wait # Rename the files into place mkdir -p compiled for binary in workdir-buildPrecompiled-*/filed; do platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')" mv "${binary}" "compiled/filed-${version}-${platform}" done for errorLog in workdir-buildPrecompiled-*/filed-failed.log; do platform="$(echo "${errorLog}" | sed 's@^.*-platform-@@;s@/.*$@@')" mv "${errorLog}" "compiled/filed-${version}-${platform}-error.log" done # Cleanup rm -rf workdir-buildPrecompiled-* exit 0 |
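Review bot: The added `for errorLog in workdir-buildPrecompiled-*/filed-failed.log` loop runs once with the literal pattern when every build succeeds, unless nullglob is set earlier in the script (not visible in this hunk), so `mv` is called on a file that does not exist; the existing binary loop has the same shape when every build fails. A guard as the first line of each loop body avoids that: `[ -e "${errorLog}" ] || continue`. The script still ends with `exit 0` even when a platform failed, so a release job that checks only the exit status would accept an incomplete set of binaries. Counting the `-error.log` files and exiting non-zero when any exist would make a failed platform visible.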
Modified filed.c from [61d8dcb4f5] to [94d290b0bc].
21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 ... 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 ... 724 725 726 727 728 729 730 731 732 733 734 735 736 737 ... 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 ... 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 ... 836 837 838 839 840 841 842 843 844 845 846 847 848 849 .... 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 .... 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 |
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include <sys/sendfile.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/prctl.h> #include <arpa/inet.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/wait.h> #include <pthread.h> #include <strings.h> #include <signal.h> ................................................................................ pthread_create(&thread_id, NULL, filed_logging_thread, args); filed_log_msg("START"); return(0); } #endif #ifdef FILED_DONT_TIMEOUT #define filed_sockettimeout_thread_init() 0 #define filed_sockettimeout_init() 0 #define filed_sockettimeout_accept(x) /**/ #define filed_sockettimeout_processing_start(x) /**/ #define filed_sockettimeout_processing_end(x) /**/ ................................................................................ pthread_t thread_id; long idx; int count; int valid; int time_interval = 30; int check_period = 90; while (1) { for (count = 0; count < (check_period / time_interval); count++) { sleep_time.tv_sec = time_interval; sleep_time.tv_nsec = 0; nanosleep(&sleep_time, NULL); pthread_mutex_lock(&filed_sockettimeout_mutex); ................................................................................ continue; } expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time; thread_id = filed_sockettimeout_sockstatus[idx].thread_id; if (expiration_time > now) { continue; } filed_sockettimeout_close(idx, 1); dup2(filed_sockettimeout_devnull_fd, idx); ................................................................................ 
filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR); if (filed_sockettimeout_devnull_fd < 0) { return(-1); } return(0); } #endif #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <sys/ptrace.h> #include <stddef.h> static int filed_init_seccomp(void) { struct sock_fprog filter; struct sock_filter rules[] = { #include "filed.seccomp.h" }; ................................................................................ prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter); if (prctl_ret != 0) { return(-1); } return(0); } /* Format time per RFC2616 */ static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) { struct tm timeinfo_tm, *timeinfo_tm_p; timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm); if (timeinfo_tm_p == NULL) { ................................................................................ } return; } /* Add a getopt option */ static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) { opt->name = name; opt->has_arg = has_arg; opt->flag = NULL; opt->val = val; return; } ................................................................................ int port = PORT, thread_count = THREAD_COUNT; int cache_size = CACHE_SIZE; int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret; int setuid_enabled = 0, daemon_enabled = 0; int ch; int fd; /* Process arguments */ filed_getopt_long_setopt(&options[0], "port", required_argument, 'p'); filed_getopt_long_setopt(&options[1], "threads", required_argument, 't'); filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c'); filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b'); filed_getopt_long_setopt(&options[4], "user", required_argument, 'u'); filed_getopt_long_setopt(&options[5], "root", required_argument, 'r'); |
< | > > | | > > > > > | > > > |
21 22 23 24 25 26 27 28 29 30 31 32 33 34 ... 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 ... 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 ... 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 ... 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 ... 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 .... 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 .... 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 |
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include <sys/sendfile.h> #include <sys/socket.h> #include <sys/types.h> #include <arpa/inet.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/wait.h> #include <pthread.h> #include <strings.h> #include <signal.h> ................................................................................ pthread_create(&thread_id, NULL, filed_logging_thread, args); filed_log_msg("START"); return(0); } #endif /* FILED_DONT_LOG */ #ifdef FILED_DONT_TIMEOUT #define filed_sockettimeout_thread_init() 0 #define filed_sockettimeout_init() 0 #define filed_sockettimeout_accept(x) /**/ #define filed_sockettimeout_processing_start(x) /**/ #define filed_sockettimeout_processing_end(x) /**/ ................................................................................ pthread_t thread_id; long idx; int count; int valid; int time_interval = 30; int check_period = 90; filed_sockettimeout_time = time(NULL); while (1) { for (count = 0; count < (check_period / time_interval); count++) { sleep_time.tv_sec = time_interval; sleep_time.tv_nsec = 0; nanosleep(&sleep_time, NULL); pthread_mutex_lock(&filed_sockettimeout_mutex); ................................................................................ continue; } expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time; thread_id = filed_sockettimeout_sockstatus[idx].thread_id; if (expiration_time > filed_sockettimeout_time) { continue; } filed_sockettimeout_close(idx, 1); dup2(filed_sockettimeout_devnull_fd, idx); ................................................................................ 
filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR); if (filed_sockettimeout_devnull_fd < 0) { return(-1); } return(0); } #endif /* FILED_DONT_TIMEOUT */ #ifndef FILED_DO_SECCOMP #define filed_init_seccomp() 0 #else #include <linux/seccomp.h> #include <linux/filter.h> #include <linux/audit.h> #include <sys/ptrace.h> #include <sys/prctl.h> #include <stddef.h> static int filed_init_seccomp(void) { struct sock_fprog filter; struct sock_filter rules[] = { #include "filed.seccomp.h" }; ................................................................................ prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter); if (prctl_ret != 0) { return(-1); } return(0); } #endif /* FILED_DO_SECCOMP */ /* Format time per RFC2616 */ static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) { struct tm timeinfo_tm, *timeinfo_tm_p; timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm); if (timeinfo_tm_p == NULL) { ................................................................................ } return; } /* Add a getopt option */ static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) { opt->name = (const char *) name; opt->has_arg = has_arg; opt->flag = NULL; opt->val = val; return; } ................................................................................ 
int port = PORT, thread_count = THREAD_COUNT; int cache_size = CACHE_SIZE; int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret; int setuid_enabled = 0, daemon_enabled = 0; int ch; int fd; /* Set default value */ thread_options.fake_newroot = NULL; /* Process arguments */ filed_getopt_long_setopt(&options[0], "port", required_argument, 'p'); filed_getopt_long_setopt(&options[1], "threads", required_argument, 't'); filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c'); filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b'); filed_getopt_long_setopt(&options[4], "user", required_argument, 'u'); filed_getopt_long_setopt(&options[5], "root", required_argument, 'r'); |
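Review bot: With FILED_DO_SECCOMP undefined, `#define filed_init_seccomp() 0` returns the same value as a successfully installed filter, so the caller (outside this hunk) cannot tell a sandboxed process from one where the filter was compiled out. I would put a comment on the stub, `/* seccomp compiled out: no syscall filter is installed; 0 only lets startup continue */`, and have startup report which case applies so an operator does not assume filtering that is absent. The body of filed_init_seccomp between the rules array and the `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter)` call is elided on this page, so whether no_new_privs is set before that call cannot be checked here.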