Check-in [9184a4f1b9]
Overview
Comment:Disable seccomp support by default and cleanup
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | seccomp
Files: files | file ages | folders
SHA1: 9184a4f1b9c6e71f3c5fc4ec8bb3b8eb11d58bd7
User & Date: rkeene on 2020-03-31 16:18:23
Other Links: branch diff | manifest | tags
Context
2020-03-31
16:25
Updated to not try to build seccomp dependencies unless seccomp is being used check-in: 0a04450d6f user: rkeene tags: seccomp
16:18
Disable seccomp support by default and cleanup check-in: 9184a4f1b9 user: rkeene tags: seccomp
15:44
Added seccomp support check-in: 854cb424a1 user: rkeene tags: seccomp
Changes

Modified Makefile from [c0971efb30] to [e9e57ad197].

20
21
22
23
24
25
26
27

28
29
30
31
32
33
34
20
21
22
23
24
25
26

27
28
29
30
31
32
33
34







-
+








filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
	'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
		'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
	mv filed-mime-types.h.new filed-mime-types.h

filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
	$(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
	$(srcdir)/generate-seccomp-filter $(srcdir)/filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
	mv filed.seccomp.h.new filed.seccomp.h

install: filed $(srcdir)/filed.1
	test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
	test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
	cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
	cp filed "$(DESTDIR)$(bindir)/"

Modified README from [dc3dfdd9b3] to [a70a50af88].

75
76
77
78
79
80
81





82
83
84
85
86
87
88
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93







+
+
+
+
+







        argument to the "-r" or "--root" option prepended to them.

   5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1)
        Normally "filed" redirects users who request a directory to the
        index.html file in that directory so that no memory allocations are
        required;  This option lets the server generate the new path.

   6. Enable seccomp (CFLAGS, -DFILED_DO_SECCOMP=1)
        Linux supports limiting the system calls that a process can make.
        This is called seccomp (SECure COMPuting).  Currently not all
        platforms have been tested with this so it is disabled by default.

   6. MIME Types (MIMETYPES)
	For single-file convenience "filed" compiles the mapping of file
	extensions (the string in the filename following its last dot ("."))
	into the executable.  This mapping comes from a file in the format of
		type1   type1_extension1 type1_extension2...
		type2   type2_extension1 type2_extension2...
		...

Modified build/build-precompiled from [46b4f35d88] to [bda883498c].

40
41
42
43
44
45
46
47

48
49
50
51
52
53
54
55
56
57
58
59
60




61
62
63
64
65
40
41
42
43
44
45
46

47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69







-
+













+
+
+
+






			case "${platform}" in
				*-musl-*|*-musl)
					make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static")
					;;
			esac

			make "${make_extra[@]}"
			make "${make_extra[@]}" > filed.log 2>&1 </dev/null || mv filed.log filed-failed.log
		) &
	done
done

# Wait for that to get done
wait

# Rename the files into place
mkdir -p compiled
for binary in workdir-buildPrecompiled-*/filed; do
	platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')"
	mv "${binary}" "compiled/filed-${version}-${platform}"
done
for errorLog in workdir-buildPrecompiled-*/filed-failed.log; do
	platform="$(echo "${errorLog}" | sed 's@^.*-platform-@@;s@/.*$@@')"
	mv "${errorLog}" "compiled/filed-${version}-${platform}-error.log"
done

# Cleanup
rm -rf workdir-buildPrecompiled-*

exit 0

Modified filed.c from [61d8dcb4f5] to [94d290b0bc].

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
21
22
23
24
25
26
27

28
29
30
31
32
33
34







-







 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 * POSSIBILITY OF SUCH DAMAGE.
 */
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <pthread.h>
#include <strings.h>
#include <signal.h>
603
604
605
606
607
608
609
610

611
612
613
614
615
616
617
602
603
604
605
606
607
608

609
610
611
612
613
614
615
616







-
+








	pthread_create(&thread_id, NULL, filed_logging_thread, args);

	filed_log_msg("START");

	return(0);
}
#endif
#endif /* FILED_DONT_LOG */

#ifdef FILED_DONT_TIMEOUT
#define filed_sockettimeout_thread_init() 0
#define filed_sockettimeout_init() 0
#define filed_sockettimeout_accept(x) /**/
#define filed_sockettimeout_processing_start(x) /**/
#define filed_sockettimeout_processing_end(x) /**/
724
725
726
727
728
729
730


731
732
733
734
735
736
737
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738







+
+







	pthread_t thread_id;
	long idx;
	int count;
	int valid;
	int time_interval = 30;
	int check_period = 90;

	filed_sockettimeout_time = time(NULL);

	while (1) {
		for (count = 0; count < (check_period / time_interval); count++) {
			sleep_time.tv_sec = time_interval;
			sleep_time.tv_nsec = 0;
			nanosleep(&sleep_time, NULL);

			pthread_mutex_lock(&filed_sockettimeout_mutex);
752
753
754
755
756
757
758
759

760
761
762
763
764
765
766
753
754
755
756
757
758
759

760
761
762
763
764
765
766
767







-
+







				continue;
			}

			expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time;

			thread_id = filed_sockettimeout_sockstatus[idx].thread_id;

			if (expiration_time > now) {
			if (expiration_time > filed_sockettimeout_time) {
				continue;
			}

			filed_sockettimeout_close(idx, 1);

			dup2(filed_sockettimeout_devnull_fd, idx);

805
806
807
808
809
810
811
812

813



814
815
816
817

818
819
820
821
822
823
824
806
807
808
809
810
811
812

813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829







-
+

+
+
+




+







	filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR);
	if (filed_sockettimeout_devnull_fd < 0) {
		return(-1);
	}

	return(0);
}
#endif
#endif /* FILED_DONT_TIMEOUT */

#ifndef FILED_DO_SECCOMP
#define filed_init_seccomp() 0
#else
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <sys/ptrace.h>
#include <sys/prctl.h>
#include <stddef.h>

static int filed_init_seccomp(void) {
	struct sock_fprog filter;
	struct sock_filter rules[] = {
#include "filed.seccomp.h"
	};
836
837
838
839
840
841
842

843
844
845
846
847
848
849
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855







+







	prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter);
	if (prctl_ret != 0) {
		return(-1);
	}

	return(0);
}
#endif /* FILED_DO_SECCOMP */

/* Format time per RFC2616 */
static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) {
	struct tm timeinfo_tm, *timeinfo_tm_p;

	timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm);
	if (timeinfo_tm_p == NULL) {
1702
1703
1704
1705
1706
1707
1708
1709

1710
1711
1712
1713
1714
1715
1716
1708
1709
1710
1711
1712
1713
1714

1715
1716
1717
1718
1719
1720
1721
1722







-
+







	}

	return;
}

/* Add a getopt option */
static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) {
	opt->name     = name;
	opt->name     = (const char *) name;
	opt->has_arg  = has_arg;
	opt->flag     = NULL;
	opt->val      = val;

	return;
}

1815
1816
1817
1818
1819
1820
1821



1822
1823
1824
1825
1826
1827
1828
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837







+
+
+







	int port = PORT, thread_count = THREAD_COUNT;
	int cache_size = CACHE_SIZE;
	int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret;
	int setuid_enabled = 0, daemon_enabled = 0;
	int ch;
	int fd;

	/* Set default value */
	thread_options.fake_newroot = NULL;

	/* Process arguments */
	filed_getopt_long_setopt(&options[0], "port", required_argument, 'p');
	filed_getopt_long_setopt(&options[1], "threads", required_argument, 't');
	filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c');
	filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b');
	filed_getopt_long_setopt(&options[4], "user", required_argument, 'u');
	filed_getopt_long_setopt(&options[5], "root", required_argument, 'r');