Check-in [9184a4f1b9]
Overview
Comment:Disable seccomp support by default and cleanup
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | seccomp
Files: files | file ages | folders
SHA1:9184a4f1b9c6e71f3c5fc4ec8bb3b8eb11d58bd7
User & Date: rkeene on 2020-03-31 16:18:23
Other Links: manifest | tags
Context
2020-03-31
16:25
Updated to not try to build seccomp dependencies unless seccomp is being used check-in: 0a04450d6f user: rkeene tags: seccomp
16:18
Disable seccomp support by default and cleanup check-in: 9184a4f1b9 user: rkeene tags: seccomp
15:44
Added seccomp support check-in: 854cb424a1 user: rkeene tags: seccomp
Changes

Modified Makefile from [c0971efb30] to [e9e57ad197].

    20     20   
    21     21   filed-mime-types.h: $(srcdir)/generate-mime-types $(srcdir)/mime.types
    22     22   	'$(srcdir)/generate-mime-types' '$(MIMETYPES)' > filed-mime-types.h.new || \
    23     23   		'$(srcdir)/generate-mime-types' '$(srcdir)/mime.types' > filed-mime-types.h.new
    24     24   	mv filed-mime-types.h.new filed-mime-types.h
    25     25   
    26     26   filed.seccomp.h: $(srcdir)/filed.seccomp $(srcdir)/generate-seccomp-filter
    27         -	$(srcdir)/generate-seccomp-filter filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
           27  +	$(srcdir)/generate-seccomp-filter $(srcdir)/filed.seccomp x86_64 "" i386 "" > filed.seccomp.h.new
    28     28   	mv filed.seccomp.h.new filed.seccomp.h
    29     29   
    30     30   install: filed $(srcdir)/filed.1
    31     31   	test -d "$(DESTDIR)$(mandir)/man1" || mkdir -p "$(DESTDIR)$(mandir)/man1"
    32     32   	test -d "$(DESTDIR)$(bindir)" || mkdir -p "$(DESTDIR)$(bindir)"
    33     33   	cp '$(srcdir)/filed.1' "$(DESTDIR)$(mandir)/man1/"
    34     34   	cp filed "$(DESTDIR)$(bindir)/"

Modified README from [dc3dfdd9b3] to [a70a50af88].

    75     75           argument to the "-r" or "--root" option prepended to them.
    76     76   
    77     77      5. Differing "index.html" handling (CFLAGS, -DFILED_DONT_REDIRECT_DIRECTORIES=1)
    78     78           Normally "filed" redirects users who request a directory to the
    79     79           index.html file in that directory so that no memory allocations are
    80     80           required;  This option lets the server generate the new path.
    81     81   
           82  +   6. Enable seccomp (CFLAGS, -DFILED_DO_SECCOMP=1)
           83  +        Linux supports limiting the system calls that a process can make.
           84  +        This is called seccomp (SECure COMPuting).  Currently not all
           85  +        platforms have been tested with this so it is disabled by default.
           86  +
    82     87      6. MIME Types (MIMETYPES)
    83     88   	For single-file convenience "filed" compiles the mapping of file
    84     89   	extensions (the string in the filename following its last dot ("."))
    85     90   	into the executable.  This mapping comes from a file in the format of
    86     91   		type1   type1_extension1 type1_extension2...
    87     92   		type2   type2_extension1 type2_extension2...
    88     93   		...

Modified build/build-precompiled from [46b4f35d88] to [bda883498c].

    40     40   
    41     41   			case "${platform}" in
    42     42   				*-musl-*|*-musl)
    43     43   					make_extra=("${make_extra[@]}" FILED_EXTRA_LDFLAGS="-static")
    44     44   					;;
    45     45   			esac
    46     46   
    47         -			make "${make_extra[@]}"
           47  +			make "${make_extra[@]}" > filed.log 2>&1 </dev/null || mv filed.log filed-failed.log
    48     48   		) &
    49     49   	done
    50     50   done
    51     51   
    52     52   # Wait for that to get done
    53     53   wait
    54     54   
    55     55   # Rename the files into place
    56     56   mkdir -p compiled
    57     57   for binary in workdir-buildPrecompiled-*/filed; do
    58     58   	platform="$(echo "${binary}" | sed 's@^.*-platform-@@;s@/.*$@@')"
    59     59   	mv "${binary}" "compiled/filed-${version}-${platform}"
    60     60   done
           61  +for errorLog in workdir-buildPrecompiled-*/filed-failed.log; do
           62  +	platform="$(echo "${errorLog}" | sed 's@^.*-platform-@@;s@/.*$@@')"
           63  +	mv "${errorLog}" "compiled/filed-${version}-${platform}-error.log"
           64  +done
    61     65   
    62     66   # Cleanup
    63     67   rm -rf workdir-buildPrecompiled-*
    64     68   
    65     69   exit 0

Modified filed.c from [61d8dcb4f5] to [94d290b0bc].

    21     21    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
    22     22    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
    23     23    * POSSIBILITY OF SUCH DAMAGE.
    24     24    */
    25     25   #include <sys/sendfile.h>
    26     26   #include <sys/socket.h>
    27     27   #include <sys/types.h>
    28         -#include <sys/prctl.h>
    29     28   #include <arpa/inet.h>
    30     29   #include <sys/mman.h>
    31     30   #include <sys/stat.h>
    32     31   #include <sys/wait.h>
    33     32   #include <pthread.h>
    34     33   #include <strings.h>
    35     34   #include <signal.h>
................................................................................
   603    602   
   604    603   	pthread_create(&thread_id, NULL, filed_logging_thread, args);
   605    604   
   606    605   	filed_log_msg("START");
   607    606   
   608    607   	return(0);
   609    608   }
   610         -#endif
          609  +#endif /* FILED_DONT_LOG */
   611    610   
   612    611   #ifdef FILED_DONT_TIMEOUT
   613    612   #define filed_sockettimeout_thread_init() 0
   614    613   #define filed_sockettimeout_init() 0
   615    614   #define filed_sockettimeout_accept(x) /**/
   616    615   #define filed_sockettimeout_processing_start(x) /**/
   617    616   #define filed_sockettimeout_processing_end(x) /**/
................................................................................
   724    723   	pthread_t thread_id;
   725    724   	long idx;
   726    725   	int count;
   727    726   	int valid;
   728    727   	int time_interval = 30;
   729    728   	int check_period = 90;
   730    729   
          730  +	filed_sockettimeout_time = time(NULL);
          731  +
   731    732   	while (1) {
   732    733   		for (count = 0; count < (check_period / time_interval); count++) {
   733    734   			sleep_time.tv_sec = time_interval;
   734    735   			sleep_time.tv_nsec = 0;
   735    736   			nanosleep(&sleep_time, NULL);
   736    737   
   737    738   			pthread_mutex_lock(&filed_sockettimeout_mutex);
................................................................................
   752    753   				continue;
   753    754   			}
   754    755   
   755    756   			expiration_time = filed_sockettimeout_sockstatus[idx].expiration_time;
   756    757   
   757    758   			thread_id = filed_sockettimeout_sockstatus[idx].thread_id;
   758    759   
   759         -			if (expiration_time > now) {
          760  +			if (expiration_time > filed_sockettimeout_time) {
   760    761   				continue;
   761    762   			}
   762    763   
   763    764   			filed_sockettimeout_close(idx, 1);
   764    765   
   765    766   			dup2(filed_sockettimeout_devnull_fd, idx);
   766    767   
................................................................................
   805    806   	filed_sockettimeout_devnull_fd = open("/dev/null", O_RDWR);
   806    807   	if (filed_sockettimeout_devnull_fd < 0) {
   807    808   		return(-1);
   808    809   	}
   809    810   
   810    811   	return(0);
   811    812   }
   812         -#endif
          813  +#endif /* FILED_DONT_TIMEOUT */
   813    814   
          815  +#ifndef FILED_DO_SECCOMP
          816  +#define filed_init_seccomp() 0
          817  +#else
   814    818   #include <linux/seccomp.h>
   815    819   #include <linux/filter.h>
   816    820   #include <linux/audit.h>
   817    821   #include <sys/ptrace.h>
          822  +#include <sys/prctl.h>
   818    823   #include <stddef.h>
   819    824   
   820    825   static int filed_init_seccomp(void) {
   821    826   	struct sock_fprog filter;
   822    827   	struct sock_filter rules[] = {
   823    828   #include "filed.seccomp.h"
   824    829   	};
................................................................................
   836    841   	prctl_ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filter);
   837    842   	if (prctl_ret != 0) {
   838    843   		return(-1);
   839    844   	}
   840    845   
   841    846   	return(0);
   842    847   }
          848  +#endif /* FILED_DO_SECCOMP */
   843    849   
   844    850   /* Format time per RFC2616 */
   845    851   static char *filed_format_time(char *buffer, size_t buffer_len, const time_t timeinfo) {
   846    852   	struct tm timeinfo_tm, *timeinfo_tm_p;
   847    853   
   848    854   	timeinfo_tm_p = gmtime_r(&timeinfo, &timeinfo_tm);
   849    855   	if (timeinfo_tm_p == NULL) {
................................................................................
  1702   1708   	}
  1703   1709   
  1704   1710   	return;
  1705   1711   }
  1706   1712   
  1707   1713   /* Add a getopt option */
  1708   1714   static void filed_getopt_long_setopt(struct option *opt, const char *name, int has_arg, int val) {
  1709         -	opt->name     = name;
         1715  +	opt->name     = (const char *) name;
  1710   1716   	opt->has_arg  = has_arg;
  1711   1717   	opt->flag     = NULL;
  1712   1718   	opt->val      = val;
  1713   1719   
  1714   1720   	return;
  1715   1721   }
  1716   1722   
................................................................................
  1815   1821   	int port = PORT, thread_count = THREAD_COUNT;
  1816   1822   	int cache_size = CACHE_SIZE;
  1817   1823   	int init_ret, chroot_ret, setuid_ret, lookup_ret, chdir_ret;
  1818   1824   	int setuid_enabled = 0, daemon_enabled = 0;
  1819   1825   	int ch;
  1820   1826   	int fd;
  1821   1827   
         1828  +	/* Set default value */
         1829  +	thread_options.fake_newroot = NULL;
         1830  +
  1822   1831   	/* Process arguments */
  1823   1832   	filed_getopt_long_setopt(&options[0], "port", required_argument, 'p');
  1824   1833   	filed_getopt_long_setopt(&options[1], "threads", required_argument, 't');
  1825   1834   	filed_getopt_long_setopt(&options[2], "cache", required_argument, 'c');
  1826   1835   	filed_getopt_long_setopt(&options[3], "bind", required_argument, 'b');
  1827   1836   	filed_getopt_long_setopt(&options[4], "user", required_argument, 'u');
  1828   1837   	filed_getopt_long_setopt(&options[5], "root", required_argument, 'r');