FreeBSD capsicum / timezones

Darren Tucker dtucker at dtucker.net
Mon Apr 18 17:02:44 AEST 2022 

On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
> 
>     * Cache timezone data via caph_cache_tzdata() as we cannot access the
>       timezone file.
> 
> caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> 11.2 and later), although I suspect there is a desire to build OpenSSH
> on older versions as well. This could be addressed with an autoconf
> check for the existence of capsicum_helpers.h -- I'll create a patch
> for that, if desired.

Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
function so AC_CHECK_FUNCS doesn't work:

static __inline void
caph_cache_tzdata(void)
{
        tzset();
}

Is an inline in the other versions and is it likely to remain so in
future?

diff --git a/configure.ac b/configure.ac
index c285ea32..f25a638e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
 ])
 
 # sys/capsicum.h requires sys/types.h
-AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
+AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
 #ifdef HAVE_SYS_TYPES_H
 # include <sys/types.h>
 #endif
 ])
 
+AC_MSG_CHECKING([for caph_cache_tzdata])
+AC_LINK_IFELSE(
+    [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
+	[[caph_cache_tzdata();]])],
+    [ AC_MSG_RESULT([yes]) ],
+    [ AC_MSG_RESULT([no]) ]
+)
+
 # net/route.h requires sys/socket.h and sys/types.h.
 # sys/sysctl.h also requires sys/param.h
 AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index 883be185..11045251 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -29,6 +29,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#ifdef HAVE_CAPSICUM_HELPERS_H
+#include <capsicum_helpers.h>
+#endif
 
 #include "log.h"
 #include "monitor.h"
@@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	struct rlimit rl_zero;
 	cap_rights_t rights;
 
+#ifdef HAVE_CAPH_CACHE_TZDATA
+	caph_cache_tzdata();
+#endif
+
 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
 
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list