FreeBSD capsicum / timezones

Ed Maste emaste at freebsd.org
Tue Apr 19 03:42:54 AEST 2022 

On Mon, 18 Apr 2022 at 03:03, Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> > Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
> >
> >     * Cache timezone data via caph_cache_tzdata() as we cannot access the
> >       timezone file.
> >
> > caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> > 11.2 and later), although I suspect there is a desire to build OpenSSH
> > on older versions as well. This could be addressed with an autoconf
> > check for the existence of capsicum_helpers.h -- I'll create a patch
> > for that, if desired.
>
> Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
> function so AC_CHECK_FUNCS doesn't work:

Ah, indeed. I expect it will remain as an inline.

> diff --git a/configure.ac b/configure.ac
> index c285ea32..f25a638e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
>  ])
>
>  # sys/capsicum.h requires sys/types.h
> -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
> +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
>  #ifdef HAVE_SYS_TYPES_H
>  # include <sys/types.h>
>  #endif
>  ])
>
> +AC_MSG_CHECKING([for caph_cache_tzdata])
> +AC_LINK_IFELSE(
> +    [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
> +       [[caph_cache_tzdata();]])],
> +    [ AC_MSG_RESULT([yes]) ],
> +    [ AC_MSG_RESULT([no]) ]
> +)
> +
>  # net/route.h requires sys/socket.h and sys/types.h.
>  # sys/sysctl.h also requires sys/param.h
>  AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
> diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
> index 883be185..11045251 100644
> --- a/sandbox-capsicum.c
> +++ b/sandbox-capsicum.c
> @@ -29,6 +29,9 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#ifdef HAVE_CAPSICUM_HELPERS_H
> +#include <capsicum_helpers.h>
> +#endif
>
>  #include "log.h"
>  #include "monitor.h"
> @@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box)
>         struct rlimit rl_zero;
>         cap_rights_t rights;
>
> +#ifdef HAVE_CAPH_CACHE_TZDATA
> +       caph_cache_tzdata();
> +#endif
> +
>         rl_zero.rlim_cur = rl_zero.rlim_max = 0;
>
>         if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

This patch LGTM thanks.

More information about the openssh-unix-dev mailing list