diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp index c8ac7b395..3fbc3aedc 100644 --- a/common/Seccomp.cpp +++ b/common/Seccomp.cpp @@ -12,12 +12,13 @@ */ #include "config.h" - #include #include #include #include +#if DISABLE_SECCOMP == 0 #include +#endif #include #include #include @@ -42,6 +43,7 @@ # error "Platform does not support seccomp filtering yet - unsafe." #endif +#if DISABLE_SECCOMP == 0 extern "C" { static void handleSysSignal(int /* signal */, @@ -73,6 +75,7 @@ static void handleSysSignal(int /* signal */, } } // extern "C" +#endif namespace Seccomp { @@ -80,6 +83,7 @@ bool lockdown(Type type) { (void)type; // so far just the kit. +#if DISABLE_SECCOMP == 0 #define ACCEPT_SYSCALL(name) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) @@ -214,8 +218,16 @@ bool lockdown(Type type) LOG_TRC("Install seccomp filter successfully."); return true; +#else // DISABLE_SECCOMP == 0 + LOG_WRN("Warning this code was compiled without seccomp enabled, this setup is not recommended for production."); + return true; +#endif // DISABLE_SECCOMP == 0 } +} // namespace Seccomp + +namespace Rlimit { + bool handleSetrlimitCommand(const std::vector& tokens) { if (tokens.size() == 3 && tokens[0] == "setconfig") @@ -276,6 +288,6 @@ bool handleSetrlimitCommand(const std::vector& tokens) return false; } -} // namespace Seccomp +} // namespace Rlimit /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/common/Seccomp.hpp b/common/Seccomp.hpp index f6d1a1301..5098c1c75 100644 --- a/common/Seccomp.hpp +++ b/common/Seccomp.hpp @@ -14,7 +14,9 @@ namespace Seccomp { /// Lock-down a process hard - @returns true on success. bool lockdown(Type type); +}; +namespace Rlimit { /// Handles setconfig command with limit_... subcommands. /// Returns true iff it handled the command, regardless of success/failure. bool handleSetrlimitCommand(const std::vector& tokens); 
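Review bot: The `# error "Platform does not support seccomp filtering yet - unsafe."` check sits just above the new `#if DISABLE_SECCOMP == 0` and stays outside the guard, so a `--disable-seccomp` build would presumably still stop there on a platform the check rejects. The condition of that check is outside the hunk, so this needs confirming. If the option is meant to cover such platforms as well, open the guard before the platform check instead of after its `#endif`. The include hunk at the top of the file wraps only one header in the same guard, and the header names are not visible on this page, so it is worth checking that no other seccomp- or BPF-only header is left unguarded.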
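Review bot: In the new `#else` branch `lockdown()` returns `true` although no filter was installed, so a caller cannot tell a sandboxed kit process from an unsandboxed one, and the only trace is a warning-level log line. Returning `true` is presumably deliberate so that a `--disable-seccomp` build can still start, but the code should say so, e.g. `// No filter installed: report success so callers proceed; this process is NOT sandboxed.` above the `LOG_WRN`. The message also repeats the level in its text; `LOG_WRN("Built with --disable-seccomp: no syscall filter installed; not recommended for production.");` states the condition more directly. The start of `lockdown()` is outside this hunk.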
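Review bot: The added `};` in common/Seccomp.hpp closes `namespace Seccomp` with a stray semicolon, an empty declaration that pedantic builds warn about; write `} // namespace Seccomp` as common/Seccomp.cpp does. The doc comment kept above `lockdown()` still says only "@returns true on success", but a `--disable-seccomp` build now returns true without installing a filter. I would extend it to `/// Lock-down a process hard - @returns true on success, and also when built with --disable-seccomp (no filter installed).` The closing brace of the new `namespace Rlimit` is outside this hunk.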
diff --git a/configure.ac b/configure.ac index 4da3f4e9f..45a4160f3 100644 --- a/configure.ac +++ b/configure.ac @@ -52,6 +52,10 @@ AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [Enable debugging, link with debugging version of Poco libraries])) +AC_ARG_ENABLE([seccomp], + AS_HELP_STRING([--disable-seccomp], + [Disable use of linux/seccomp.h header when kernel on target system does not support it. + Beware of the security consequences!])) AC_ARG_WITH([lokit-path], AS_HELP_STRING([--with-lokit-path=], [Path to the "include" directory with the LibreOfficeKit headers])) @@ -267,9 +271,16 @@ AC_CHECK_HEADERS([LibreOfficeKit/LibreOfficeKit.h], AC_CHECK_HEADERS([Poco/Net/WebSocket.h], [], [AC_MSG_ERROR([header Poco/Net/WebSocket.h not found, perhaps you want to use --with-poco-includes])]) -AC_CHECK_HEADERS([linux/seccomp.h], - [], - [AC_MSG_ERROR([critical security header linux/seccomp.h not found.])]) +DISABLE_SECCOMP= +if test "$enable_seccomp" != "no"; then + AC_CHECK_HEADERS([linux/seccomp.h], + [], + [AC_MSG_ERROR([critical security header linux/seccomp.h not found. If kernel on target system does not support SECCOMP, you can use --disable-seccomp, but mind the security consequences.])]) + AC_DEFINE([DISABLE_SECCOMP],0,[Whether to disable SECCOMP]) +else + AC_DEFINE([DISABLE_SECCOMP],1,[Whether to disable SECCOMP]) +fi + AC_MSG_CHECKING([POCO version]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([ diff --git a/kit/ForKit.cpp b/kit/ForKit.cpp index fa95321d6..5dde307f0 100644 --- a/kit/ForKit.cpp +++ b/kit/ForKit.cpp @@ -113,8 +113,8 @@ public: } else if (tokens.size() == 3 && tokens[0] == "setconfig") { - // Currently onlly rlimit entries are supported. - if (!Seccomp::handleSetrlimitCommand(tokens)) + // Currently only rlimit entries are supported. + if (!Rlimit::handleSetrlimitCommand(tokens)) { LOG_ERR("Unknown setconfig command: " << message); } 
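Review bot: The `else` branch of the new seccomp check in configure.ac defines `DISABLE_SECCOMP` to 1 silently, so nothing in the configure output records that the resulting binaries run without the syscall filter. Add `AC_MSG_WARN([seccomp disabled: kit processes will run without syscall filtering, not for production])` in that branch so the choice is visible in build logs. The shell variable set by `DISABLE_SECCOMP=` just before the `if` is never assigned again or substituted within this hunk, so it can be dropped unless code outside the hunk reads it.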
@@ -442,7 +442,7 @@ int main(int argc, char** argv) { const auto pair = LOOLProtocol::split(cmdLimit, ':'); std::vector tokensLimit = { "setconfig", pair.first, pair.second }; - if (!Seccomp::handleSetrlimitCommand(tokensLimit)) + if (!Rlimit::handleSetrlimitCommand(tokensLimit)) { LOG_ERR("Unknown rlimits command: " << cmdLimit); } diff --git a/kit/Kit.cpp b/kit/Kit.cpp index 64898ef87..8036503b7 100644 --- a/kit/Kit.cpp +++ b/kit/Kit.cpp @@ -1927,7 +1927,7 @@ void lokit_main(const std::string& childRoot, else if (tokens.size() == 3 && tokens[0] == "setconfig") { // Currently onlly rlimit entries are supported. - if (!Seccomp::handleSetrlimitCommand(tokens)) + if (!Rlimit::handleSetrlimitCommand(tokens)) { LOG_ERR("Unknown setconfig command: " << message); }