This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 04b172da5b96a51b0d55c905b423ababff9f4e0b
Author: Darren Tucker <dtucker@dtucker.net>
Date: Fri Nov 19 16:01:51 2021 +1100
Don't auto-enable Capsicum sandbox on FreeBSD 9/10.
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
---
configure.ac | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index a159d9f0..ddb6c5b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -994,6 +994,11 @@ mips-sony-bsd|mips-sony-newsos4)
# and will crash if they cannot be opened.
AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
[define if setrlimit RLIMIT_NOFILE breaks things])
+ case "$host" in
+ *-*-freebsd9.*|*-*-freebsd10.*)
+ # Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
+ disable_capsicum=yes
+ esac
;;
*-*-bsdi*)
AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -3654,6 +3659,7 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
( test -z "$sandbox_arg" && \
+ test "x$disable_capsicum" != "xyes" && \
test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits
dtucker pushed a commit to branch master
in repository openssh.
commit 04b172da5b96a51b0d55c905b423ababff9f4e0b
Author: Darren Tucker <dtucker@dtucker.net>
Date: Fri Nov 19 16:01:51 2021 +1100
Don't auto-enable Capsicum sandbox on FreeBSD 9/10.
Since we changed from select() to ppoll() tests have been failing.
This seems to be because FreeBSD 10 (and presumably 9) do not allow
ppoll() in the privsep process and sshd will fail with "Not permitted in
capability mode". Setting CAP_EVENT on the FDs doesn't help, but weirdly,
poll() works without that. Those versions are EOL so this situation is
unlikely to change.
---
configure.ac | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/configure.ac b/configure.ac
index a159d9f0..ddb6c5b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -994,6 +994,11 @@ mips-sony-bsd|mips-sony-newsos4)
# and will crash if they cannot be opened.
AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
[define if setrlimit RLIMIT_NOFILE breaks things])
+ case "$host" in
+ *-*-freebsd9.*|*-*-freebsd10.*)
+ # Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
+ disable_capsicum=yes
+ esac
;;
*-*-bsdi*)
AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -3654,6 +3659,7 @@ elif test "x$sandbox_arg" = "xseccomp_filter" || \
AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter])
elif test "x$sandbox_arg" = "xcapsicum" || \
( test -z "$sandbox_arg" && \
+ test "x$disable_capsicum" != "xyes" && \
test "x$ac_cv_header_sys_capsicum_h" = "xyes" && \
test "x$ac_cv_func_cap_rights_limit" = "xyes") ; then
test "x$ac_cv_header_sys_capsicum_h" != "xyes" && \
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits