Mailing List Archive

On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
>
> * Cache timezone data via caph_cache_tzdata() as we cannot access the
> timezone file.
>
> caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> 11.2 and later), although I suspect there is a desire to build OpenSSH
> on older versions as well. This could be addressed with an autoconf
> check for the existence of capsicum_helpers.h -- I'll create a patch
> for that, if desired.

Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
function so AC_CHECK_FUNCS doesn't work:

static __inline void
caph_cache_tzdata(void)
{
tzset();
}

Is an inline in the other versions and is it likely to remain so in
future?

diff --git a/configure.ac b/configure.ac
index c285ea32..f25a638e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
])

# sys/capsicum.h requires sys/types.h
-AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
+AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
#ifdef HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
])

+AC_MSG_CHECKING([for caph_cache_tzdata])
+AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
+ [[caph_cache_tzdata();]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no]) ]
+)
+
# net/route.h requires sys/socket.h and sys/types.h.
# sys/sysctl.h also requires sys/param.h
AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index 883be185..11045251 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -29,6 +29,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_CAPSICUM_HELPERS_H
+#include <capsicum_helpers.h>
+#endif

#include "log.h"
#include "monitor.h"
@@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box)
struct rlimit rl_zero;
cap_rights_t rights;

+#ifdef HAVE_CAPH_CACHE_TZDATA
+ caph_cache_tzdata();
+#endif
+
rl_zero.rlim_cur = rl_zero.rlim_max = 0;

if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On Mon, 18 Apr 2022 at 03:03, Darren Tucker <dtucker@dtucker.net> wrote:
>
> On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
> > Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
> >
> > * Cache timezone data via caph_cache_tzdata() as we cannot access the
> > timezone file.
> >
> > caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
> > 11.2 and later), although I suspect there is a desire to build OpenSSH
> > on older versions as well. This could be addressed with an autoconf
> > check for the existence of capsicum_helpers.h -- I'll create a patch
> > for that, if desired.
>
> Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
> function so AC_CHECK_FUNCS doesn't work:

Ah, indeed. I expect it will remain as an inline.

> diff --git a/configure.ac b/configure.ac
> index c285ea32..f25a638e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
> ])
>
> # sys/capsicum.h requires sys/types.h
> -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
> +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
> #ifdef HAVE_SYS_TYPES_H
> # include <sys/types.h>
> #endif
> ])
>
> +AC_MSG_CHECKING([for caph_cache_tzdata])
> +AC_LINK_IFELSE(
> + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
> + [[caph_cache_tzdata();]])],
> + [ AC_MSG_RESULT([yes]) ],
> + [ AC_MSG_RESULT([no]) ]
> +)
> +
> # net/route.h requires sys/socket.h and sys/types.h.
> # sys/sysctl.h also requires sys/param.h
> AC_CHECK_HEADERS([net/route.h sys/sysctl.h], [], [], [
> diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
> index 883be185..11045251 100644
> --- a/sandbox-capsicum.c
> +++ b/sandbox-capsicum.c
> @@ -29,6 +29,9 @@
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> +#ifdef HAVE_CAPSICUM_HELPERS_H
> +#include <capsicum_helpers.h>
> +#endif
>
> #include "log.h"
> #include "monitor.h"
> @@ -69,6 +72,10 @@ ssh_sandbox_child(struct ssh_sandbox *box)
> struct rlimit rl_zero;
> cap_rights_t rights;
>
> +#ifdef HAVE_CAPH_CACHE_TZDATA
> + caph_cache_tzdata();
> +#endif
> +
> rl_zero.rlim_cur = rl_zero.rlim_max = 0;
>
> if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)

This patch LGTM thanks.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On 4/18/2022 12:02 AM, Darren Tucker wrote:
> On Sun, Apr 17, 2022 at 06:00:11PM -0400, Ed Maste wrote:
>> Part of FreeBSD commit r339216 / fc3c19a9fceeea48a9259ac3833a125804342c0e
>>
>> * Cache timezone data via caph_cache_tzdata() as we cannot access the
>> timezone file.
>>
>> caph_cache_tzdata exists in all supported FreeBSD versions (12.0+, and
>> 11.2 and later), although I suspect there is a desire to build OpenSSH
>> on older versions as well. This could be addressed with an autoconf
>> check for the existence of capsicum_helpers.h -- I'll create a patch
>> for that, if desired.
> Looks like at least in FreeBSD 12.2 caph_cache_tzdata is an inline
> function so AC_CHECK_FUNCS doesn't work:
>
> static __inline void
> caph_cache_tzdata(void)
> {
> tzset();
> }
>
> Is an inline in the other versions and is it likely to remain so in
> future?
>
> diff --git a/configure.ac b/configure.ac
> index c285ea32..f25a638e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -504,12 +504,20 @@ AC_CHECK_HEADERS([sys/audit.h], [], [], [
> ])
>
> # sys/capsicum.h requires sys/types.h
> -AC_CHECK_HEADERS([sys/capsicum.h], [], [], [
> +AC_CHECK_HEADERS([sys/capsicum.h capsicum_helpers.h], [], [], [
> #ifdef HAVE_SYS_TYPES_H
> # include <sys/types.h>
> #endif
> ])
>
> +AC_MSG_CHECKING([for caph_cache_tzdata])
> +AC_LINK_IFELSE(
> + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
> + [[caph_cache_tzdata();]])],
> + [ AC_MSG_RESULT([yes]) ],
> + [ AC_MSG_RESULT([no]) ]
> +)
> +

I think something is missing here. There is no HAVE_CAPH_CACHE_TZDATA in
config.h.in.

checking for caph_cache_tzdata... yes

# grep CAPH *
sandbox-capsicum.c:#ifdef HAVE_CAPH_CACHE_TZDATA


--
Bryan Drewery

On Mon, 23 May 2022 at 13:29, Bryan Drewery <bdrewery@freebsd.org> wrote:
>
> > +AC_MSG_CHECKING([for caph_cache_tzdata])
> > +AC_LINK_IFELSE(
> > + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
> > + [[caph_cache_tzdata();]])],
> > + [ AC_MSG_RESULT([yes]) ],
> > + [ AC_MSG_RESULT([no]) ]
> > +)
> > +
>
> I think something is missing here. There is no HAVE_CAPH_CACHE_TZDATA in
> config.h.in.

Indeed, it works for me locally if I add
"AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], ..." to the "yes" case.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On Tue, 24 May 2022, Ed Maste wrote:

> On Mon, 23 May 2022 at 13:29, Bryan Drewery <bdrewery@freebsd.org> wrote:
> >
> > > +AC_MSG_CHECKING([for caph_cache_tzdata])
> > > +AC_LINK_IFELSE(
> > > + [AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
> > > + [[caph_cache_tzdata();]])],
> > > + [ AC_MSG_RESULT([yes]) ],
> > > + [ AC_MSG_RESULT([no]) ]
> > > +)
> > > +
> >
> > I think something is missing here. There is no HAVE_CAPH_CACHE_TZDATA in
> > config.h.in.

I've commited this to master.

--- configure.ac.old 2022-05-23 11:03:38.055760761 -0700
+++ configure.ac 2022-05-24 10:12:14.310483685 -0700
@@ -514,7 +514,11 @@
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ #include <capsicum_helpers.h> ]],
[[caph_cache_tzdata();]])],
- [ AC_MSG_RESULT([yes]) ],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], [1],
+ [Define if you have caph_cache_tzdata])
+ ],
[ AC_MSG_RESULT([no]) ]
)

>
> Indeed, it works for me locally if I add
> "AC_DEFINE([HAVE_CAPH_CACHE_TZDATA], ..." to the "yes" case.


--
Tim Rice Multitalents
tim@multitalents.net


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev