common/Seccomp.cpp | 10 ++++++++++ configure.ac | 19 +++++++++++++++---- debian/changelog | 6 ++++++ loolwsd.spec.in | 2 +- 4 files changed, 32 insertions(+), 5 deletions(-)
New commits: commit 26f9b5648f9afc896ba6b95d2948b43f082ddc4a Author: Andras Timar <andras.ti...@collabora.com> Date: Fri Jun 30 12:10:38 2017 +0200 configure option to disable SECCOMP Change-Id: I8120674b60d388a3f85190631469a112c4af9266 Reviewed-on: https://gerrit.libreoffice.org/39408 Reviewed-by: Michael Meeks <michael.me...@collabora.com> Tested-by: Michael Meeks <michael.me...@collabora.com> (cherry picked from commit ad8bffa04a9fd104342d245100ba419b69f7e8ba) Signed-off-by: Andras Timar <andras.ti...@collabora.com> diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp index 092f1a5d..3cef8786 100644 --- a/common/Seccomp.cpp +++ b/common/Seccomp.cpp @@ -23,7 +23,9 @@ #include <sys/prctl.h> #include <linux/audit.h> #include <linux/filter.h> +#if DISABLE_SECCOMP == 0 #include <linux/seccomp.h> +#endif #include <common/Log.hpp> #include <common/SigUtil.hpp> @@ -40,6 +42,7 @@ # error "Platform does not support seccomp filtering yet - unsafe." #endif +#if DISABLE_SECCOMP == 0 extern "C" { static void handleSysSignal(int /* signal */, @@ -71,6 +74,7 @@ static void handleSysSignal(int /* signal */, } } // extern "C" +#endif namespace Seccomp { @@ -78,6 +82,7 @@ bool lockdown(Type type) { (void)type; // so far just the kit. +#if DISABLE_SECCOMP == 0 #define ACCEPT_SYSCALL(name) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) @@ -212,8 +217,13 @@ bool lockdown(Type type) LOG_TRC("Install seccomp filter successfully."); return true; +#else // DISABLE_SECCOMP == 0 + LOG_WRN("Warning this code was compiled without seccomp enabled, this setup is not recommended for production."); + return true; +#endif // DISABLE_SECCOMP == 0 } } // namespace Seccomp + /* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/configure.ac b/configure.ac index 0017b0e1..54b48669 100644 --- a/configure.ac +++ b/configure.ac 
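Review bot: In the last common/Seccomp.cpp hunk, the new `#else` branch of `Seccomp::lockdown()` returns `true`, the same value as the path that installs the filter, so a caller cannot tell a confined process from one built with `--disable-seccomp`. The only trace is a single `LOG_WRN` line, which is easy to miss in a production log. At minimum, document the contract above the function with `// NOTE: returns true without installing any filter when built with --disable-seccomp; a true result is not proof of confinement.` The trailing comment on the `#else` also states the opposite of the branch's condition and should read `#else // DISABLE_SECCOMP != 0`. Most of the body of `lockdown()` lies outside the visible hunks, so how callers use the return value is not shown here.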
@@ -52,6 +52,10 @@ AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [Enable debugging, link with debugging version of Poco libraries])) +AC_ARG_ENABLE([seccomp], + AS_HELP_STRING([--disable-seccomp], + [Disable use of linux/seccomp.h header when kernel on target system does not support it. + Beware of the security consequences!])) AC_ARG_WITH([lokit-path], AS_HELP_STRING([--with-lokit-path=<path>], [Path to the "include" directory with the LibreOfficeKit headers])) @@ -266,9 +270,16 @@ AC_CHECK_HEADERS([LibreOfficeKit/LibreOfficeKit.h], AC_CHECK_HEADERS([Poco/Net/WebSocket.h], [], [AC_MSG_ERROR([header Poco/Net/WebSocket.h not found, perhaps you want to use --with-poco-includes])]) -AC_CHECK_HEADERS([linux/seccomp.h], - [], - [AC_MSG_ERROR([critical security header linux/seccomp.h not found.])]) +DISABLE_SECCOMP= +if test "$enable_seccomp" != "no"; then + AC_CHECK_HEADERS([linux/seccomp.h], + [], + [AC_MSG_ERROR([critical security header linux/seccomp.h not found. If kernel on target system does not support SECCOMP, you can use --disable-seccomp, but mind the security consequences.])]) + AC_DEFINE([DISABLE_SECCOMP],0,[Whether to disable SECCOMP]) +else + AC_DEFINE([DISABLE_SECCOMP],1,[Whether to disable SECCOMP]) +fi + AC_MSG_CHECKING([POCO version]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([ commit 0157d2637286e4ed86256d95c9f3fbca92128373 Author: Andras Timar <andras.ti...@collabora.com> Date: Mon Jul 3 18:23:10 2017 +0200 Bump version to 2.1.3 Change-Id: I20f41ebd51b39dfe656947e619821b99a78dc493 diff --git a/configure.ac b/configure.ac index 6a437dd0..0017b0e1 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ AC_PREREQ([2.69]) -AC_INIT([loolwsd], [2.1.2], [libreoffice@lists.freedesktop.org]) +AC_INIT([loolwsd], [2.1.3], [libreoffice@lists.freedesktop.org]) LT_INIT([shared, disable-static, dlopen]) AM_INIT_AUTOMAKE([1.11 silent-rules subdir-objects tar-pax -Wno-portability]) 
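Review bot: The help string in the `AC_ARG_ENABLE([seccomp]` hunk describes the option as disabling use of the `linux/seccomp.h` header, but the Seccomp.cpp change in the same commit compiles out the whole filter installation in `lockdown()`. Anyone reading `./configure --help` should see that effect rather than the header detail, for example `[Build without the seccomp syscall filter; only for target kernels that lack seccomp support. The process sandbox is weakened.]`.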
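Review bot: The `else` branch of the new `if test "$enable_seccomp" != "no"` block in configure.ac defines `DISABLE_SECCOMP` to 1 without printing anything, so the configure output and build log give no sign that the syscall filter was compiled out. Adding `AC_MSG_WARN([seccomp disabled: building without the syscall filter, not recommended for production])` in that branch makes the choice visible to packagers and auditors. The shell variable assigned by `DISABLE_SECCOMP=` just above the `if` is not read anywhere in this hunk; unless the rest of configure.ac uses it, it can be dropped.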
diff --git a/debian/changelog b/debian/changelog index 68cbf3e8..561781b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +loolwsd (2.1.3-1) unstable; urgency=medium + + * see the git log: http://col.la/cool21 + + -- Andras Timar <andras.ti...@collabora.com> Tue, 03 Jul 2017 14:00:00 +0100 + loolwsd (2.1.2-6) unstable; urgency=medium * see the git log: http://col.la/cool21 diff --git a/loolwsd.spec.in b/loolwsd.spec.in index d1c62520..724ddc5d 100644 --- a/loolwsd.spec.in +++ b/loolwsd.spec.in @@ -12,7 +12,7 @@ Name: loolwsd%{name_suffix} Name: loolwsd %endif Version: @PACKAGE_VERSION@ -Release: 6%{?dist} +Release: 1%{?dist} Vendor: Collabora Summary: LibreOffice On-Line WebSocket Daemon License: MPL _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits