Fix configure check for seccomp filter on Linux

2025-08-22 09:57:41 +00:00 · 2016-10-09 11:24:29 -06:00 · 2016-10-09 11:24:29 -06:00 · 8e49ce07f6
commit 8e49ce07f6
parent 237e2f964d
4 changed files with 32 additions and 24 deletions
--- a/config.h.in
+++ b/config.h.in
@ -124,6 +124,10 @@
   don't. */
 #undef HAVE_DECL_QUAD_MIN

+/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and
+   to 0 if you don't. */
+#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER
+
 /* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
   don't. */
 #undef HAVE_DECL_SETAUTHDB
@ -526,9 +530,6 @@
 /* Define to 1 if you have the `posix_spawnp' function. */
 #undef HAVE_POSIX_SPAWNP

-/* Define to 1 if you have the `prctl' function. */
-#undef HAVE_PRCTL
-
 /* Define to 1 if you have the `pread' function. */
 #undef HAVE_PREAD

--- a/32
+++ b/32
@ -15223,23 +15223,25 @@ fi
    *-*-linux*|*-*-k*bsd*-gnu)
 		shadow_funcs="getspnam"
 		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
-		# Check for linux/filter.h and prctl to use seccomp(2)
-		ac_fn_c_check_header_mongrel "$LINENO" "linux/filter.h" "ac_cv_header_linux_filter_h" "$ac_includes_default"
-if test "x$ac_cv_header_linux_filter_h" = xyes; then :
-  for ac_func in prctl
-do :
-  ac_fn_c_check_func "$LINENO" "prctl" "ac_cv_func_prctl"
-if test "x$ac_cv_func_prctl" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_PRCTL 1
+		# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
+		ac_fn_c_check_decl "$LINENO" "SECCOMP_SET_MODE_FILTER" "ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" "
+#include <sys/types.h>
+#include <sys/prctl.h>
+#include <asm/unistd.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+
+"
+if test "x$ac_cv_have_decl_SECCOMP_SET_MODE_FILTER" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SECCOMP_SET_MODE_FILTER $ac_have_decl
 _ACEOF

-fi
-done
-
-fi
-
-
 		;;
    *-*-gnu*)
 		# lockf() is broken on the Hurd
--- a/configure.ac
+++ b/configure.ac
@ -1962,8 +1962,14 @@ case "$host" in
    *-*-linux*|*-*-k*bsd*-gnu)
 		shadow_funcs="getspnam"
 		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
-		# Check for linux/filter.h and prctl to use seccomp(2)
-		AC_CHECK_HEADER([linux/filter.h], [AC_CHECK_FUNCS([prctl])])
+		# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
+		AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [
+#include <sys/types.h>
+#include <sys/prctl.h>
+#include <asm/unistd.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+		])
 		;;
    *-*-gnu*)
 		# lockf() is broken on the Hurd
--- a/src/sudo_noexec.c
+++ b/src/sudo_noexec.c
@ -18,10 +18,9 @@

 #include <sys/types.h>

-#if defined(__linux__) && defined(HAVE_PRCTL)
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
 # include <sys/prctl.h>
 # include <asm/unistd.h>
-# include <linux/audit.h>
 # include <linux/filter.h>
 # include <linux/seccomp.h>
 #endif
@ -216,7 +215,7 @@ INTERPOSE(wordexp)
 /*
 * On Linux we can use a seccomp() filter to disable exec.
 */
-#if defined(__linux) && defined(HAVE_PRCTL)
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER

 /* Older systems may not support execveat(2). */
 #ifndef __NR_execveat
@ -251,4 +250,4 @@ noexec_ctor(void)
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
 	(void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
 }
-#endif /* __linux__ && HAVE_PRCTL */
+#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */