authorColin Watson <cjwatson@debian.org>2017-12-03 12:24:51 +0000
committerColin Watson <cjwatson@debian.org>2017-12-03 12:24:51 +0000
commitf3749790f6efb2a1927558827569de7bd66df472 (patch)
tree3e6f1abda8824b8a4b2de5bd15aaf1b02cc2b1a9 /lib/Makefile.in
parent2851246deff8f83224fc40c6d0231c6834c24177 (diff)
Confine most untrusted data handling using seccomp
Fixes Debian bug #877199. * configure.ac: Require libpipeline >= 1.5.0. Call MAN_LIBSECCOMP. * docs/INSTALL.quick: Bump minimum libpipeline version to 1.5.0. List libseccomp as recommended. * lib/Makefile.am (libman_la_CPPFLAGS): Add $(libseccomp_CFLAGS). (libman_la_SOURCES): Add sandbox.c and sandbox.h. (libman_la_LDFLAGS): Add $(libseccomp_LIBS). * lib/sandbox.c: New file. * lib/sandbox.h: New file. * m4/man-libseccomp.m4: New file. * src/man.c (set_term): Check that process ID matches original before calling tcsetattr. (get_term): Record original process ID to work around an arguable bug in pipecmd_exec. * src/lexgrog_test.c (main), src/man.c (main), src/manconv_main.c (main), src/mandb.c (main), src/zsoelim_main.c (main): Initialise sandbox. * lib/decompress.c (decompress_open, decompress_fdopen): Attach sandbox to decompression commands. * src/lexgrog.l (find_name): Attach sandbox to 'col'. * src/man.c (add_col): Attach sandbox to 'col'. (make_roff_command): Attach sandbox to 'zsoelim' and to groff-related programs. (add_output_iconv): Attach sandbox to 'iconv'. (make_display_command): Attach sandbox to 'tr'. (open_cat_stream, display_catman): Attach sandbox to compression commands. * src/manconv_client.c (add_manconv): Attach sandbox to manconv_stdin. * src/straycats.c (check_for_stray): Attach sandbox to 'col'. * src/whatis.c (use_grep): Attach sandbox to 'grep'. * src/accessdb.c, src/catman.c, src/globbing_test.c, src/manpath.c: Define stub sandbox variable. * docs/NEWS: Document this.
Diffstat (limited to 'lib/Makefile.in')
-rw-r--r--lib/Makefile.in22
1 files changed, 19 insertions, 3 deletions
diff --git a/lib/Makefile.in b/lib/Makefile.in
index e3a7c29a..89df5434 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -107,6 +107,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/man-arg-automatic-create.m4 \
$(top_srcdir)/m4/man-compress-lib.m4 \
$(top_srcdir)/m4/man-gnu-nroff.m4 \
$(top_srcdir)/m4/man-heirloom-nroff.m4 \
+ $(top_srcdir)/m4/man-libseccomp.m4 \
$(top_srcdir)/m4/man-linguas.m4 $(top_srcdir)/m4/man-po4a.m4 \
$(top_srcdir)/m4/man-trans-subst.m4 \
$(top_srcdir)/gnulib/m4/00gnulib.m4 \
@@ -345,7 +346,8 @@ am_libman_la_OBJECTS = libman_la-appendstr.lo libman_la-cleanup.lo \
libman_la-encodings.lo libman_la-hashtable.lo \
libman_la-linelength.lo libman_la-lower.lo \
libman_la-orderfiles.lo libman_la-pathsearch.lo \
- libman_la-security.lo libman_la-tempfile.lo libman_la-util.lo \
+ libman_la-sandbox.lo libman_la-security.lo \
+ libman_la-tempfile.lo libman_la-util.lo \
libman_la-wordfnmatch.lo libman_la-xchown.lo \
libman_la-xregcomp.lo
libman_la_OBJECTS = $(am_libman_la_OBJECTS)
@@ -1369,6 +1371,8 @@ libdir = @libdir@
libexecdir = @libexecdir@
libpipeline_CFLAGS = @libpipeline_CFLAGS@
libpipeline_LIBS = @libpipeline_LIBS@
+libseccomp_CFLAGS = @libseccomp_CFLAGS@
+libseccomp_LIBS = @libseccomp_LIBS@
lispdir = @lispdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -1419,7 +1423,8 @@ libman_la_CPPFLAGS = \
-I$(top_srcdir)/gnulib/lib \
-I$(top_builddir)/gnulib/lib \
-DLOCALEDIR=\"$(localedir)\" \
- $(libpipeline_CFLAGS)
+ $(libpipeline_CFLAGS) \
+ $(libseccomp_CFLAGS)
libman_la_SOURCES = \
appendstr.c \
@@ -1440,6 +1445,8 @@ libman_la_SOURCES = \
orderfiles.h \
pathsearch.c \
pathsearch.h \
+ sandbox.c \
+ sandbox.h \
security.c \
security.h \
tempfile.c \
@@ -1457,7 +1464,8 @@ libman_la_LIBADD = ../gnulib/lib/libgnu.la $(LTLIBOBJS) \
libman_la_LDFLAGS = \
-avoid-version -release $(VERSION) -rpath $(pkglibdir) \
-no-undefined \
- $(libpipeline_LIBS)
+ $(libpipeline_LIBS) \
+ $(libseccomp_LIBS)
all: all-am
@@ -1547,6 +1555,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-lower.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-orderfiles.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-pathsearch.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-sandbox.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-security.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-tempfile.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libman_la-util.Plo@am__quote@
@@ -1645,6 +1654,13 @@ libman_la-pathsearch.lo: pathsearch.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libman_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libman_la-pathsearch.lo `test -f 'pathsearch.c' || echo '$(srcdir)/'`pathsearch.c
+libman_la-sandbox.lo: sandbox.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libman_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libman_la-sandbox.lo -MD -MP -MF $(DEPDIR)/libman_la-sandbox.Tpo -c -o libman_la-sandbox.lo `test -f 'sandbox.c' || echo '$(srcdir)/'`sandbox.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libman_la-sandbox.Tpo $(DEPDIR)/libman_la-sandbox.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sandbox.c' object='libman_la-sandbox.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libman_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libman_la-sandbox.lo `test -f 'sandbox.c' || echo '$(srcdir)/'`sandbox.c
+
libman_la-security.lo: security.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libman_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libman_la-security.lo -MD -MP -MF $(DEPDIR)/libman_la-security.Tpo -c -o libman_la-security.lo `test -f 'security.c' || echo '$(srcdir)/'`security.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libman_la-security.Tpo $(DEPDIR)/libman_la-security.Plo