authorKarel Zak2016-09-29 16:32:33 +0200
committerKarel Zak2016-09-29 16:32:33 +0200
commit8e4925016875c6a4f2ab4f833ba66f0fc57396a2 (patch)
treea6cb7d8cd2d619895c6de6975fe6c904875e5cc5 /configure.ac
parenttests: Add helper for TIOCSTI exploit (diff)
su,runuser: add libseccomp based workaround for TIOCSTI ioctl
This patch adds a libseccomp-based syscall filter to disable the TIOCSTI ioctl in su/runuser children. IMHO it is not an elegant solution due to the dependence on libseccomp (use --without-seccomp if you hate it)... but there is nothing better for now. Addresses: CVE-2016-2779 Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac16
1 files changed, 16 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 680f5b687..634686513 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1691,6 +1691,22 @@ AS_IF([test "x$with_user" != xno], [
])
AM_CONDITIONAL([HAVE_USER], [test "x$have_user" = xyes])
+
+AC_ARG_WITH([libseccomp], AS_HELP_STRING([--without-seccomp], [compile without libseccomp]),
+ [], [with_seccomp=check]
+)
+have_seccomp=no
+AS_IF([test "x$with_seccomp" != xno], [
+ PKG_CHECK_MODULES(SECCOMP,[libseccomp], [have_seccomp=yes], [have_seccomp=no])
+ AS_CASE([$with_seccomp:$have_seccomp],
+ [yes:no],
+ [AC_MSG_ERROR([seccomp selected but libseccomp not found])],
+ [*:yes],
+ [AC_DEFINE([HAVE_LIBSECCOMP], [1], [Define if libseccomp is available])]
+ )
+])
+
+
AC_ARG_ENABLE([chfn-chsh-password],
AS_HELP_STRING([--disable-chfn-chsh-password], [do not require the user to enter the password in chfn and chsh]),
[], [enable_chfn_chsh_password=yes]
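Review bot: The option is declared as `AC_ARG_WITH([libseccomp], ...)`, so autoconf stores the user's choice in `with_libseccomp`, while the default and both tests in the added block read `with_seccomp`. With the declared spelling, `--with-libseccomp` on a system lacking the library leaves `with_seccomp` empty, `:no` matches neither `AS_CASE` arm, and configure succeeds without the TIOCSTI filter instead of stopping with the "seccomp selected but libseccomp not found" error. `--without-libseccomp` likewise does not skip the probe. Declaring it as `AC_ARG_WITH([seccomp], AS_HELP_STRING([--without-seccomp], [compile without libseccomp]),` makes the option name, help string and variable agree. Since this guards a CVE mitigation, an `AC_MSG_WARN` in the `check:no` case would also make a build without the filter visible in the configure output.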