- (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not

setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported. Its benefit is minor, so it's not worth disabling the sandbox if it doesn't work.
2012-07-03 22:48:31 +10:00 · 2012-07-03 22:48:31 +10:00 · d545a4b974
--- a/4
+++ b/4
@ -1,6 +1,10 @@
 20120703
 - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
   setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
+ - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
+   setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported.  Its
+   benefit is minor, so it's not worth disabling the sandbox if it doesn't
+   work.

 20120702
 - (dtucker) OpenBSD CVS Sync
--- a/configure.ac
+++ b/configure.ac
@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.493 2012/07/03 04:31:18 dtucker Exp $
+# $Id: configure.ac,v 1.494 2012/07/03 12:48:31 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.493 $)
+AC_REVISION($Revision: 1.494 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])

@ -2615,6 +2615,25 @@ AC_RUN_IFELSE(
 	[AC_MSG_WARN([cross compiling: assuming yes])]
 )

+AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works])
+AC_RUN_IFELSE(
+	[AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <stdlib.h>
+	]],[[
+		struct rlimit rl_zero;
+
+		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+		exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
+	]])],
+	[AC_MSG_RESULT([yes])],
+	[AC_MSG_RESULT([no])
+	 AC_DEFINE(SANDBOX_SKIP_RLIMIT_FSIZE, 1,
+	    [setrlimit RLIMIT_FSIZE works])],
+	[AC_MSG_WARN([cross compiling: assuming yes])]
+)
+
 if test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
 	test "x$have_systr_policy_kill" != "x1" && \
--- a/sandbox-rlimit.c
+++ b/sandbox-rlimit.c
@ -64,9 +64,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)

 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;

+#ifndef SANDBOX_SKIP_RLIMIT_FSIZE
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
 		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
 			__func__, strerror(errno));
+#endif
 	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
 		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
 			__func__, strerror(errno));