Skip to content

Commit

Permalink
- (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
Browse files Browse the repository at this point in the history
    RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
    libc will attempt to open additional file descriptors for crypto
    offload and crash if they cannot be opened.
  • Loading branch information
djmdjm committed Jan 25, 2014
1 parent a92ac74 commit 2035b22
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@
[kex.c]
dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
ok dtucker@, noted by mancha
- (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
libc will attempt to open additional file descriptors for crypto
offload and crash if they cannot be opened.

20130125
- (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
Expand Down
7 changes: 5 additions & 2 deletions configure.ac
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.562 2014/01/25 02:16:59 djm Exp $
# $Id: configure.ac,v 1.563 2014/01/25 22:39:53 djm Exp $
#
# Copyright (c) 1999-2004 Damien Miller
#
Expand All @@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

AC_INIT([OpenSSH], [Portable], [[email protected]])
AC_REVISION($Revision: 1.562 $)
AC_REVISION($Revision: 1.563 $)
AC_CONFIG_SRCDIR([ssh.c])
AC_LANG([C])

Expand Down Expand Up @@ -780,6 +780,9 @@ mips-sony-bsd|mips-sony-newsos4)
AC_DEFINE([BROKEN_STRNVIS], [1],
[FreeBSD strnvis argument order is swapped compared to OpenBSD])
TEST_MALLOC_OPTIONS="AJRX"
# Preauth crypto occasionally uses file descriptors for crypto offload
# and will crash if they cannot be opened.
AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE])
;;
*-*-bsdi*)
AC_DEFINE([SETEUID_BREAKS_SETUID])
Expand Down
2 changes: 2 additions & 0 deletions sandbox-capsicum.c
Original file line number Diff line number Diff line change
Expand Up @@ -75,9 +75,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
__func__, strerror(errno));
#ifndef SANDBOX_SKIP_RLIMIT_NOFILE
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
__func__, strerror(errno));
#endif
if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
__func__, strerror(errno));
Expand Down
2 changes: 2 additions & 0 deletions sandbox-rlimit.c
Original file line number Diff line number Diff line change
Expand Up @@ -69,9 +69,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
__func__, strerror(errno));
#endif
#ifndef SANDBOX_SKIP_RLIMIT_NOFILE
if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
__func__, strerror(errno));
#endif
#ifdef HAVE_RLIMIT_NPROC
if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)
fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s",
Expand Down

0 comments on commit 2035b22

Please sign in to comment.