Ver código fonte

Use FreeBSD 10's procctl(PROC_TRACE_CTL) to disable core dumps and tracing.

Bryan Drewery 10 anos atrás
pai
commit
efd29138df
5 arquivos alterados com 49 adições e 6 exclusões
  1. 3 2
      build/autotools/configure.ac
  2. 15 2
      configure
  3. 1 0
      doc/UPDATES.md
  4. 9 0
      src/config.h.in
  5. 21 2
      src/shell.cc

+ 3 - 2
build/autotools/configure.ac

@@ -91,7 +91,8 @@ AC_HEADER_STAT
 #checkpoint
 AC_CACHE_SAVE 
 AC_CHECK_HEADERS([stdarg.h arpa/inet.h fcntl.h limits.h locale.h netdb.h netinet/in.h])
-AC_CHECK_HEADERS([sys/file.h sys/ioctl.h sys/param.h sys/socket.h wchar.h sys/ptrace.h paths.h sys/prctl.h])
+AC_CHECK_HEADERS([sys/file.h sys/ioctl.h sys/param.h sys/socket.h wchar.h])
+AC_CHECK_HEADERS([sys/ptrace.h paths.h sys/prctl.h sys/procctl.h])
 
 #checkpoint
 AC_CACHE_SAVE
@@ -212,7 +213,7 @@ AC_CHECK_FUNCS([clock fsync getrusage isascii getpassphrase posix_madvise madvis
 AC_CHECK_FUNCS([memcpy memmem memset random rename snprintf srandom gettime])
 #checkpoint
 AC_CACHE_SAVE
-AC_CHECK_FUNCS([strcasecmp strncasecmp vsnprintf inet_ntop])
+AC_CHECK_FUNCS([strcasecmp strncasecmp vsnprintf inet_ntop prctl procctl])
 
 #autoscan suggested this....
 #These are recommended by autoscan, but no code supports it currently

+ 15 - 2
configure

@@ -5538,7 +5538,20 @@ fi
 
 done
 
-for ac_header in sys/file.h sys/ioctl.h sys/param.h sys/socket.h wchar.h sys/ptrace.h paths.h sys/prctl.h
+for ac_header in sys/file.h sys/ioctl.h sys/param.h sys/socket.h wchar.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>build/confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+for ac_header in sys/ptrace.h paths.h sys/prctl.h sys/procctl.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
@@ -8705,7 +8718,7 @@ $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
 rm -f confcache
-for ac_func in strcasecmp strncasecmp vsnprintf inet_ntop
+for ac_func in strcasecmp strncasecmp vsnprintf inet_ntop prctl procctl
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_cxx_check_func "$LINENO" "$ac_func" "$as_ac_var"

+ 1 - 0
doc/UPDATES.md

@@ -4,6 +4,7 @@
   * Avoid warnings from Debian's FORTIFY_SOURCE
   * Remove an old +take limiter that was forgotten.
   * Use Linux's prctl(PR_SET_DUMPABLE) to disable core dumps and ptrace(2).
+  * Use FreeBSD 10's procctl(PROC_TRACE_CTL) to disable core dumps and tracing.
   * Fix binary compat issue causing ptrace permission errors on Linux 3.4+
 
 # 1.4.6

+ 9 - 0
src/config.h.in

@@ -140,6 +140,12 @@
 /* Define to 1 if you have the `posix_madvise' function. */
 #undef HAVE_POSIX_MADVISE
 
+/* Define to 1 if you have the `prctl' function. */
+#undef HAVE_PRCTL
+
+/* Define to 1 if you have the `procctl' function. */
+#undef HAVE_PROCCTL
+
 /* Define to 1 if you have the `random' function. */
 #undef HAVE_RANDOM
 
@@ -216,6 +222,9 @@
 /* Define to 1 if you have the <sys/prctl.h> header file. */
 #undef HAVE_SYS_PRCTL_H
 
+/* Define to 1 if you have the <sys/procctl.h> header file. */
+#undef HAVE_SYS_PROCCTL_H
+
 /* Define to 1 if you have the <sys/ptrace.h> header file. */
 #undef HAVE_SYS_PTRACE_H
 

+ 21 - 2
src/shell.cc

@@ -60,6 +60,9 @@
 #define PR_SET_PTRACER 0x59616d61
 #endif
 #endif
+#ifdef HAVE_SYS_PROCCTL_H
+#include <sys/procctl.h>
+#endif
 #ifdef HAVE_SYS_PTRACE_H
 # include <sys/ptrace.h>
 #endif /* HAVE_SYS_PTRACE_H */
@@ -308,16 +311,32 @@ void check_trace(int start)
     if (!start)
       return;
 
-#if defined(PR_SET_DUMPABLE) && defined(PR_GET_DUMPABLE) && !defined(DEBUG)
+#ifndef DEBUG
+    int tracing_safe = 0;
+
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) && defined(PR_GET_DUMPABLE)
     /* Try to disable ptrace and core dumping entirely. */
     if (prctl(PR_GET_DUMPABLE) == 0 ||
         (prctl(PR_SET_DUMPABLE, 0) == 0 && prctl(PR_GET_DUMPABLE) == 0)) {
+      tracing_safe = 1;
+    }
+#elif defined(HAVE_PROCCTL) && defined(PROC_TRACE_CTL)
+    int status = 0;
+
+    if ((procctl(P_PID, parent, PROC_TRACE_STATUS, &status) == 0 &&
+        status == -1) ||
+        (status = PROC_TRACE_CTL_DISABLE,
+        procctl(P_PID, parent, PROC_TRACE_CTL, &status) == 0)) {
+      tracing_safe = 1;
+    }
+#endif
+    if (tracing_safe) {
       /* We're safe! Don't bother with further checks. */
       putlog(LOG_DEBUG, "*", "Ptrace disabled, no longer checking.");
       trace = DET_IGNORE;
       return;
     }
-#endif
+#endif	/* DEBUG */
 
 #ifndef __sun__
     int x, i, filedes[2];