[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - 2 commits - common/Seccomp.cpp configure.ac debian/changelog loolwsd.spec.in

Andras Timar andras.timar at collabora.com
Mon Jul 3 16:25:47 UTC 2017 

 common/Seccomp.cpp |   10 ++++++++++
 configure.ac       |   19 +++++++++++++++----
 debian/changelog   |    6 ++++++
 loolwsd.spec.in    |    2 +-
 4 files changed, 32 insertions(+), 5 deletions(-)

New commits:
commit 26f9b5648f9afc896ba6b95d2948b43f082ddc4a
Author: Andras Timar <andras.timar at collabora.com>
Date:   Fri Jun 30 12:10:38 2017 +0200

    configure option to disable SECCOMP
    
    Change-Id: I8120674b60d388a3f85190631469a112c4af9266
    Reviewed-on: https://gerrit.libreoffice.org/39408
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
    Tested-by: Michael Meeks <michael.meeks at collabora.com>
    (cherry picked from commit ad8bffa04a9fd104342d245100ba419b69f7e8ba)
    Signed-off-by: Andras Timar <andras.timar at collabora.com>

diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
index 092f1a5d..3cef8786 100644
--- a/common/Seccomp.cpp
+++ b/common/Seccomp.cpp
@@ -23,7 +23,9 @@
 #include <sys/prctl.h>
 #include <linux/audit.h>
 #include <linux/filter.h>
+#if DISABLE_SECCOMP == 0
 #include <linux/seccomp.h>
+#endif
 
 #include <common/Log.hpp>
 #include <common/SigUtil.hpp>
@@ -40,6 +42,7 @@
 #  error "Platform does not support seccomp filtering yet - unsafe."
 #endif
 
+#if DISABLE_SECCOMP == 0
 extern "C" {
 
 static void handleSysSignal(int /* signal */,
@@ -71,6 +74,7 @@ static void handleSysSignal(int /* signal */,
 }
 
 } // extern "C"
+#endif
 
 namespace Seccomp {
 
@@ -78,6 +82,7 @@ bool lockdown(Type type)
 {
     (void)type; // so far just the kit.
 
+#if DISABLE_SECCOMP == 0
     #define ACCEPT_SYSCALL(name) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
@@ -212,8 +217,13 @@ bool lockdown(Type type)
     LOG_TRC("Install seccomp filter successfully.");
 
     return true;
+#else // DISABLE_SECCOMP == 0
+     LOG_WRN("Warning this code was compiled without seccomp enabled, this setup is not recommended for production.");
+     return true;
+#endif // DISABLE_SECCOMP == 0
 }
 
 } // namespace Seccomp
 
+
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/configure.ac b/configure.ac
index 0017b0e1..54b48669 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,10 @@ AC_ARG_ENABLE([debug],
               AS_HELP_STRING([--enable-debug],
                              [Enable debugging, link with debugging version of Poco libraries]))
 
+AC_ARG_ENABLE([seccomp],
+              AS_HELP_STRING([--disable-seccomp],
+                             [Disable use of linux/seccomp.h header when kernel on target system does not support it.
+                              Beware of the security consequences!]))
 AC_ARG_WITH([lokit-path],
             AS_HELP_STRING([--with-lokit-path=<path>],
                            [Path to the "include" directory with the LibreOfficeKit headers]))
@@ -266,9 +270,16 @@ AC_CHECK_HEADERS([LibreOfficeKit/LibreOfficeKit.h],
 AC_CHECK_HEADERS([Poco/Net/WebSocket.h],
                  [],
                  [AC_MSG_ERROR([header Poco/Net/WebSocket.h not found, perhaps you want to use --with-poco-includes])])
-AC_CHECK_HEADERS([linux/seccomp.h],
-                 [],
-                 [AC_MSG_ERROR([critical security header linux/seccomp.h not found.])])
+DISABLE_SECCOMP=
+if test "$enable_seccomp" != "no"; then
+    AC_CHECK_HEADERS([linux/seccomp.h],
+                     [],
+                     [AC_MSG_ERROR([critical security header linux/seccomp.h not found. If kernel on target system does not support SECCOMP, you can use --disable-seccomp, but mind the security consequences.])])
+    AC_DEFINE([DISABLE_SECCOMP],0,[Whether to disable SECCOMP])
+else
+    AC_DEFINE([DISABLE_SECCOMP],1,[Whether to disable SECCOMP])
+fi
+
 
 AC_MSG_CHECKING([POCO version])
 AC_COMPILE_IFELSE([AC_LANG_SOURCE([
commit 0157d2637286e4ed86256d95c9f3fbca92128373
Author: Andras Timar <andras.timar at collabora.com>
Date:   Mon Jul 3 18:23:10 2017 +0200

    Bump version to 2.1.3
    
    Change-Id: I20f41ebd51b39dfe656947e619821b99a78dc493

diff --git a/configure.ac b/configure.ac
index 6a437dd0..0017b0e1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3,7 +3,7 @@
 
 AC_PREREQ([2.69])
 
-AC_INIT([loolwsd], [2.1.2], [libreoffice at lists.freedesktop.org])
+AC_INIT([loolwsd], [2.1.3], [libreoffice at lists.freedesktop.org])
 LT_INIT([shared, disable-static, dlopen])
 
 AM_INIT_AUTOMAKE([1.11 silent-rules subdir-objects tar-pax -Wno-portability])
diff --git a/debian/changelog b/debian/changelog
index 68cbf3e8..561781b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+loolwsd (2.1.3-1) unstable; urgency=medium
+
+  * see the git log: http://col.la/cool21
+
+ -- Andras Timar <andras.timar at collabora.com>  Tue, 03 Jul 2017 14:00:00 +0100
+
 loolwsd (2.1.2-6) unstable; urgency=medium
 
   * see the git log: http://col.la/cool21
diff --git a/loolwsd.spec.in b/loolwsd.spec.in
index d1c62520..724ddc5d 100644
--- a/loolwsd.spec.in
+++ b/loolwsd.spec.in
@@ -12,7 +12,7 @@ Name:           loolwsd%{name_suffix}
 Name:           loolwsd
 %endif
 Version:        @PACKAGE_VERSION@
-Release:        6%{?dist}
+Release:        1%{?dist}
 Vendor:         Collabora
 Summary:        LibreOffice On-Line WebSocket Daemon
 License:        MPL

More information about the Libreoffice-commits mailing list