build without checking for pidfd_getpid on Leap 15.6
parent
d26d5019d5
commit
8a6c640ec4
@ -73,6 +73,7 @@ Patch107: 0006-totp-motd.patch
|
||||
Patch103: 0004-leap-gnu18-removal.patch
|
||||
Patch104: selinux_libdir.patch
|
||||
Patch105: fix-libexecdir.patch
|
||||
Patch106: drop_pidfd_getpid_check.patch
|
||||
|
||||
Patch201: remove_rh_links.patch
|
||||
|
||||
@ -228,6 +229,7 @@ BuildRequires: python3-tox-current-env
|
||||
%patch -P 103 -p1
|
||||
%patch -P 104 -p1
|
||||
%patch -P 105 -p1
|
||||
%patch -P 106 -p1
|
||||
%endif
|
||||
|
||||
%patch -P 201 -p1
|
||||
|
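--- a/drop_pidfd_getpid_check.patch
+++ b/drop_pidfd_getpid_check.patch
@@ -0,0 +1,69 @@
+diff --git a/configure.ac b/configure.ac
+index 7b593a925..6010e8d6e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -40,7 +40,6 @@ AC_CHECK_TOOL(AR, ar)
+
+AC_CHECK_FUNCS(
+closefrom
+- pidfd_getpid
+)
+
+AM_SILENT_RULES([yes])
+diff --git a/src/session/client-certificate.c b/src/session/client-certificate.c
+index 18c8b1e4e..6acca2596 100644
+--- a/src/session/client-certificate.c
++++ b/src/session/client-certificate.c
+@@ -177,52 +177,8 @@ get_ws_proc_fd_pid_time (int unix_fd)
+static int
+get_ws_proc_fd (int unix_fd)
+{
+-#if defined(SO_PEERPIDFD) && defined(HAVE_PIDFD_GETPID)
+- int pidfd = -1;
+- socklen_t socklen = sizeof pidfd;
+- /* this is always the pidfd for the process that started the communication, it cannot be recycled */
+- if (getsockopt (unix_fd, SOL_SOCKET, SO_PEERPIDFD, &pidfd, &socklen) < 0)
+- {
+- if (errno == ENOPROTOOPT)
+- {
+- debug ("SO_PEERPIDFD not supported: %m, falling back to pid/time check");
+- return get_ws_proc_fd_pid_time (unix_fd);
+- }
+-
+- warn ("Failed to get peer pidfd");
+- exit_init_problem ("access-denied", "Failed to get peer pidfd");
+- }
+- /* this is an inout parameter, be extra suspicious; this really Should Not Happen™, so bomb out */
+- if (socklen != sizeof pidfd)
+- errx (EX, "SO_PEERPIDFD returned too small result");
+-
+- /* get pid for pidfd; from here on this is racy and could suffer from PID recycling */
+- pid_t pid = pidfd_getpid (pidfd);
+- if (pid < 0)
+- {
+- /* be *very* strict here. This could theoretically ENOSYS if glibc has pidfd_getpid() but the kernel doesn't
+- * support it; but err on the side of denying access rather than falling back */
+- warn ("Failed to get pid from pidfd");
+- exit_init_problem ("access-denied", "Failed to get pid from pidfd");
+- }
+-
+- debug ("pid from ws peer pidfd: %i", (int) pid);
+- int ws_proc_dirfd = open_proc_pid (pid);
+-
+- /* check that the pid is still valid to guard against recycling */
+- if (pidfd_getpid (pidfd) != pid)
+- {
+- warn ("original pid %i is not valid any more", (int) pid);
+- exit_init_problem ("access-denied", "Failed to get cockpit-ws pid");
+- }
+-
+- close (pidfd);
+- return ws_proc_dirfd;
+-
+-#else
+debug ("not built with pidfd support, falling back to pid/time check");
+return get_ws_proc_fd_pid_time (unix_fd);
+-#endif
+}
+
+/* valid_256_bit_hex_string: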
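Review bot: The `client-certificate.c` hunk of this patch deletes the entire `SO_PEERPIDFD` branch of `get_ws_proc_fd`, so every build that applies it identifies the cockpit-ws peer only through `get_ws_proc_fd_pid_time`, which the removed code used as a fallback on `ENOPROTOOPT` while describing the pidfd as one that "cannot be recycled". That is a wider change than the commit title suggests, and the patch file has no header saying why the branch must go when an undefined `HAVE_PIDFD_GETPID` would presumably already select the `#else` path. I would add a short description at the top of the patch, for example `Leap 15.6 only: <reason pidfd_getpid cannot be used>; forces the pid/time peer check in get_ws_proc_fd`. It is also worth confirming that the `%if` guarding `%patch -P 106 -p1` in the spec (only its `%endif` is visible on this page) restricts the patch to Leap 15.6, so that other targets keep the pidfd path. The remaining debug message `not built with pidfd support, falling back to pid/time check` stays accurate for such a build.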