bdc859e8de
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:cockpit/cockpit?expand=0&rev=209
70 lines
2.3 KiB
Diff
70 lines
2.3 KiB
Diff
diff --git a/configure.ac b/configure.ac
|
|
index 7b593a925..6010e8d6e 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -40,7 +40,6 @@ AC_CHECK_TOOL(AR, ar)
|
|
|
|
AC_CHECK_FUNCS(
|
|
closefrom
|
|
- pidfd_getpid
|
|
)
|
|
|
|
AM_SILENT_RULES([yes])
|
|
diff --git a/src/session/client-certificate.c b/src/session/client-certificate.c
|
|
index 18c8b1e4e..6acca2596 100644
|
|
--- a/src/session/client-certificate.c
|
|
+++ b/src/session/client-certificate.c
|
|
@@ -177,52 +177,8 @@ get_ws_proc_fd_pid_time (int unix_fd)
|
|
static int
|
|
get_ws_proc_fd (int unix_fd)
|
|
{
|
|
-#if defined(SO_PEERPIDFD) && defined(HAVE_PIDFD_GETPID)
|
|
- int pidfd = -1;
|
|
- socklen_t socklen = sizeof pidfd;
|
|
- /* this is always the pidfd for the process that started the communication, it cannot be recycled */
|
|
- if (getsockopt (unix_fd, SOL_SOCKET, SO_PEERPIDFD, &pidfd, &socklen) < 0)
|
|
- {
|
|
- if (errno == ENOPROTOOPT)
|
|
- {
|
|
- debug ("SO_PEERPIDFD not supported: %m, falling back to pid/time check");
|
|
- return get_ws_proc_fd_pid_time (unix_fd);
|
|
- }
|
|
-
|
|
- warn ("Failed to get peer pidfd");
|
|
- exit_init_problem ("access-denied", "Failed to get peer pidfd");
|
|
- }
|
|
- /* this is an inout parameter, be extra suspicious; this really Should Not Happen™, so bomb out */
|
|
- if (socklen != sizeof pidfd)
|
|
- errx (EX, "SO_PEERPIDFD returned too small result");
|
|
-
|
|
- /* get pid for pidfd; from here on this is racy and could suffer from PID recycling */
|
|
- pid_t pid = pidfd_getpid (pidfd);
|
|
- if (pid < 0)
|
|
- {
|
|
- /* be *very* strict here. This could theoretically ENOSYS if glibc has pidfd_getpid() but the kernel doesn't
|
|
- * support it; but err on the side of denying access rather than falling back */
|
|
- warn ("Failed to get pid from pidfd");
|
|
- exit_init_problem ("access-denied", "Failed to get pid from pidfd");
|
|
- }
|
|
-
|
|
- debug ("pid from ws peer pidfd: %i", (int) pid);
|
|
- int ws_proc_dirfd = open_proc_pid (pid);
|
|
-
|
|
- /* check that the pid is still valid to guard against recycling */
|
|
- if (pidfd_getpid (pidfd) != pid)
|
|
- {
|
|
- warn ("original pid %i is not valid any more", (int) pid);
|
|
- exit_init_problem ("access-denied", "Failed to get cockpit-ws pid");
|
|
- }
|
|
-
|
|
- close (pidfd);
|
|
- return ws_proc_dirfd;
|
|
-
|
|
-#else
|
|
debug ("not built with pidfd support, falling back to pid/time check");
|
|
return get_ws_proc_fd_pid_time (unix_fd);
|
|
-#endif
|
|
}
|
|
|
|
/* valid_256_bit_hex_string:
|