Change USE_SECCOMP to ENABLE_EXTRA_SECURITY and use it for Windows and OpenBSD, too.

This option now controls seccomp(), Win32 low integrity processes, and OpenBSD pledge() and tame(). It's recommended to keep it enabled everywhere, though on Linux it may need to be disabled if a glibc update breaks things due to new syscalls. appveyor.cmd, travis.sh: Set ENABLE_EXTRA_SECURITY.
2025-06-18 19:45:41 -04:00 · 2020-08-20 19:05:01 -04:00 · 2020-08-20 19:05:01 -04:00 · 3370832b21
commit 3370832b21
parent 8650f665bc
15 changed files with 111 additions and 97 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -173,17 +173,9 @@ ELSE(BUILD_CLI)
 	SET(CLI_BUILD_MSG "No")
 ENDIF(BUILD_CLI)
-IF(SECCOMP_FOUND)
+IF(NOT SECURITY_MECHANISM)
-	SET(SEC_MECHANISM "seccomp()")
+	SET(SECURITY_MECHANISM "None")
-ELSEIF(HAVE_PLEDGE)
+ENDIF(NOT SECURITY_MECHANISM)
 	SET(SEC_MECHANISM "pledge()")
 ELSEIF(HAVE_TAME)
 	SET(SEC_MECHANISM "tame()")
 ELSEIF(WIN32)
 	SET(SEC_MECHANISM "Win32")
 ELSE()
 	SET(SEC_MECHANISM "none")
 ENDIF()
 IF(ENABLE_DECRYPTION)
 	SET(ENABLE_DECRYPTION_MSG "Enabled")
@ -246,7 +238,7 @@ MESSAGE("
 - Building these UI frontends: ${UI_FRONTENDS}
 - Building command-line frontend: ${CLI_BUILD_MSG}
- Security mechanism: ${SEC_MECHANISM}
+- Security mechanism: ${SECURITY_MECHANISM}
 - Decryption functionality: ${ENABLE_DECRYPTION_MSG}
 - XML parsing: ${ENABLE_XML_MSG}
 - PVRTC decoder: ${ENABLE_PVRTC_MSG}
--- a/appveyor.cmd
+++ b/appveyor.cmd
@ -13,7 +13,7 @@ set CMAKE_GENERATOR_TOOLSET=v140_xp
 if "%platform%" == "x64" set "CMAKE_GENERATOR=%CMAKE_GENERATOR% Win64"
 mkdir build
 cd build
-cmake .. -G "%CMAKE_GENERATOR%" -DCMAKE_GENERATOR_TOOLSET=%CMAKE_GENERATOR_TOOLSET% -DENABLE_JPEG=ON -DBUILD_TESTING=ON -DENABLE_LTO=OFF -DENABLE_PCH=ON
+cmake .. -G "%CMAKE_GENERATOR%" -DCMAKE_GENERATOR_TOOLSET=%CMAKE_GENERATOR_TOOLSET% -DENABLE_EXTRA_SECURITY=ON -DENABLE_JPEG=ON -DBUILD_TESTING=ON -DENABLE_LTO=OFF -DENABLE_PCH=ON
 exit /b %ERRORLEVEL%
 :mingw-w64
--- a/src/libromdata/img/ExecRpDownload_win32.cpp
+++ b/src/libromdata/img/ExecRpDownload_win32.cpp
@ -66,6 +66,7 @@ int CacheManager::execRpDownload(const string &filteredCacheKey)
 	memset(&pi, 0, sizeof(pi));
 	si.cb = sizeof(si);
 #ifdef ENABLE_EXTRA_SECURITY
 	// Attempt to create a low-integrity token.
 	HANDLE hLowToken = CreateIntegrityLevelToken(SECURITY_MANDATORY_LOW_RID);
 	if (hLowToken) {
@ -83,7 +84,9 @@ int CacheManager::execRpDownload(const string &filteredCacheKey)
 			&si,				// lpStartupInfo
 			&pi);				// lpProcessInformation
 		CloseHandle(hLowToken);
-	} else {
+	} else
 #endif /* ENABLE_EXTRA_SECURITY */
 	{
 		// Unable to create a low-integrity token.
 		// Create the process normally.
 		bRet = CreateProcess(
--- a/src/librpsecure/CMakeLists.txt
+++ b/src/librpsecure/CMakeLists.txt
@ -8,48 +8,48 @@ IF(POLICY CMP0063)
 ENDIF(POLICY CMP0063)
 PROJECT(librpsecure LANGUAGES C)
-IF(CMAKE_SYSTEM_NAME STREQUAL "Linux")
+OPTION(ENABLE_EXTRA_SECURITY "Enable extra security functionality if available." ON)
 	OPTION(USE_SECCOMP "Use libseccomp filters in rp-download and rpcli." ON)
 	OPTION(ENABLE_SECCOMP_DEBUG "Enable libseccomp debugging." OFF)
 ELSE()
 	SET(USE_SECCOMP OFF CACHE INTERNAL "Use libseccomp filters in rp-download and rpcli." FORCE)
 	SET(ENABLE_SECCOMP_DEBUG OFF CACHE INTERNAL "Enable libseccomp debugging." FORCE)
 ENDIF()
-IF(WIN32)
+IF(ENABLE_EXTRA_SECURITY)
-	SET(librpsecure_SRCS
+	IF(WIN32)
-		win32/integrity_level.c
+		SET(librpsecure_SRCS
-		win32/secoptions.c
+			win32/integrity_level.c
-		)
+			win32/secoptions.c
-	SET(librpsecure_H
+			)
-		os-secure.h
+		SET(librpsecure_H
-		win32/integrity_level.h
+			os-secure.h
-		win32/secoptions.h
+			win32/integrity_level.h
-		win32/secoptions_win8.h
+			win32/secoptions.h
-		)
+			win32/secoptions_win8.h
-	SET(librpsecure_OS_SRCS os-secure_win32.c)
+			)
-ELSEIF(UNIX AND NOT APPLE)
+		SET(librpsecure_OS_SRCS os-secure_win32.c)
-	# Check for system security functionality.
+		SET(SECURITY_MECHANISM_int "Win32 API")
-	IF(USE_SECCOMP)
+	ELSEIF(UNIX AND NOT APPLE)
-		# Linux: Use seccomp().
+		# Check for system security functionality.
-		FIND_PACKAGE(SECCOMP REQUIRED)
+		IF(CMAKE_SYSTEM MATCHES "Linux")
-		IF(SECCOMP_FOUND)
+			# Linux: Use seccomp().
-			SET(librpsecure_OS_SRCS os-secure_linux.c)
+			FIND_PACKAGE(SECCOMP REQUIRED)
-			IF(ENABLE_SECCOMP_DEBUG)
+			IF(SECCOMP_FOUND)
-				SET(librpsecure_OS_SRCS ${librpsecure_OS_SRCS} seccomp-debug.c)
+				SET(librpsecure_OS_SRCS os-secure_linux.c seccomp-debug.c)
-				SET(librpsecure_OS_H ${librpsecure_OS_H} seccomp-debug.h)
+				SET(librpsecure_OS_H seccomp-debug.h)
-			ENDIF(ENABLE_SECCOMP_DEBUG)
+				SET(HAVE_SECCOMP 1)
-			SET(HAVE_SECCOMP 1)
+				SET(SECURITY_MECHANISM_int "seccomp()")
-		ENDIF(SECCOMP_FOUND)
+			ENDIF(SECCOMP_FOUND)
-	ELSE()
+		ELSE()
-		# OpenBSD: Use pledge()/tame().
+			# OpenBSD: Use pledge()/tame().
-		INCLUDE(CheckOpenBSDPledge)
+			INCLUDE(CheckOpenBSDPledge)
-		CHECK_OPENBSD_PLEDGE()
+			CHECK_OPENBSD_PLEDGE()
-		IF(HAVE_PLEDGE OR HAVE_TAME)
+			IF(HAVE_PLEDGE)
-			SET(librpsecure_OS_SRCS os-secure_openbsd.c)
+				SET(librpsecure_OS_SRCS os-secure_openbsd.c)
 				SET(SECURITY_MECHANISM_int "pledge()")
 			ELSEIF(HAVE_TAME)
 				SET(librpsecure_OS_SRCS os-secure_openbsd.c)
 				SET(SECURITY_MECHANISM_int "tame()")
 			ENDIF()
 		ENDIF()
 	ENDIF()
-ENDIF()
+ENDIF(ENABLE_EXTRA_SECURITY)
 SET(SECURITY_MECHANISM "${SECURITY_MECHANISM_int}" CACHE INTERNAL "Security mechanism" FORCE)
 IF(NOT librpsecure_OS_SRCS)
 	# TODO: Add support for other systems.
@ -73,9 +73,11 @@ INCLUDE(SetMSVCDebugPath)
 SET_MSVC_DEBUG_PATH(rpsecure)
 # Exclude from ALL builds.
 SET_TARGET_PROPERTIES(rpsecure PROPERTIES EXCLUDE_FROM_ALL TRUE)
-IF(USE_SECCOMP AND SECCOMP_FOUND)
+IF(ENABLE_EXTRA_SECURITY)
-	TARGET_LINK_LIBRARIES(rpsecure PUBLIC Seccomp::seccomp)
+	IF(CMAKE_SYSTEM MATCHES "Linux" AND SECCOMP_FOUND)
-ENDIF(USE_SECCOMP AND SECCOMP_FOUND)
+		TARGET_LINK_LIBRARIES(rpsecure PUBLIC Seccomp::seccomp)
 	ENDIF(CMAKE_SYSTEM MATCHES "Linux" AND SECCOMP_FOUND)
 ENDIF(ENABLE_EXTRA_SECURITY)
 TARGET_INCLUDE_DIRECTORIES(rpsecure
 	PUBLIC  $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>		# librpsecure
--- a/src/librpsecure/config.librpsecure.h.in
+++ b/src/librpsecure/config.librpsecure.h.in
@ -21,7 +21,7 @@
 /* Define to 1 if you have the Linux `seccomp` library. */
 #cmakedefine HAVE_SECCOMP 1
-/* Define to 1 to enable seccomp debugging. */
+/* Define to 1 to enable extra security functionality. */
-#cmakedefine ENABLE_SECCOMP_DEBUG 1
+#cmakedefine ENABLE_EXTRA_SECURITY 1
 #endif /* __ROMPROPERTIES_LIBRPSECURE_CONFIG_H__ */
--- a/src/librpsecure/os-secure.h
+++ b/src/librpsecure/os-secure.h
@ -11,17 +11,19 @@
 #include "config.librpsecure.h"
-#ifdef _WIN32
+#ifdef ENABLE_EXTRA_SECURITY
-# include <windows.h>
+#  ifdef _WIN32
-#else /* !_WIN32 */
+#    include <windows.h>
-# include <unistd.h>
+#  else /* !_WIN32 */
-# ifdef HAVE_SECCOMP
+#    include <unistd.h>
-#  include <linux/unistd.h>
+#    ifdef HAVE_SECCOMP
-#  include <seccomp.h>
+#      include <linux/unistd.h>
-# elif HAVE_TAME
+#      include <seccomp.h>
-#  include <sys/tame.h>
+#    elif HAVE_TAME
-# endif
+#      include <sys/tame.h>
-#endif /* _WIN32 */
+#    endif
 #  endif /* _WIN32 */
 #endif /* ENABLE_EXTRA_SECURITY */
 #ifdef __cplusplus
@ -33,7 +35,7 @@ extern "C" {
 * (Windows only; no-op on other platforms.)
 * @return 0 on success; negative POSIX error code on error.
 */
-#ifdef _WIN32
+#if defined(_WIN32) && defined(ENABLE_EXTRA_SECURITY)
 int rp_secure_reduce_integrity(void);
 #else /* !_WIN32 */
 static inline int rp_secure_reduce_integrity(void)
@ -50,7 +52,7 @@ static inline int rp_secure_reduce_integrity(void)
 */
 typedef struct _rp_secure_param_t {
 #if defined(_WIN32)
-	BOOL bHighSec;	// High security mode
+	int bHighSec;		// High security mode
 #elif defined(HAVE_SECCOMP)
 	const int *syscall_wl;	// Array of allowed syscalls. (-1 terminated)
 #elif defined(HAVE_PLEDGE)
@ -58,7 +60,9 @@ typedef struct _rp_secure_param_t {
 #elif defined(HAVE_TAME)
 	int tame_flags;		// tame() flags
 #else
-# warning rp_secure_enable() not implemented for this OS
+#  ifdef ENABLE_SANDBOX
 #    warning rp_secure_enable() not implemented for this OS
 #  endif /* ENABLE_SANDBOX */
 	int dummy;		// to prevent having an empty struct
 #endif
 } rp_secure_param_t;
@ -68,7 +72,15 @@ typedef struct _rp_secure_param_t {
 * @param param OS-specific parameter.
 * @return 0 on success; negative POSIX error code on error.
 */
 #if defined(ENABLE_EXTRA_SECURITY)
 int rp_secure_enable(rp_secure_param_t param);
 #else /* !ENABLE_EXTRA_SECURITY */
 static inline int rp_secure_enable(rp_secure_param_t param)
 {
 	((void)param);
 	return 0;
 }
 #endif /* ENABLE_EXTRA_SECURITY */
 #ifdef __cplusplus
 }
--- a/src/librpsecure/os-secure_dummy.c
+++ b/src/librpsecure/os-secure_dummy.c
@ -6,16 +6,4 @@
 * SPDX-License-Identifier: GPL-2.0-or-later                               *
 ***************************************************************************/
-#include "os-secure.h"
+// dummy file to force a valid target
 /**
 * Enable OS-specific security functionality.
 * @param param OS-specific parameter.
 * @return 0 on success; negative POSIX error code on error.
 */
 int rp_secure_enable(rp_secure_param_t param)
 {
 	// Dummy implementation does nothing.
 	((void)param);
 	return 0;
 }
--- a/src/librpsecure/os-secure_linux.c
+++ b/src/librpsecure/os-secure_linux.c
@ -22,11 +22,15 @@
 #include <sys/prctl.h>
 #include <linux/sched.h>	// CLONE_THREAD
 #ifndef NDEBUG
 #  define ENABLE_SECCOMP_DEBUG 1
 #endif /* !NDEBUG */
 #ifdef ENABLE_SECCOMP_DEBUG
-# include "seccomp-debug.h"
+#  include "seccomp-debug.h"
-# define SCMP_ACTION SCMP_ACT_TRAP
+#  define SCMP_ACTION SCMP_ACT_TRAP
 #else /* !ENABLE_SECCOMP_DEBUG */
-# define SCMP_ACTION SCMP_ACT_KILL
+#  define SCMP_ACTION SCMP_ACT_KILL
 #endif /* ENABLE_SECCOMP_DEBUG */
 /**
--- a/src/librpsecure/seccomp-debug.c
+++ b/src/librpsecure/seccomp-debug.c
@ -7,6 +7,9 @@
 ***************************************************************************/
 #include "seccomp-debug.h"
 #ifndef NDEBUG
 #include <seccomp.h>
 #include <signal.h>
@ -133,3 +136,5 @@ void seccomp_debug_install_sigsys(void)
 	sigaction(SIGSYS, &act, NULL);
 }
 #endif /* !NDEBUG */
--- a/src/librpsecure/seccomp-debug.h
+++ b/src/librpsecure/seccomp-debug.h
@ -9,6 +9,8 @@
 #ifndef __ROMPROPERTIES_LIBRPSECURE_SECCOMP_DEBUG_H__
 #define __ROMPROPERTIES_LIBRPSECURE_SECCOMP_DEBUG_H__
 #ifndef NDEBUG
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -23,4 +25,6 @@ void seccomp_debug_install_sigsys(void);
 }
 #endif
 #endif /* !NDEBUG */
 #endif /* __ROMPROPERTIES_LIBRPSECURE_SECCOMP_DEBUG_H__ */
--- a/src/librpsecure/win32/integrity_level.h
+++ b/src/librpsecure/win32/integrity_level.h
@ -9,6 +9,10 @@
 #ifndef __ROMPROPERTIES_LIBRPSECURE_WIN32_INTEGRITY_LEVEL_H__
 #define __ROMPROPERTIES_LIBRPSECURE_WIN32_INTEGRITY_LEVEL_H__
 #include "config.librpsecure.h"
 #ifdef ENABLE_EXTRA_SECURITY
 #include <windows.h>
 #ifdef __cplusplus
@ -48,4 +52,6 @@ DWORD SetProcessIntegrityLevel(int level);
 }
 #endif
 #endif /* ENABLE_EXTRA_SECURITY */
 #endif /* __ROMPROPERTIES_LIBRPSECURE_WIN32_INTEGRITY_LEVEL_H__ */
--- a/src/librpsecure/win32/secoptions.c
+++ b/src/librpsecure/win32/secoptions.c
@ -18,6 +18,7 @@
 #include <stdlib.h>
 // Windows includes.
 #include <windows.h>
 #include <sdkddkver.h>
 #include <winternl.h>
 #include <tchar.h>
@ -213,7 +214,7 @@ out:
 * @param bHighSec If non-zero, enable high security for unprivileged processes.
 * @return 0 on success; negative POSIX error code on error.
 */
-int rp_secure_win32_secoptions_init(BOOL bHighSec)
+int rp_secure_win32_secoptions_init(int bHighSec)
 {
 	OSVERSIONINFO osvi;
 	HMODULE hKernel32;
--- a/src/librpsecure/win32/secoptions.h
+++ b/src/librpsecure/win32/secoptions.h
@ -9,8 +9,6 @@
 #ifndef __ROMPROPERTIES_LIBRPSECURE_WIN32_SECOPTIONS_H__
 #define __ROMPROPERTIES_LIBRPSECURE_WIN32_SECOPTIONS_H__
 #include <windows.h>
 #ifdef __cplusplus
 extern "C" {
 #endif
@ -21,7 +19,7 @@ extern "C" {
 * @param bHighSec If non-zero, enable high security for unprivileged processes.
 * @return 0 on success; negative POSIX error code on error.
 */
-int rp_secure_win32_secoptions_init(BOOL bHighSec);
+int rp_secure_win32_secoptions_init(int bHighSec);
 #ifdef __cplusplus
 }
--- a/src/rpcli/rpcli_secure.c
+++ b/src/rpcli/rpcli_secure.c
@ -19,7 +19,7 @@ int rpcli_do_security_options(void)
 	// Set OS-specific security options.
 	rp_secure_param_t param;
 #if defined(_WIN32)
-	param.bHighSec = FALSE;
+	param.bHighSec = 0;
 #elif defined(HAVE_SECCOMP)
 	static const int syscall_wl[] = {
 		// Syscalls used by rp-download.
@ -89,5 +89,6 @@ int rpcli_do_security_options(void)
 #else
 	param.dummy = 0;
 #endif
 	return rp_secure_enable(param);
 }
--- a/travis.sh
+++ b/travis.sh
@ -41,7 +41,7 @@ case "$OSTYPE" in
 			-DBUILD_XFCE=ON \
 			-DBUILD_GTK3=ON \
 			\
-			-DUSE_SECCOMP=OFF \
+			-DENABLE_EXTRA_SECURITY=OFF \
 			-DENABLE_JPEG=OFF \
 			-DENABLE_XML=OFF \
 			-DENABLE_DECRYPTION=OFF \
@ -60,10 +60,8 @@ LC_ALL="en_US.UTF8" ctest -V || RET=1
 LC_ALL="fr_FR.UTF8" ctest -V || RET=1
 # Second build with optional components enabled.
 # NOTE: Seccomp is Linux only, so a warning will be printed
 # on other platforms.
 cmake .. \
-	-DUSE_SECCOMP=ON \
+	-DENABLE_EXTRA_SECURITY=ON \
 	-DENABLE_JPEG=ON \
 	-DENABLE_XML=ON \
 	-DENABLE_DECRYPTION=ON \