2026-02-10 00:37:00 +08:00 · 2014-06-12 15:35:45 +02:00
parent ae3b9e5111
commit 70623591d5
5 changed files with 17 additions and 5 deletions
							
							
								
							
							
						
@@ -236,7 +236,7 @@ fi
AC_ARG_ENABLE(seccomp,
  AS_HELP_STRING([--enable-seccomp], [enable seccomp support]),
    seccomp_enabled=$enableval, seccomp_enabled=no)
    seccomp_enabled=$enableval, seccomp_enabled=yes)
if [ test "$seccomp_enabled" = "yes" ];then
AC_LIB_HAVE_LINKFLAGS(seccomp,, [#include <seccomp.h>], [seccomp_init(0);])
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -84,6 +84,7 @@ static struct cfg_options available_options[] = {
	{ .name = "socket-file", .type = OPTION_STRING, .mandatory = 1 },
	{ .name = "occtl-socket-file", .type = OPTION_STRING, .mandatory = 0 },
	{ .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
	{ .name = "use-seccomp", .type = OPTION_BOOLEAN, .mandatory = 0 },
	{ .name = "predictable-ips", .type = OPTION_BOOLEAN, .mandatory = 0 },
	{ .name = "session-control", .type = OPTION_BOOLEAN, .mandatory = 0 },
	{ .name = "auto-select-group", .type = OPTION_BOOLEAN, .mandatory = 0 },
							
								
							
							
								
							
							
						
@@ -450,6 +451,7 @@ unsigned force_cert_auth;
		config->cisco_client_compat = 1;
	}
	READ_TF("use-seccomp", config->seccomp, 0);
	READ_TF("predictable-ips", config->predictable_ips, 1);
	READ_TF("use-utmp", config->use_utmp, 1);
	READ_TF("use-dbus", config->use_dbus, 0);
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -94,6 +94,11 @@ An example configuration file follows.
# accounting system in place with the PAM modules.
#session-control = true
# Whether to enable seccomp worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
#use-seccomp = true
# A banner to be displayed on clients
#banner = "Welcome"
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -221,6 +221,9 @@ struct cfg_st {
	unsigned rekey_method; /* REKEY_METHOD_ */
	time_t min_reauth_time;	/* after a failed auth, how soon one can reauthenticate -> in seconds */
	unsigned seccomp; /* whether seccomp should be enabled or not */
	unsigned auth_timeout; /* timeout of HTTP auth */
	unsigned idle_timeout; /* timeout when idle */
	unsigned mobile_idle_timeout; /* timeout when a mobile is idle */
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -691,10 +691,12 @@ void vpn_server(struct worker_st *ws)
	if (ws->config->auth_timeout)
		alarm(ws->config->auth_timeout);
	ret = disable_system_calls(ws);
	if (ret < 0) {
		oclog(ws, LOG_INFO,
		      "could not disable system calls, kernel might not support seccomp");
	if (ws->config->seccomp != 0) {
		ret = disable_system_calls(ws);
		if (ret < 0) {
			oclog(ws, LOG_INFO,
			      "could not disable system calls, kernel might not support seccomp");
		}
	}
	oclog(ws, LOG_DEBUG, "accepted connection");