Seccomp is now compiled in by default, and can be enabled at run-time.

configure.ac

@@ -236,7 +236,7 @@ fi
 
 AC_ARG_ENABLE(seccomp,
   AS_HELP_STRING([--enable-seccomp], [enable seccomp support]),
-    seccomp_enabled=$enableval, seccomp_enabled=no)
+    seccomp_enabled=$enableval, seccomp_enabled=yes)
 
 if [ test "$seccomp_enabled" = "yes" ];then
 AC_LIB_HAVE_LINKFLAGS(seccomp,, [#include <seccomp.h>], [seccomp_init(0);])

src/config.c

@@ -84,6 +84,7 @@ static struct cfg_options available_options[] = {
 	{ .name = "socket-file", .type = OPTION_STRING, .mandatory = 1 },
 	{ .name = "occtl-socket-file", .type = OPTION_STRING, .mandatory = 0 },
 	{ .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
+	{ .name = "use-seccomp", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "predictable-ips", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "session-control", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "auto-select-group", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -450,6 +451,7 @@ unsigned force_cert_auth;
 		config->cisco_client_compat = 1;
 	}
 
+	READ_TF("use-seccomp", config->seccomp, 0);
 	READ_TF("predictable-ips", config->predictable_ips, 1);
 	READ_TF("use-utmp", config->use_utmp, 1);
 	READ_TF("use-dbus", config->use_dbus, 0);

src/ocserv-args.def

@@ -94,6 +94,11 @@ An example configuration file follows.
 # accounting system in place with the PAM modules.
 #session-control = true
 
+# Whether to enable seccomp worker isolation. That restricts the number of 
+# system calls allowed to a worker process, in order to reduce damage from a
+# bug in the worker process. It is available on Linux systems at a performance cost.
+#use-seccomp = true
+
 # A banner to be displayed on clients
 #banner = "Welcome"
 

src/vpn.h

@@ -221,6 +221,9 @@ struct cfg_st {
 	unsigned rekey_method; /* REKEY_METHOD_ */
 
 	time_t min_reauth_time;	/* after a failed auth, how soon one can reauthenticate -> in seconds */
+
+	unsigned seccomp; /* whether seccomp should be enabled or not */
+
 	unsigned auth_timeout; /* timeout of HTTP auth */
 	unsigned idle_timeout; /* timeout when idle */
 	unsigned mobile_idle_timeout; /* timeout when a mobile is idle */

src/worker-vpn.c

@@ -691,10 +691,12 @@ void vpn_server(struct worker_st *ws)
 	if (ws->config->auth_timeout)
 		alarm(ws->config->auth_timeout);
 
-	ret = disable_system_calls(ws);
+	if (ws->config->seccomp != 0) {
-	if (ret < 0) {
+		ret = disable_system_calls(ws);
-		oclog(ws, LOG_INFO,
+		if (ret < 0) {
-		      "could not disable system calls, kernel might not support seccomp");
+			oclog(ws, LOG_INFO,
+			      "could not disable system calls, kernel might not support seccomp");
+		}
 	}
 
 	oclog(ws, LOG_DEBUG, "accepted connection");