diff --git a/CMakeLists.txt b/CMakeLists.txt index 2184ae90..cb627ccd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1065,113 +1065,6 @@ if(XZ_LZIP_DECODER) ) endif() - -############## -# Sandboxing # -############## - -# auto Use sandboxing if a supported method is available in the OS. -# no Disable sandboxing. -# capsicum Require Capsicum (FreeBSD >= 10.2) and fail if not found. -# pledge Require pledge(2) (OpenBSD >= 5.9) and fail if not found. -# landlock Require Landlock (Linux >= 5.13) and fail if not found. -set(SUPPORTED_SANDBOX_METHODS auto no capsicum pledge landlock) - -set(XZ_SANDBOX auto CACHE STRING - "Sandboxing method to use in 'xz', 'xzdec', and 'lzmadec'") - -set_property(CACHE XZ_SANDBOX PROPERTY STRINGS "${SUPPORTED_SANDBOX_METHODS}") - -if(NOT XZ_SANDBOX IN_LIST SUPPORTED_SANDBOX_METHODS) - message(FATAL_ERROR "'${XZ_SANDBOX}' is not a supported " - "sandboxing method") -endif() - -# When autodetecting, the search order is fixed and we must not find -# more than one method. -if(XZ_SANDBOX STREQUAL "no") - set(SANDBOX_FOUND ON) -else() - set(SANDBOX_FOUND OFF) -endif() - -# Since xz and xzdec can both use sandboxing, the compile definition needed -# to use the sandbox must be added to both targets. -set(SANDBOX_COMPILE_DEFINITION OFF) - -# Sandboxing: Capsicum -if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^capsicum$") - check_symbol_exists(cap_rights_limit sys/capsicum.h - HAVE_CAP_RIGHTS_LIMIT) - if(HAVE_CAP_RIGHTS_LIMIT) - set(SANDBOX_COMPILE_DEFINITION "HAVE_CAP_RIGHTS_LIMIT") - set(SANDBOX_FOUND ON) - endif() -endif() - -# Sandboxing: pledge(2) -if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^pledge$") - check_symbol_exists(pledge unistd.h HAVE_PLEDGE) - if(HAVE_PLEDGE) - set(SANDBOX_COMPILE_DEFINITION "HAVE_PLEDGE") - set(SANDBOX_FOUND ON) - endif() -endif() - -# Sandboxing: Landlock -if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^landlock$") - # A compile check is done here because some systems have - # linux/landlock.h, but do not have the syscalls defined - # in order to actually use Linux Landlock. - check_c_source_compiles(" - #include - #include - #include - - void my_sandbox(void) - { - (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); - (void)SYS_landlock_create_ruleset; - (void)SYS_landlock_restrict_self; - (void)LANDLOCK_CREATE_RULESET_VERSION; - return; - } - - int main(void) { return 0; } - " - HAVE_LINUX_LANDLOCK) - - if(HAVE_LINUX_LANDLOCK) - set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK") - set(SANDBOX_FOUND ON) - - # Of our three sandbox methods, only Landlock is incompatible - # with -fsanitize. FreeBSD 13.2 with Capsicum was tested with - # -fsanitize=address,undefined and had no issues. OpenBSD (as - # of version 7.4) has minimal support for process instrumentation. - # OpenBSD does not distribute the additional libraries needed - # (libasan, libubsan, etc.) with GCC or Clang needed for runtime - # sanitization support and instead only support - # -fsanitize-minimal-runtime for minimal undefined behavior - # sanitization. This minimal support is compatible with our use - # of the Pledge sandbox. So only Landlock will result in a - # build that cannot compress or decompress a single file to - # standard out. - if(CMAKE_C_FLAGS MATCHES "-fsanitize=") - message(SEND_ERROR - "CMAKE_C_FLAGS or the environment variable CFLAGS " - "contains '-fsanitize=' which is incompatible " - "with Landlock sandboxing. Use -DXZ_SANDBOX=no " - "as an argument to 'cmake' when using '-fsanitize'.") - endif() - endif() -endif() - -if(NOT SANDBOX_FOUND AND NOT XZ_SANDBOX MATCHES "^auto$|^no$") - message(SEND_ERROR "XZ_SANDBOX=${XZ_SANDBOX} was used but " - "support for the sandboxing method wasn't found.") -endif() - ### # Put the tuklib functions under the lzma_ namespace. @@ -1701,6 +1594,113 @@ if(NOT HAVE_GETOPT_LONG) endif() +############################################################################# +# Sandboxing for the command line tools +############################################################################# + +# auto Use sandboxing if a supported method is available in the OS. +# no Disable sandboxing. +# capsicum Require Capsicum (FreeBSD >= 10.2) and fail if not found. +# pledge Require pledge(2) (OpenBSD >= 5.9) and fail if not found. +# landlock Require Landlock (Linux >= 5.13) and fail if not found. +set(SUPPORTED_SANDBOX_METHODS auto no capsicum pledge landlock) + +set(XZ_SANDBOX auto CACHE STRING + "Sandboxing method to use in 'xz', 'xzdec', and 'lzmadec'") + +set_property(CACHE XZ_SANDBOX PROPERTY STRINGS "${SUPPORTED_SANDBOX_METHODS}") + +if(NOT XZ_SANDBOX IN_LIST SUPPORTED_SANDBOX_METHODS) + message(FATAL_ERROR "'${XZ_SANDBOX}' is not a supported " + "sandboxing method") +endif() + +# When autodetecting, the search order is fixed and we must not find +# more than one method. +if(XZ_SANDBOX STREQUAL "no") + set(SANDBOX_FOUND ON) +else() + set(SANDBOX_FOUND OFF) +endif() + +# Since xz and xzdec can both use sandboxing, the compile definition needed +# to use the sandbox must be added to both targets. +set(SANDBOX_COMPILE_DEFINITION OFF) + +# Sandboxing: Capsicum +if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^capsicum$") + check_symbol_exists(cap_rights_limit sys/capsicum.h + HAVE_CAP_RIGHTS_LIMIT) + if(HAVE_CAP_RIGHTS_LIMIT) + set(SANDBOX_COMPILE_DEFINITION "HAVE_CAP_RIGHTS_LIMIT") + set(SANDBOX_FOUND ON) + endif() +endif() + +# Sandboxing: pledge(2) +if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^pledge$") + check_symbol_exists(pledge unistd.h HAVE_PLEDGE) + if(HAVE_PLEDGE) + set(SANDBOX_COMPILE_DEFINITION "HAVE_PLEDGE") + set(SANDBOX_FOUND ON) + endif() +endif() + +# Sandboxing: Landlock +if(NOT SANDBOX_FOUND AND XZ_SANDBOX MATCHES "^auto$|^landlock$") + # A compile check is done here because some systems have + # linux/landlock.h, but do not have the syscalls defined + # in order to actually use Linux Landlock. + check_c_source_compiles(" + #include + #include + #include + + void my_sandbox(void) + { + (void)prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + (void)SYS_landlock_create_ruleset; + (void)SYS_landlock_restrict_self; + (void)LANDLOCK_CREATE_RULESET_VERSION; + return; + } + + int main(void) { return 0; } + " + HAVE_LINUX_LANDLOCK) + + if(HAVE_LINUX_LANDLOCK) + set(SANDBOX_COMPILE_DEFINITION "HAVE_LINUX_LANDLOCK") + set(SANDBOX_FOUND ON) + + # Of our three sandbox methods, only Landlock is incompatible + # with -fsanitize. FreeBSD 13.2 with Capsicum was tested with + # -fsanitize=address,undefined and had no issues. OpenBSD (as + # of version 7.4) has minimal support for process instrumentation. + # OpenBSD does not distribute the additional libraries needed + # (libasan, libubsan, etc.) with GCC or Clang needed for runtime + # sanitization support and instead only support + # -fsanitize-minimal-runtime for minimal undefined behavior + # sanitization. This minimal support is compatible with our use + # of the Pledge sandbox. So only Landlock will result in a + # build that cannot compress or decompress a single file to + # standard out. + if(CMAKE_C_FLAGS MATCHES "-fsanitize=") + message(SEND_ERROR + "CMAKE_C_FLAGS or the environment variable CFLAGS " + "contains '-fsanitize=' which is incompatible " + "with Landlock sandboxing. Use -DXZ_SANDBOX=no " + "as an argument to 'cmake' when using '-fsanitize'.") + endif() + endif() +endif() + +if(NOT SANDBOX_FOUND AND NOT XZ_SANDBOX MATCHES "^auto$|^no$") + message(SEND_ERROR "XZ_SANDBOX=${XZ_SANDBOX} was used but " + "support for the sandboxing method wasn't found.") +endif() + + ############################################################################# # xzdec and lzmadec #############################################################################