sudo/sme9/sudo-1.8.6p3-noexec-update.patch

diff -up sudo-1.8.6p3/config.h.in.noexec-update sudo-1.8.6p3/config.h.in
--- sudo-1.8.6p3/config.h.in.noexec-update      2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/config.h.in    2016-11-24 10:35:39.742359619 +0100
@@ -87,6 +87,10 @@
    don't. */
 #undef HAVE_DECL_H_ERRNO
 
+/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and
+   to 0 if you don't. */
+#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER
+
 /* Define to 1 if you have the declaration of `sys_sigabbrev', and to 0 if you
    don't. */
 #undef HAVE_DECL_SYS_SIGABBREV
@@ -134,9 +138,21 @@
 /* Define to 1 if the compiler supports the __visibility__ attribute. */
 #undef HAVE_DSO_VISIBILITY
 
+/* Define to 1 if you have the `exect' function. */
+#undef HAVE_EXECT
+
+/* Define to 1 if you have the `execvp' function. */
+#undef HAVE_EXECVP
+
+/* Define to 1 if you have the `execvpe' function. */
+#undef HAVE_EXECVPE
+
 /* Define to 1 if your system has the F_CLOSEM fcntl. */
 #undef HAVE_FCNTL_CLOSEM
 
+/* Define to 1 if you have the `fexecve' function. */
+#undef HAVE_FEXECVE
+
 /* Define to 1 if you have the `fgetln' function. */
 #undef HAVE_FGETLN
 
@@ -415,6 +431,12 @@
 /* Define to 1 if you have the `posix_openpt' function. */
 #undef HAVE_POSIX_OPENPT
 
+/* Define to 1 if you have the `posix_spawn' function. */
+#undef HAVE_POSIX_SPAWN
+
+/* Define to 1 if you have the `posix_spawnp' function. */
+#undef HAVE_POSIX_SPAWNP
+
 /* Define to 1 if you have the `priv_set' function. */
 #undef HAVE_PRIV_SET
 
@@ -694,6 +716,12 @@
 /* Define to 1 if you have the `vsnprintf' function. */
 #undef HAVE_VSNPRINTF
 
+/* Define to 1 if you have the `wordexp' function. */
+#undef HAVE_WORDEXP
+
+/* Define to 1 if you have the <wordexp.h> header file. */
+#undef HAVE_WORDEXP_H
+
 /* Define to 1 if you have the <zlib.h> header file. */
 #undef HAVE_ZLIB_H
 
diff -up sudo-1.8.6p3/configure.in.noexec-update sudo-1.8.6p3/configure.in
--- sudo-1.8.6p3/configure.in.noexec-update     2016-11-24 10:35:39.729359787 +0100
+++ sudo-1.8.6p3/configure.in   2016-11-24 10:35:39.743359606 +0100
@@ -1805,6 +1805,14 @@ case "$host" in
                shadow_funcs="getspnam"
                shadow_libs_optional="-lshadow"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
+                # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
+                AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [
+#include <sys/types.h>
+#include <sys/prctl.h>
+#include <asm/unistd.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+                ])
                ;;
     *-convex-bsd*)
                OSDEFS="${OSDEFS} -D_CONVEX_SOURCE"
@@ -2067,7 +2075,7 @@ AC_HEADER_DIRENT
 AC_HEADER_TIME
 AC_HEADER_STDBOOL
 AC_HEADER_MAJOR
-AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h wordexp.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
 AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
 #ifdef HAVE_PROCFS_H
 #include <procfs.h>
@@ -2199,7 +2207,8 @@ dnl
 AC_FUNC_GETGROUPS
 AC_CHECK_FUNCS(glob strrchr sysconf tzset strftime setenv \
               regcomp setlocale nl_langinfo mbr_check_membership \
-              setrlimit64)
+              setrlimit64 \
+              wordexp exect execvp execvpe fexecve posix_spawn posix_spawnp)
 AC_REPLACE_FUNCS(getgrouplist)
 AC_CHECK_FUNCS(getline, [], [
     AC_LIBOBJ(getline)
diff -up sudo-1.8.6p3/include/missing.h.noexec-update sudo-1.8.6p3/include/missing.h
--- sudo-1.8.6p3/include/missing.h.noexec-update        2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p3/include/missing.h      2016-11-24 10:35:39.743359606 +0100
@@ -198,6 +198,13 @@ typedef struct sigaction sigaction_t;
 #endif
 
 /*
+ * The nitems macro may be defined in sys/param.h
+ */
+#ifndef nitems
+# define nitems(_a)     (sizeof((_a)) / sizeof((_a)[0]))
+#endif
+
+/*
  * If dirfd() does not exists, hopefully dd_fd does.
  */
 #if !defined(HAVE_DIRFD) && defined(HAVE_DD_FD)
diff -up sudo-1.8.6p3/src/Makefile.in.noexec-update sudo-1.8.6p3/src/Makefile.in
--- sudo-1.8.6p3/src/Makefile.in.noexec-update  2016-11-24 10:35:39.743359606 +0100
+++ sudo-1.8.6p3/src/Makefile.in        2016-11-24 10:46:58.563597083 +0100
@@ -105,7 +105,7 @@ sudo: $(OBJS) $(LT_LIBS)
        $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(LIBS)
 
 libsudo_noexec.la: sudo_noexec.lo
-       $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+       $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
 
 sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
        $(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) $(PIE_LDFLAGS) @LIBINTL@ $(LIBS)
diff -up sudo-1.8.6p3/src/sudo_noexec.c.noexec-update sudo-1.8.6p3/src/sudo_noexec.c
--- sudo-1.8.6p3/src/sudo_noexec.c.noexec-update        2012-09-18 15:56:30.000000000 +0200
+++ sudo-1.8.6p3/src/sudo_noexec.c      2016-11-24 10:35:39.743359606 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004-2005, 2010-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2004-2005, 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,20 +18,64 @@
 
 #include <sys/types.h>
 
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
+# include <sys/prctl.h>
+# include <asm/unistd.h>
+# include <linux/filter.h>
+# include <linux/seccomp.h>
+#endif
+
 #include <errno.h>
 #include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
 #ifdef HAVE_SPAWN_H
 #include <spawn.h>
 #endif
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_WORDEXP_H
+#include <wordexp.h>
+#endif
+#if defined(HAVE_SHL_LOAD)
+# include <dl.h>
+#elif defined(HAVE_DLOPEN)
+# include <dlfcn.h>
+#endif
 
 #include "missing.h"
+#include "pathnames.h"
+
+#ifdef HAVE___INTERPOSE
+/*
+ * Mac OS X 10.4 and above has support for library symbol interposition.
+ * There is a good explanation of this in the Mac OS X Internals book.
+ */
+typedef struct interpose_s {
+    void *new_func;
+    void *orig_func;
+} interpose_t;
+
+# define FN_NAME(fn)   dummy_ ## fn
+# define INTERPOSE(fn) \
+    __attribute__((__used__)) static const interpose_t interpose_ ## fn \
+    __attribute__((__section__("__DATA,__interpose"))) = \
+       { (void *)dummy_ ## fn, (void *)fn };
+#else
+# define FN_NAME(fn)   fn
+# define INTERPOSE(fn)
+#endif
 
 /*
- * Dummy versions of the execve() family of syscalls.  We don't need
- * to stub out all of them, just the ones that correspond to actual
- * system calls (which varies by OS).  Note that it is still possible
- * to access the real syscalls via the syscall() interface but very
- * few programs actually do that.
+ * Dummy versions of the exec(3) family of syscalls.  It is not enough to
+ * just dummy out execve(2) since many C libraries do not call the public
+ * execve(2) interface.  Note that it is still possible to access the real
+ * syscalls via the syscall(2) interface, but that is rarely done.
  */
 
 #define DUMMY_BODY                             \
@@ -40,61 +84,172 @@
     return -1;                                 \
 }
 
+#define DUMMY1(fn, t1)                         \
+__dso_public int                               \
+FN_NAME(fn)(t1 a1)                             \
+DUMMY_BODY                                     \
+INTERPOSE(fn)
+
 #define DUMMY2(fn, t1, t2)                     \
 __dso_public int                               \
-fn(t1 a1, t2 a2)                               \
-DUMMY_BODY
+FN_NAME(fn)(t1 a1, t2 a2)                      \
+DUMMY_BODY                                     \
+INTERPOSE(fn)
 
 #define DUMMY3(fn, t1, t2, t3)                 \
 __dso_public int                               \
-fn(t1 a1, t2 a2, t3 a3)                                \
-DUMMY_BODY
+FN_NAME(fn)(t1 a1, t2 a2, t3 a3)               \
+DUMMY_BODY                                     \
+INTERPOSE(fn)
 
 #define DUMMY6(fn, t1, t2, t3, t4, t5, t6)     \
 __dso_public int                               \
-fn(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6)   \
-DUMMY_BODY
+FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6)  \
+DUMMY_BODY                                     \
+INTERPOSE(fn)
 
 #define DUMMY_VA(fn, t1, t2)                   \
 __dso_public int                               \
-fn(t1 a1, t2 a2, ...)                          \
-DUMMY_BODY
+FN_NAME(fn)(t1 a1, t2 a2, ...)                 \
+DUMMY_BODY                                     \
+INTERPOSE(fn)
 
+/*
+ * Standard exec(3) family of functions.
+ */
 DUMMY_VA(execl, const char *, const char *)
-DUMMY_VA(_execl, const char *, const char *)
-DUMMY_VA(__execl, const char *, const char *)
 DUMMY_VA(execle, const char *, const char *)
-DUMMY_VA(_execle, const char *, const char *)
-DUMMY_VA(__execle, const char *, const char *)
 DUMMY_VA(execlp, const char *, const char *)
-DUMMY_VA(_execlp, const char *, const char *)
-DUMMY_VA(__execlp, const char *, const char *)
-DUMMY3(exect, const char *, char * const *, char * const *)
-DUMMY3(_exect, const char *, char * const *, char * const *)
-DUMMY3(__exect, const char *, char * const *, char * const *)
 DUMMY2(execv, const char *, char * const *)
-DUMMY2(_execv, const char *, char * const *)
-DUMMY2(__execv, const char *, char * const *)
 DUMMY2(execvp, const char *, char * const *)
-DUMMY2(_execvp, const char *, char * const *)
-DUMMY2(__execvp, const char *, char * const *)
-DUMMY3(execvP, const char *, const char *, char * const *)
-DUMMY3(_execvP, const char *, const char *, char * const *)
-DUMMY3(__execvP, const char *, const char *, char * const *)
 DUMMY3(execve, const char *, char * const *, char * const *)
-DUMMY3(_execve, const char *, char * const *, char * const *)
-DUMMY3(__execve, const char *, char * const *, char * const *)
+
+/*
+ * Non-standard exec(3) functions and corresponding private versions.
+ */
+#ifdef HAVE_EXECVP
+DUMMY3(execvP, const char *, const char *, char * const *)
+#endif
+#ifdef HAVE_EXECVPE
 DUMMY3(execvpe, const char *, char * const *, char * const *)
-DUMMY3(_execvpe, const char *, char * const *, char * const *)
-DUMMY3(__execvpe, const char *, char * const *, char * const *)
+#endif
+#ifdef HAVE_EXECT
+DUMMY3(exect, const char *, char * const *, char * const *)
+#endif
+
+/*
+ * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).
+ */
+#ifdef HAVE_FEXECVE
 DUMMY3(fexecve, int , char * const *, char * const *)
-DUMMY3(_fexecve, int , char * const *, char * const *)
-DUMMY3(__fexecve, int , char * const *, char * const *)
-#ifdef HAVE_SPAWN_H
+#endif
+#ifdef HAVE_POSIX_SPAWN
 DUMMY6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
-DUMMY6(_posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
-DUMMY6(__posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+#endif
+#ifdef HAVE_POSIX_SPAWNP
 DUMMY6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
-DUMMY6(_posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
-DUMMY6(__posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
-#endif /* HAVE_SPAWN_H */
+#endif
+
+/*
+ * system(3) and popen(3).
+ * We can't use a wrapper for popen since it returns FILE *, not int.
+ */
+DUMMY1(system, const char *)
+
+__dso_public FILE *
+FN_NAME(popen)(const char *c, const char *t)
+{
+    errno = EACCES;
+    return NULL;
+}
+INTERPOSE(popen)
+
+#if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))
+/*
+ * We can't use a wrapper for wordexp(3) since we still want to call
+ * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
+ */
+typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
+
+__dso_public int
+FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)
+{
+#if defined(HAVE___INTERPOSE)
+    return wordexp(words, we, flags | WRDE_NOCMD);
+#else
+# if defined(HAVE_DLOPEN)
+    void *fn = dlsym(RTLD_NEXT, "wordexp");
+# elif defined(HAVE_SHL_LOAD)
+    const char *name, *myname = _PATH_SUDO_NOEXEC;
+    struct shl_descriptor *desc;
+    void *fn = NULL;
+    int idx = 0;
+
+    name = strrchr(myname, '/');
+    if (name != NULL)
+       myname = name + 1;
+
+    /* Search for wordexp() but skip this shared object. */
+    while (shl_get(idx++, &desc) == 0) {
+       name = strrchr(desc->filename, '/');
+       if (name == NULL)
+               name = desc->filename;
+       else
+               name++;
+       if (strcmp(name, myname) == 0)
+           continue;
+       if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
+           break;
+    }
+# else
+    void *fn = NULL;
+# endif
+    if (fn == NULL) {
+       errno = EACCES;
+       return -1;
+    }
+    return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
+#endif /* HAVE___INTERPOSE */
+}
+INTERPOSE(wordexp)
+#endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */
+
+/*
+ * On Linux we can use a seccomp() filter to disable exec.
+ */
+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
+
+/* Older systems may not support execveat(2). */
+#ifndef __NR_execveat
+# define __NR_execveat -1
+#endif
+
+static void noexec_ctor(void) __attribute__((constructor));
+
+static void
+noexec_ctor(void)
+{
+    struct sock_filter exec_filter[] = {
+       /* Load syscall number into the accumulator */
+       BPF_STMT(BPF_LD | BPF_ABS, offsetof(struct seccomp_data, nr)),
+       /* Jump to deny for execve/execveat */
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
+       /* Allow non-matching syscalls */
+       BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
+       /* Deny execve/execveat syscall */
+       BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
+    };
+    const struct sock_fprog exec_fprog = {
+       nitems(exec_filter),
+       exec_filter
+    };
+
+    /*
+     * SECCOMP_MODE_FILTER will fail unless the process has
+     * CAP_SYS_ADMIN or the no_new_privs bit is set.
+     */
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
+       (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
+}
+#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */
1	jpp	1.1	diff -up sudo-1.8.6p3/config.h.in.noexec-update sudo-1.8.6p3/config.h.in
2			--- sudo-1.8.6p3/config.h.in.noexec-update 2012-09-18 15:57:43.000000000 +0200
3			+++ sudo-1.8.6p3/config.h.in 2016-11-24 10:35:39.742359619 +0100
4			@@ -87,6 +87,10 @@
5			don't. */
6			#undef HAVE_DECL_H_ERRNO
7
8			+/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and
9			+ to 0 if you don't. */
10			+#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER
11			+
12			/* Define to 1 if you have the declaration of `sys_sigabbrev', and to 0 if you
13			don't. */
14			#undef HAVE_DECL_SYS_SIGABBREV
15			@@ -134,9 +138,21 @@
16			/* Define to 1 if the compiler supports the __visibility__ attribute. */
17			#undef HAVE_DSO_VISIBILITY
18
19			+/* Define to 1 if you have the `exect' function. */
20			+#undef HAVE_EXECT
21			+
22			+/* Define to 1 if you have the `execvp' function. */
23			+#undef HAVE_EXECVP
24			+
25			+/* Define to 1 if you have the `execvpe' function. */
26			+#undef HAVE_EXECVPE
27			+
28			/* Define to 1 if your system has the F_CLOSEM fcntl. */
29			#undef HAVE_FCNTL_CLOSEM
30
31			+/* Define to 1 if you have the `fexecve' function. */
32			+#undef HAVE_FEXECVE
33			+
34			/* Define to 1 if you have the `fgetln' function. */
35			#undef HAVE_FGETLN
36
37			@@ -415,6 +431,12 @@
38			/* Define to 1 if you have the `posix_openpt' function. */
39			#undef HAVE_POSIX_OPENPT
40
41			+/* Define to 1 if you have the `posix_spawn' function. */
42			+#undef HAVE_POSIX_SPAWN
43			+
44			+/* Define to 1 if you have the `posix_spawnp' function. */
45			+#undef HAVE_POSIX_SPAWNP
46			+
47			/* Define to 1 if you have the `priv_set' function. */
48			#undef HAVE_PRIV_SET
49
50			@@ -694,6 +716,12 @@
51			/* Define to 1 if you have the `vsnprintf' function. */
52			#undef HAVE_VSNPRINTF
53
54			+/* Define to 1 if you have the `wordexp' function. */
55			+#undef HAVE_WORDEXP
56			+
57			+/* Define to 1 if you have the <wordexp.h> header file. */
58			+#undef HAVE_WORDEXP_H
59			+
60			/* Define to 1 if you have the <zlib.h> header file. */
61			#undef HAVE_ZLIB_H
62
63			diff -up sudo-1.8.6p3/configure.in.noexec-update sudo-1.8.6p3/configure.in
64			--- sudo-1.8.6p3/configure.in.noexec-update 2016-11-24 10:35:39.729359787 +0100
65			+++ sudo-1.8.6p3/configure.in 2016-11-24 10:35:39.743359606 +0100
66			@@ -1805,6 +1805,14 @@ case "$host" in
67			shadow_funcs="getspnam"
68			shadow_libs_optional="-lshadow"
69			test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
70			+ # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
71			+ AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [
72			+#include <sys/types.h>
73			+#include <sys/prctl.h>
74			+#include <asm/unistd.h>
75			+#include <linux/seccomp.h>
76			+#include <linux/filter.h>
77			+ ])
78			;;
79			-convex-bsd)
80			OSDEFS="${OSDEFS} -D_CONVEX_SOURCE"
81			@@ -2067,7 +2075,7 @@ AC_HEADER_DIRENT
82			AC_HEADER_TIME
83			AC_HEADER_STDBOOL
84			AC_HEADER_MAJOR
85			-AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
86			+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h wordexp.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
87			AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
88			#ifdef HAVE_PROCFS_H
89			#include <procfs.h>
90			@@ -2199,7 +2207,8 @@ dnl
91			AC_FUNC_GETGROUPS
92			AC_CHECK_FUNCS(glob strrchr sysconf tzset strftime setenv \
93			regcomp setlocale nl_langinfo mbr_check_membership \
94			- setrlimit64)
95			+ setrlimit64 \
96			+ wordexp exect execvp execvpe fexecve posix_spawn posix_spawnp)
97			AC_REPLACE_FUNCS(getgrouplist)
98			AC_CHECK_FUNCS(getline, [], [
99			AC_LIBOBJ(getline)
100			diff -up sudo-1.8.6p3/include/missing.h.noexec-update sudo-1.8.6p3/include/missing.h
101			--- sudo-1.8.6p3/include/missing.h.noexec-update 2012-09-18 15:56:28.000000000 +0200
102			+++ sudo-1.8.6p3/include/missing.h 2016-11-24 10:35:39.743359606 +0100
103			@@ -198,6 +198,13 @@ typedef struct sigaction sigaction_t;
104			#endif
105
106			/*
107			+ * The nitems macro may be defined in sys/param.h
108			+ */
109			+#ifndef nitems
110			+# define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
111			+#endif
112			+
113			+/*
114			* If dirfd() does not exists, hopefully dd_fd does.
115			*/
116			#if !defined(HAVE_DIRFD) && defined(HAVE_DD_FD)
117			diff -up sudo-1.8.6p3/src/Makefile.in.noexec-update sudo-1.8.6p3/src/Makefile.in
118			--- sudo-1.8.6p3/src/Makefile.in.noexec-update 2016-11-24 10:35:39.743359606 +0100
119			+++ sudo-1.8.6p3/src/Makefile.in 2016-11-24 10:46:58.563597083 +0100
120			@@ -105,7 +105,7 @@ sudo: $(OBJS) $(LT_LIBS)
121			$(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(LIBS)
122
123			libsudo_noexec.la: sudo_noexec.lo
124			- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
125			+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
126
127			sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
128			$(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) $(PIE_LDFLAGS) @LIBINTL@ $(LIBS)
129			diff -up sudo-1.8.6p3/src/sudo_noexec.c.noexec-update sudo-1.8.6p3/src/sudo_noexec.c
130			--- sudo-1.8.6p3/src/sudo_noexec.c.noexec-update 2012-09-18 15:56:30.000000000 +0200
131			+++ sudo-1.8.6p3/src/sudo_noexec.c 2016-11-24 10:35:39.743359606 +0100
132			@@ -1,5 +1,5 @@
133			/*
134			- * Copyright (c) 2004-2005, 2010-2011 Todd C. Miller <Todd.Miller@courtesan.com>
135			+ * Copyright (c) 2004-2005, 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
136			*
137			* Permission to use, copy, modify, and distribute this software for any
138			* purpose with or without fee is hereby granted, provided that the above
139			@@ -18,20 +18,64 @@
140
141			#include <sys/types.h>
142
143			+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
144			+# include <sys/prctl.h>
145			+# include <asm/unistd.h>
146			+# include <linux/filter.h>
147			+# include <linux/seccomp.h>
148			+#endif
149			+
150			#include <errno.h>
151			#include <stdarg.h>
152			+#include <stdio.h>
153			+#include <stdlib.h>
154			+#include <unistd.h>
155			#ifdef HAVE_SPAWN_H
156			#include <spawn.h>
157			#endif
158			+#ifdef HAVE_STRING_H
159			+# include <string.h>
160			+#endif /* HAVE_STRING_H */
161			+#ifdef HAVE_STRINGS_H
162			+# include <strings.h>
163			+#endif /* HAVE_STRINGS_H */
164			+#ifdef HAVE_WORDEXP_H
165			+#include <wordexp.h>
166			+#endif
167			+#if defined(HAVE_SHL_LOAD)
168			+# include <dl.h>
169			+#elif defined(HAVE_DLOPEN)
170			+# include <dlfcn.h>
171			+#endif
172
173			#include "missing.h"
174			+#include "pathnames.h"
175			+
176			+#ifdef HAVE___INTERPOSE
177			+/*
178			+ * Mac OS X 10.4 and above has support for library symbol interposition.
179			+ * There is a good explanation of this in the Mac OS X Internals book.
180			+ */
181			+typedef struct interpose_s {
182			+ void *new_func;
183			+ void *orig_func;
184			+} interpose_t;
185			+
186			+# define FN_NAME(fn) dummy_ ## fn
187			+# define INTERPOSE(fn) \
188			+ __attribute__((__used__)) static const interpose_t interpose_ ## fn \
189			+ __attribute__((__section__("__DATA,__interpose"))) = \
190			+ { (void )dummy_ ## fn, (void )fn };
191			+#else
192			+# define FN_NAME(fn) fn
193			+# define INTERPOSE(fn)
194			+#endif
195
196			/*
197			- * Dummy versions of the execve() family of syscalls. We don't need
198			- * to stub out all of them, just the ones that correspond to actual
199			- * system calls (which varies by OS). Note that it is still possible
200			- * to access the real syscalls via the syscall() interface but very
201			- * few programs actually do that.
202			+ * Dummy versions of the exec(3) family of syscalls. It is not enough to
203			+ * just dummy out execve(2) since many C libraries do not call the public
204			+ * execve(2) interface. Note that it is still possible to access the real
205			+ * syscalls via the syscall(2) interface, but that is rarely done.
206			*/
207
208			#define DUMMY_BODY \
209			@@ -40,61 +84,172 @@
210			return -1; \
211			}
212
213			+#define DUMMY1(fn, t1) \
214			+__dso_public int \
215			+FN_NAME(fn)(t1 a1) \
216			+DUMMY_BODY \
217			+INTERPOSE(fn)
218			+
219			#define DUMMY2(fn, t1, t2) \
220			__dso_public int \
221			-fn(t1 a1, t2 a2) \
222			-DUMMY_BODY
223			+FN_NAME(fn)(t1 a1, t2 a2) \
224			+DUMMY_BODY \
225			+INTERPOSE(fn)
226
227			#define DUMMY3(fn, t1, t2, t3) \
228			__dso_public int \
229			-fn(t1 a1, t2 a2, t3 a3) \
230			-DUMMY_BODY
231			+FN_NAME(fn)(t1 a1, t2 a2, t3 a3) \
232			+DUMMY_BODY \
233			+INTERPOSE(fn)
234
235			#define DUMMY6(fn, t1, t2, t3, t4, t5, t6) \
236			__dso_public int \
237			-fn(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
238			-DUMMY_BODY
239			+FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
240			+DUMMY_BODY \
241			+INTERPOSE(fn)
242
243			#define DUMMY_VA(fn, t1, t2) \
244			__dso_public int \
245			-fn(t1 a1, t2 a2, ...) \
246			-DUMMY_BODY
247			+FN_NAME(fn)(t1 a1, t2 a2, ...) \
248			+DUMMY_BODY \
249			+INTERPOSE(fn)
250
251			+/*
252			+ * Standard exec(3) family of functions.
253			+ */
254			DUMMY_VA(execl, const char , const char )
255			-DUMMY_VA(_execl, const char , const char )
256			-DUMMY_VA(__execl, const char , const char )
257			DUMMY_VA(execle, const char , const char )
258			-DUMMY_VA(_execle, const char , const char )
259			-DUMMY_VA(__execle, const char , const char )
260			DUMMY_VA(execlp, const char , const char )
261			-DUMMY_VA(_execlp, const char , const char )
262			-DUMMY_VA(__execlp, const char , const char )
263			-DUMMY3(exect, const char , char const , char const *)
264			-DUMMY3(_exect, const char , char const , char const *)
265			-DUMMY3(__exect, const char , char const , char const *)
266			DUMMY2(execv, const char , char const *)
267			-DUMMY2(_execv, const char , char const *)
268			-DUMMY2(__execv, const char , char const *)
269			DUMMY2(execvp, const char , char const *)
270			-DUMMY2(_execvp, const char , char const *)
271			-DUMMY2(__execvp, const char , char const *)
272			-DUMMY3(execvP, const char , const char , char * const *)
273			-DUMMY3(_execvP, const char , const char , char * const *)
274			-DUMMY3(__execvP, const char , const char , char * const *)
275			DUMMY3(execve, const char , char const , char const *)
276			-DUMMY3(_execve, const char , char const , char const *)
277			-DUMMY3(__execve, const char , char const , char const *)
278			+
279			+/*
280			+ * Non-standard exec(3) functions and corresponding private versions.
281			+ */
282			+#ifdef HAVE_EXECVP
283			+DUMMY3(execvP, const char , const char , char * const *)
284			+#endif
285			+#ifdef HAVE_EXECVPE
286			DUMMY3(execvpe, const char , char const , char const *)
287			-DUMMY3(_execvpe, const char , char const , char const *)
288			-DUMMY3(__execvpe, const char , char const , char const *)
289			+#endif
290			+#ifdef HAVE_EXECT
291			+DUMMY3(exect, const char , char const , char const *)
292			+#endif
293			+
294			+/*
295			+ * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).
296			+ */
297			+#ifdef HAVE_FEXECVE
298			DUMMY3(fexecve, int , char * const , char const *)
299			-DUMMY3(_fexecve, int , char * const , char const *)
300			-DUMMY3(__fexecve, int , char * const , char const *)
301			-#ifdef HAVE_SPAWN_H
302			+#endif
303			+#ifdef HAVE_POSIX_SPAWN
304			DUMMY6(posix_spawn, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
305			-DUMMY6(_posix_spawn, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
306			-DUMMY6(__posix_spawn, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
307			+#endif
308			+#ifdef HAVE_POSIX_SPAWNP
309			DUMMY6(posix_spawnp, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
310			-DUMMY6(_posix_spawnp, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
311			-DUMMY6(__posix_spawnp, pid_t , const char , const posix_spawn_file_actions_t , const posix_spawnattr_t , char * const , char const *)
312			-#endif /* HAVE_SPAWN_H */
313			+#endif
314			+
315			+/*
316			+ * system(3) and popen(3).
317			+ * We can't use a wrapper for popen since it returns FILE *, not int.
318			+ */
319			+DUMMY1(system, const char *)
320			+
321			+__dso_public FILE *
322			+FN_NAME(popen)(const char c, const char t)
323			+{
324			+ errno = EACCES;
325			+ return NULL;
326			+}
327			+INTERPOSE(popen)
328			+
329			+#if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) \|\| defined(HAVE_SHL_LOAD) \|\| defined(HAVE___INTERPOSE))
330			+/*
331			+ * We can't use a wrapper for wordexp(3) since we still want to call
332			+ * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
333			+ */
334			+typedef int (sudo_fn_wordexp_t)(const char , wordexp_t *, int);
335			+
336			+__dso_public int
337			+FN_NAME(wordexp)(const char words, wordexp_t we, int flags)
338			+{
339			+#if defined(HAVE___INTERPOSE)
340			+ return wordexp(words, we, flags \| WRDE_NOCMD);
341			+#else
342			+# if defined(HAVE_DLOPEN)
343			+ void *fn = dlsym(RTLD_NEXT, "wordexp");
344			+# elif defined(HAVE_SHL_LOAD)
345			+ const char name, myname = _PATH_SUDO_NOEXEC;
346			+ struct shl_descriptor *desc;
347			+ void *fn = NULL;
348			+ int idx = 0;
349			+
350			+ name = strrchr(myname, '/');
351			+ if (name != NULL)
352			+ myname = name + 1;
353			+
354			+ /* Search for wordexp() but skip this shared object. */
355			+ while (shl_get(idx++, &desc) == 0) {
356			+ name = strrchr(desc->filename, '/');
357			+ if (name == NULL)
358			+ name = desc->filename;
359			+ else
360			+ name++;
361			+ if (strcmp(name, myname) == 0)
362			+ continue;
363			+ if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
364			+ break;
365			+ }
366			+# else
367			+ void *fn = NULL;
368			+# endif
369			+ if (fn == NULL) {
370			+ errno = EACCES;
371			+ return -1;
372			+ }
373			+ return ((sudo_fn_wordexp_t)fn)(words, we, flags \| WRDE_NOCMD);
374			+#endif /* HAVE___INTERPOSE */
375			+}
376			+INTERPOSE(wordexp)
377			+#endif /* HAVE_WORDEXP && (RTLD_NEXT \|\| HAVE_SHL_LOAD \|\| HAVE___INTERPOSE) */
378			+
379			+/*
380			+ * On Linux we can use a seccomp() filter to disable exec.
381			+ */
382			+#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
383			+
384			+/* Older systems may not support execveat(2). */
385			+#ifndef __NR_execveat
386			+# define __NR_execveat -1
387			+#endif
388			+
389			+static void noexec_ctor(void) __attribute__((constructor));
390			+
391			+static void
392			+noexec_ctor(void)
393			+{
394			+ struct sock_filter exec_filter[] = {
395			+ /* Load syscall number into the accumulator */
396			+ BPF_STMT(BPF_LD \| BPF_ABS, offsetof(struct seccomp_data, nr)),
397			+ /* Jump to deny for execve/execveat */
398			+ BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, __NR_execve, 2, 0),
399			+ BPF_JUMP(BPF_JMP \| BPF_JEQ \| BPF_K, __NR_execveat, 1, 0),
400			+ /* Allow non-matching syscalls */
401			+ BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ALLOW),
402			+ /* Deny execve/execveat syscall */
403			+ BPF_STMT(BPF_RET \| BPF_K, SECCOMP_RET_ERRNO \| (EACCES & SECCOMP_RET_DATA))
404			+ };
405			+ const struct sock_fprog exec_fprog = {
406			+ nitems(exec_filter),
407			+ exec_filter
408			+ };
409			+
410			+ /*
411			+ * SECCOMP_MODE_FILTER will fail unless the process has
412			+ * CAP_SYS_ADMIN or the no_new_privs bit is set.
413			+ */
414			+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
415			+ (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
416			+}
417			+#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */