mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 05:56:15 +02:00
configure.ac: check for sandbox-shell's FEATURE_SH_STANDALONE
See also: https://bugs.archlinux.org/task/73998. Busybox's FEATURE_SH_STANDALONE feature causes other busybox applets to leak into the sandbox, where system() calls will start preferring them over tools in $PATH. On arch, this even includes `ar`. Let's check for this evil feature and disallow using this as a sandbox shell.
This commit is contained in:
parent
4f98bc29ff
commit
cbf60bec6f
1 changed files with 11 additions and 0 deletions
11
configure.ac
11
configure.ac
|
@ -294,6 +294,17 @@ esac
|
|||
AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
|
||||
sandbox_shell=$withval)
|
||||
AC_SUBST(sandbox_shell)
|
||||
if ! test -z ${sandbox_shell+x}; then
|
||||
AC_MSG_CHECKING([whether sandbox-shell has the standalone feature])
|
||||
# busybox shell sometimes allows executing other busybox applets,
|
||||
# even if they are not in the path, breaking our sandbox
|
||||
if PATH= $sandbox_shell -c "busybox" 2>&1 | grep -qv "not found"; then
|
||||
AC_MSG_RESULT(enabled)
|
||||
AC_MSG_ERROR([Please disable busybox FEATURE_SH_STANDALONE])
|
||||
else
|
||||
AC_MSG_RESULT(disabled)
|
||||
fi
|
||||
fi
|
||||
|
||||
# Expand all variables in config.status.
|
||||
test "$prefix" = NONE && prefix=$ac_default_prefix
|
||||
|
|
Loading…
Reference in a new issue