Use Solaris setpflags(__PROC_PROTECT, ...).

Where possible, use Solaris setpflags to disable process tracing on ssh-agent and sftp-server. bz#2584, based on a patch from huieying.lee at oracle.com, ok djm.
2016-06-14 10:48:27 +10:00 · 2016-06-14 10:48:27 +10:00 · a86ec4d073
parent 0f916d39b0
commit a86ec4d073
2 changed files with 9 additions and 0 deletions
--- a/configure.ac
+++ b/configure.ac
@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	else
 		AC_MSG_RESULT([no])
 	fi
+	AC_CHECK_FUNCS([setpflags])
 	AC_CHECK_FUNCS([setppriv])
 	AC_CHECK_FUNCS([priv_basicset])
 	AC_CHECK_HEADERS([priv.h])
--- a/platform.c
+++ b/platform.c
@ -22,6 +22,9 @@
 #if defined(HAVE_SYS_PRCTL_H)
 #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
 #endif
+#ifdef HAVE_PRIV_H
+#include <priv.h> /* For setpflags() and __PROC_PROTECT  */
+#endif

 #include <stdarg.h>
 #include <unistd.h>
@ -229,4 +232,9 @@ platform_disable_tracing(int strict)
 	if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
 		fatal("unable to make the process undumpable");
 #endif
+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
+	/* On Solaris, we should make this process untraceable */
+	if (setpflags(__PROC_PROTECT, 1) != 0 && strict)
+		fatal("unable to make the process untraceable");
+#endif
 }