diff options
| author | fanquake <fanquake@gmail.com> | 2023-05-04 12:07:26 +0100 |
|---|---|---|
| committer | fanquake <fanquake@gmail.com> | 2023-06-16 10:38:19 +0100 |
| commit | 32e2ffc39374f61bb2435da507f285459985df9e (patch) | |
| tree | 44103a701bd14b0c77163db5d557215d40842210 /configure.ac | |
| parent | b3db18a0126bc4181d2a0880c27f45d203d06179 (diff) | |
Remove the syscall sandbox
After initially being merged in #20487, it's no-longer clear that an
internal syscall sandboxing mechanism is something that Bitcoin Core
should have/maintain, especially when compared to better
maintained/supported alterantives, i.e firejail.
Note that given where it's used, the sandbox also gets dragged into the
kernel.
There is some related discussion in #24771.
This should not require any sort of deprecation, as this was only ever
an opt-in, experimental feature.
Closes #24771.
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/configure.ac b/configure.ac index f9fac057d0..a0faac43ea 100644 --- a/configure.ac +++ b/configure.ac @@ -96,12 +96,6 @@ case $host in ;; esac -AC_ARG_WITH([seccomp], - [AS_HELP_STRING([--with-seccomp], - [enable experimental syscall sandbox feature (-sandbox), default is yes if seccomp-bpf is detected under Linux x86_64])], - [seccomp_found=$withval], - [seccomp_found=auto]) - AC_ARG_ENABLE([c++20], [AS_HELP_STRING([--enable-c++20], [enable compilation in c++20 mode (disabled by default)])], @@ -1539,36 +1533,6 @@ if test "$use_external_signer" != "no"; then fi AM_CONDITIONAL([ENABLE_EXTERNAL_SIGNER], [test "$use_external_signer" = "yes"]) -dnl Do not compile with syscall sandbox support when compiling under the sanitizers. -dnl The sanitizers introduce use of syscalls that are not typically used in bitcoind -dnl (such as execve when the sanitizers execute llvm-symbolizer). -if test "$use_sanitizers" != ""; then - AC_MSG_WARN([Specifying --with-sanitizers forces --without-seccomp since the sanitizers introduce use of syscalls not allowed by the bitcoind syscall sandbox (-sandbox=<mode>).]) - seccomp_found=no -fi -if test "$seccomp_found" != "no"; then - AC_MSG_CHECKING([for seccomp-bpf (Linux x86-64)]) - AC_PREPROC_IFELSE([AC_LANG_PROGRAM([[ - @%:@include <linux/seccomp.h> - ]], [[ - #if !defined(__x86_64__) - # error Syscall sandbox is an experimental feature currently available only under Linux x86-64. - #endif - ]])],[ - AC_MSG_RESULT([yes]) - seccomp_found="yes" - AC_DEFINE([USE_SYSCALL_SANDBOX], [1], [Define this symbol to build with syscall sandbox support.]) - ],[ - AC_MSG_RESULT([no]) - seccomp_found="no" - ]) -fi -dnl Currently only enable -sandbox=<mode> feature if seccomp is found. -dnl In the future, sandboxing could be also be supported with other -dnl sandboxing mechanisms besides seccomp. -use_syscall_sandbox=$seccomp_found -AM_CONDITIONAL([ENABLE_SYSCALL_SANDBOX], [test "$use_syscall_sandbox" != "no"]) - dnl Check for reduced exports if test "$use_reduce_exports" = "yes"; then AX_CHECK_COMPILE_FLAG([-fvisibility=hidden], [CORE_CXXFLAGS="$CORE_CXXFLAGS -fvisibility=hidden"], @@ -2008,7 +1972,6 @@ echo echo "Options used to compile and link:" echo " external signer = $use_external_signer" echo " multiprocess = $build_multiprocess" -echo " with experimental syscall sandbox support = $use_syscall_sandbox" echo " with libs = $build_bitcoin_libs" echo " with wallet = $enable_wallet" if test "$enable_wallet" != "no"; then |