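#!/bin/sh -
#
# Singularity core libs system configuration detection
#
# Post-project "makeit" check. It emits the build configuration header
# (config_add_header / config_add_def / config_add_footer are provided by
# the calling framework, not defined here) and probes the toolchain and the
# kernel for the namespace, mount and privilege-restriction features the
# runtime depends on.
#
# Inputs, set by the framework before this file runs: $tgtcc, $host,
# $package_name, $package_version, the GNU install-dir variables ($prefix,
# $bindir, ...), $makeit_testprogdir, $user_cflags, $ldflags.
# Outputs: config defs, plus the shell variables build_runtime, tgtstatic
# and appsec, which are left behind for the caller.
#
# Two kinds of probe are used below:
#   * compile-only: a snippet is piped into $tgtcc. Success only means the
#     TARGET toolchain's headers know the symbol.
#   * compile-and-run (NO_NEW_PRIVS, ambient capabilities) and the
#     /proc/self/ns test: these execute on the BUILD host, so they report
#     the build kernel's support, not the kernel the binaries are finally
#     installed on. When cross-building, treat those answers accordingly.
#
# $tgtcc, $user_cflags and $ldflags are deliberately left unquoted so they
# can carry several words (compiler plus flags).
set -e

# Compile the C snippet on stdin for the target, discarding the output.
compiles() {
  $tgtcc -x c -o /dev/null - >/dev/null 2>&1
}

# Same, but honouring the user's CFLAGS/LDFLAGS and linking extra libraries
# ("$@"), for the library presence checks.
compiles_with() {
  $tgtcc $user_cflags $ldflags -x c -o /dev/null - "$@" >/dev/null 2>&1
}

config_add_header

config_add_def PACKAGE_NAME \"$package_name\"
config_add_def PACKAGE_TARNAME \"$package_name\"
config_add_def PACKAGE_VERSION \"$package_version\"
config_add_def PACKAGE_STRING \"singularity $package_version\"
config_add_def PACKAGE_BUGREPORT \"support@sylabs.io\"
config_add_def PACKAGE_URL \"\"

config_add_def BUILDDIR \"$builddir\"
config_add_def PREFIX \"$prefix\"
config_add_def EXECPREFIX \"$exec_prefix\"
config_add_def BINDIR \"$bindir\"
config_add_def SBINDIR \"$sbindir\"
config_add_def LIBEXECDIR \"$libexecdir\"
config_add_def DATAROOTDIR \"$datarootdir\"
config_add_def DATADIR \"$datadir\"
config_add_def SYSCONFDIR \"$sysconfdir\"
config_add_def SHAREDSTATEDIR \"$sharedstatedir\"
config_add_def LOCALSTATEDIR \"$localstatedir\"
config_add_def RUNSTATEDIR \"$runstatedir\"
config_add_def INCLUDEDIR \"$includedir\"
config_add_def OLDINCLUDEDIR \"$oldincludedir\"
config_add_def DOCDIR \"$docdir\"
config_add_def INFODIR \"$infodir\"
config_add_def HTMLDIR \"$htmldir\"
config_add_def DVIDIR \"$dvidir\"
config_add_def PDFDIR \"$pdfdir\"
config_add_def PSDIR \"$psdir\"
config_add_def LIBDIR \"$libdir\"
config_add_def LOCALEDIR \"$localedir\"
config_add_def MANDIR \"$mandir\"
# Security-relevant paths baked into the binary: the capability policy and
# the execution control list live under SYSCONFDIR, session mounts under
# LOCALSTATEDIR.
config_add_def SINGULARITY_CONFDIR SYSCONFDIR \"/singularity\"
config_add_def CAPABILITY_FILE SINGULARITY_CONFDIR \"/capability.json\"
config_add_def ECL_FILE SINGULARITY_CONFDIR \"/ecl.toml\"
config_add_def SESSIONDIR LOCALSTATEDIR \"/singularity/mnt/session\"

# Only a "unix" host builds the container runtime; on other hosts the
# failures below are reported but not fatal.
build_runtime=0
if [ "$host" = "unix" ]; then
  build_runtime=1
fi

########################
# ns: CLONE_NEWPID
########################
printf " checking: namespace: CLONE_NEWPID... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWPID); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWPID 1
else
  echo "no"
fi

########################
# ns: CLONE_FS
########################
printf " checking: namespace: CLONE_FS... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_FS); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_FS 1
else
  echo "no"
fi

########################
# ns: CLONE_NEWNS
########################
# The mount namespace is the one isolation primitive the runtime cannot do
# without, hence the hard failure when building the runtime.
printf " checking: namespace: CLONE_NEWNS... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWNS); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWNS 1
else
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "This host does not support the CLONE_NEWNS (mount) namespace flag! You"
    echo "really really really don't want to run Singularity containers without a"
    echo "Separate mount name namespace!"
    echo
    exit 2
  fi
fi

########################
# ns: CLONE_NEWUSER
########################
printf " checking: namespace: CLONE_NEWUSER... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWUSER); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWUSER 1
else
  echo "no"
fi

########################
# ns: CLONE_NEWIPC
########################
printf " checking: namespace: CLONE_NEWIPC... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWIPC); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWIPC 1
else
  echo "no"
fi

########################
# ns: CLONE_NEWNET
########################
printf " checking: namespace: CLONE_NEWNET... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWNET); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWNET 1
else
  echo "no"
fi

########################
# ns: CLONE_NEWUTS
########################
printf " checking: namespace: CLONE_NEWUTS... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWUTS); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWUTS 1
else
  echo "no"
fi

########################
# ns: CLONE_NEWCGROUP
########################
printf " checking: namespace: CLONE_NEWCGROUP... "
if printf "#define _GNU_SOURCE\n#include <sched.h>\nint main() { unshare(CLONE_NEWCGROUP); }" | compiles; then
  echo "yes"
  config_add_def NS_CLONE_NEWCGROUP 1
else
  echo "no"
fi

########################
# feature: NO_NEW_PRIVS
########################
# PR_SET_NO_NEW_PRIVS is what stops setuid/file-capability binaries from
# regaining privilege inside a container, so this is compiled AND run: the
# test process sets the bit on itself (harmless, it exits right after) and
# reads it back. The fallback numeric values cover old headers.
# NOTE(review): a compile failure is only fatal when building the runtime,
# but a kernel without NNP support is fatal unconditionally; kept as is
# since the message says an updated kernel is required in any case.
printf " checking: feature: NO_NEW_PRIVS... "
testprog=$makeit_testprogdir/test_nnp
cat > "${testprog}.c" << 'EOF'
#include <sys/prctl.h>
#ifndef PR_SET_NO_NEW_PRIVS
# define PR_SET_NO_NEW_PRIVS 38
# define PR_GET_NO_NEW_PRIVS 39
#endif
int main() {
  if( prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ) { return 1; }
  if( prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1 ) { return 1; }
  return 0;
}
EOF
if ! $tgtcc -x c -o "$testprog" "${testprog}.c" >/dev/null 2>&1; then
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo "ERROR: Failed to compile NO_NEW_PRIVS test"
    exit 2
  fi
elif ! "$testprog"; then
  # Runs on the build host: see the header comment about cross-builds.
  echo "ERROR: Kernel does not support NO_NEW_PRIVS. Updated Kernel is required."
  exit 2
else
  echo "yes"
  config_add_def SINGULARITY_NO_NEW_PRIVS 1
fi

########################
# feature: MS_SLAVE
########################
printf " checking: feature: MS_SLAVE... "
if printf "#include <sys/mount.h>\n#ifndef MS_SLAVE\n#error failed\n#endif\nint main() { }" | compiles; then
  echo "yes"
  config_add_def SINGULARITY_MS_SLAVE 1
else
  echo "no"
fi

########################
# feature: MS_REC
########################
# Required (no config def is emitted; its absence is simply fatal for a
# runtime build).
printf " checking: feature: MS_REC... "
if printf "#include <sys/mount.h>\n#ifndef MS_REC\n#error failed\n#endif\nint main() { }" | compiles; then
  echo "yes"
else
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "This host does not support the MS_REC mount option!"
    echo
    exit 2
  fi
fi

########################
# feature: MS_PRIVATE
########################
# Required, like MS_REC. tgtstatic is cleared on failure, presumably to tell
# the caller that a static link is no longer an option — preserved from the
# original behaviour.
printf " checking: feature: MS_PRIVATE... "
if printf "#include <sys/mount.h>\n#ifndef MS_PRIVATE\n#error failed\n#endif\nint main() { }" | compiles; then
  echo "yes"
else
  tgtstatic=0
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "This host does not support the MS_PRIVATE mount option!"
    echo
    exit 2
  fi
fi

########################
# user capabilities
########################
# Ambient capabilities (PR_CAP_AMBIENT) are probed by compiling and running
# a query-only prctl; a negative return means the build kernel lacks them.
# Only the kernel's support is detected here, not any policy.
printf " checking: user capabilities... "
testprog=$makeit_testprogdir/test_ucap
cat > "${testprog}.c" << 'EOF'
#include <sys/prctl.h>
int main() {
  if( prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, 0, 0, 0) < 0 ) { return 1; }
  return 0;
}
EOF
if $tgtcc -x c -o "$testprog" "${testprog}.c" >/dev/null 2>&1 && "$testprog"; then
  echo "yes"
  config_add_def USER_CAPABILITIES 1
else
  echo "no"
fi

########################
# linux/securebits.h
########################
printf " checking: header linux/securebits.h... "
if printf "#include <linux/securebits.h>\nint main() { }" | compiles; then
  echo "yes"
  config_add_def SINGULARITY_SECUREBITS 1
else
  echo "no"
fi

########################
# linux/capability.h
########################
printf " checking: header linux/capability.h... "
if printf "#include <linux/capability.h>\nint main() { }" | compiles; then
  echo "yes"
else
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "linux/capability.h header not found, requires kernel headers installation."
    echo
    exit 2
  fi
fi

########################
# function setns
########################
# Look for a setns() wrapper in the target libc archive. Without it the
# runtime falls back to the raw syscall (SINGULARITY_SETNS_SYSCALL) when the
# build host exposes /proc/self/ns, otherwise the instance feature is off.
# The inner $tgtcc call stays inside the pipeline so its status cannot trip
# set -e; a missing libc.a just yields an empty $symb.
printf " checking: function setns... "
symb=$(nm -g "$($tgtcc --print-file-name=libc.a)" 2>/dev/null | awk '$2 == "T" && $3 == "setns" {print $3}')
if [ "X$symb" = "Xsetns" ]; then
  echo "yes"
else
  echo "no"
  config_add_def SINGULARITY_NO_SETNS 1
  if ! test -d "/proc/self/ns"; then
    echo "WARNING: instance feature is disabled due to lack of kernel support"
    echo
  else
    config_add_def SINGULARITY_SETNS_SYSCALL 1
  fi
fi

########################
# libssl dev
########################
# Note that the link test is against -lcrypto (the header is OpenSSL's), as
# in the original check.
printf " checking: libssl+headers... "
if printf "#include <openssl/sha.h>\nint main() { }" | compiles_with -lcrypto; then
  echo "yes"
else
  tgtstatic=0
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "Unable to find the libssl, need package openssl-devel (libssl-dev on Debian/Ubuntu)"
    echo
    exit 2
  fi
fi

########################
# libuuid dev
########################
printf " checking: libuuid+headers... "
if printf "#include <uuid/uuid.h>\nint main() { }" | compiles_with -luuid; then
  echo "yes"
else
  tgtstatic=0
  echo "no"
  if [ "$build_runtime" -eq 1 ]; then
    echo
    echo "unable to find the libuuid, need package libuuid-devel (uuid-dev on Debian/Ubuntu)"
    echo
    exit 2
  fi
fi

########################
# libseccomp dev
########################
# Optional: without libseccomp the syscall filter (appsec) is simply not
# built, which is a weaker sandbox but not an error.
printf " checking: libseccomp+headers... "
if printf "#include <seccomp.h>\nint main() { seccomp_syscall_resolve_name(\"read\"); }" | compiles_with -lseccomp; then
  echo "yes"
  appsec=1
else
  tgtstatic=0
  echo "no"
fi

config_add_footer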