From 6a9e8c5a57af0cb4bffa6c31488e7216b8c68741 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Fri, 14 Mar 2014 23:24:22 -0400
Subject: [PATCH] Disable seccomp-filter unless ENABLE_SECCOMP_FILTER is defined.

It is very likely to fail on untested architectures. I can only test it adequately on x64.
---
 ndhc/ndhc.c | 4 +++-
 ndhc/seccomp.c | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ndhc/ndhc.c b/ndhc/ndhc.c
index 3e7bbd1..f9b569a 100644
--- a/ndhc/ndhc.c
+++ b/ndhc/ndhc.c
@@ -91,7 +91,7 @@ static void show_usage(void)
 {
 printf(
 "ndhc " NDHC_VERSION ", dhcp client. Licensed under 2-clause BSD.\n"
-"Copyright (C) 2004-2012 Nicholas J. Kain\n"
+"Copyright (C) 2004-2014 Nicholas J. Kain\n"
 "Usage: ndhc [OPTIONS]\n\n"
 " -c, --clientid=CLIENTID Client identifier\n"
 " -h, --hostname=HOSTNAME Client hostname\n"
@@ -110,7 +110,9 @@ static void show_usage(void)
 " -u, --user=USER Change ndhc privileges to this user\n"
 " -U, --ifch-user=USER Change ndhc-ifch privileges to this user\n"
 " -C, --chroot=DIR Chroot to this directory\n"
+#ifdef ENABLE_SECCOMP_FILTER
 " -S, --seccomp-enforce Enforce seccomp syscall restrictions\n"
+#endif
 " -d, --relentless-defense Never back off in defending IP against\n"
 " conflicting hosts (servers only)\n"
 " -w, --arp-probe-wait Time to delay before first ARP probe\n"
diff --git a/ndhc/seccomp.c b/ndhc/seccomp.c
index dc891a9..e748cfc 100644
--- a/ndhc/seccomp.c
+++ b/ndhc/seccomp.c
@@ -34,6 +34,7 @@ bool seccomp_enforce = false;
 int enforce_seccomp_ndhc(void)
 {
+#ifdef ENABLE_SECCOMP_FILTER
 if (!seccomp_enforce)
 return 0;
 struct sock_filter filter[] = {
@@ -95,11 +96,13 @@ int enforce_seccomp_ndhc(void)
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
 return -1;
 log_line("ndhc seccomp filter installed. Please disable seccomp if you encounter problems.");
+#endif
 return 0;
 }
 int enforce_seccomp_ifch(void)
 {
+#ifdef ENABLE_SECCOMP_FILTER
 if (!seccomp_enforce)
 return 0;
 struct sock_filter filter[] = {
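Review bot: Hiding the `-S, --seccomp-enforce` usage line behind `#ifdef ENABLE_SECCOMP_FILTER` does not by itself stop the option from being accepted. The diffstat shows only these four lines of ndhc.c changing, so the option table and its handler, which lie outside this hunk, appear to be untouched. If that is the case, a build without the macro still takes `-S` and then runs without a filter while the operator believes enforcement was requested. Either place the option's parsing under the same `#ifdef`, or have the handler reject it with a message such as `"seccomp filter support was not compiled in"`. show_usage's body continues outside the hunk.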
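Review bot: With `ENABLE_SECCOMP_FILTER` undefined, `enforce_seccomp_ndhc()` returns 0 even when `seccomp_enforce` is true, so a caller cannot tell "filter installed" from "filter compiled out", and nothing is logged. For a hardening control that is a fail-open path; an `#else` branch such as `if (seccomp_enforce) { log_line("seccomp requested but not compiled in."); return -1; }` would make the request fail visibly (whether to return -1 or only warn depends on how the callers, not shown here, treat the result). The same applies to `enforce_seccomp_ifch()` in the two later hunks. Both function bodies run beyond the hunks shown.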
@@ -149,6 +152,7 @@ int enforce_seccomp_ifch(void)
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
 return -1;
 log_line("ndhc-ifch seccomp filter installed. Please disable seccomp if you encounter problems.");
+#endif
 return 0;
 }