From 3f4761f27198fb486acb3895405d46c95ed04861 Mon Sep 17 00:00:00 2001
From: Ben Kibbey <bjk@luxsci.net>
Date: Wed, 17 Sep 2014 21:30:13 -0400
Subject: [PATCH] Set PR_SET_DUMPABLE to 0 when available.

This disallows attaching to a pwmd process.
---
 configure.ac | 12 +++++++++---
 src/pwmd.c   |  4 ++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index f6394a7a..4f6faa4e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -83,7 +83,7 @@ AC_CHECK_DECLS([SO_BINDTODEVICE],,, [[#include <sys/types.h>
 
 case "$target_os" in
      linux*)
-	AC_CHECK_HEADERS([linux/sockios.h linux/prctl.h])
+	AC_CHECK_HEADERS([linux/sockios.h sys/prctl.h])
 	if test "x$ac_cv_header_linux_sockios_h" = xyes; then
 		AC_CHECK_DECL([SIOCOUTQ],,, [[#include <linux/sockios.h>]])
 		if test "x$ac_cv_have_decl_SIOCOUTQ" = xyes; then
@@ -92,12 +92,18 @@ case "$target_os" in
 		fi
 	fi
 
-	if test "x$ac_cv_header_linux_prctl_h" = xyes; then
-	   AC_CHECK_DECL([PR_SET_NAME],,, [[#include <linux/prctl.h>]])
+	if test "x$ac_cv_header_sys_prctl_h" = xyes; then
+	   AC_CHECK_DECL([PR_SET_NAME],,, [[#include <sys/prctl.h>]])
 	      if test "x$ac_cv_have_decl_PR_SET_NAME" = xyes; then
 	            AC_DEFINE(HAVE_PR_SET_NAME, 1,
 		       	     [Defined if PR_SET_NAME is available (Linux specific)])
 	      fi
+
+	   AC_CHECK_DECL([PR_SET_DUMPABLE],,, [[#include <sys/prctl.h>]])
+	      if test "x$ac_cv_have_decl_PR_SET_DUMPABLE" = xyes; then
+	            AC_DEFINE(HAVE_PR_SET_DUMPABLE, 1,
+		      	     [Defined if PR_SET_DUMPABLE is available (Linux specific)])
+	      fi
 	fi
 	;;
      openbsd*)
diff --git a/src/pwmd.c b/src/pwmd.c
index 921d0ace..1e7f7f46 100644
--- a/src/pwmd.c
+++ b/src/pwmd.c
@@ -2645,6 +2645,10 @@ main (int argc, char *argv[])
   if (setrlimit (RLIMIT_CORE, &rl) != 0)
     err (EXIT_FAILURE, "setrlimit()");
 #endif
+
+#ifdef HAVE_PR_SET_DUMPABLE
+  prctl (PR_SET_DUMPABLE, 0);
+#endif
 #endif
 
 #ifdef ENABLE_NLS
-- 
2.11.4.GIT