
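--- a/Makefile
+++ b/Makefile
@@ -13,13 +13,15 @@
 WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
 USES=		gmake tar:bzip2
 GNU_CONFIGURE=	yes
+USE_AUTOTOOLS=	autoconf
 CONFIGURE_ARGS=	--disable-pcap-restart
 MAKE_JOBS_UNSAFE=	yes
 
-OPTIONS_DEFINE=	PCRE PORTS_PCAP IPV6 DOCS
+OPTIONS_DEFINE=	PCRE PORTS_PCAP IPV6 DOCS CAPSICUM
-OPTIONS_DEFAULT=	PCRE IPV6
+OPTIONS_DEFAULT=	PCRE IPV6 CAPSICUM
 PCRE_DESC=		Use PCRE instead of GNU regex
 PORTS_PCAP_DESC=	Use ports PCAP instead of system PCAP
+CAPSICUM_DESC=		Build with capsicum if kernel supports it
 
 PLIST_FILES=	bin/ngrep man/man8/ngrep.8.gz
 
@@ -43,6 +45,10 @@
 CONFIGURE_ARGS+=	--enable-ipv6
 .endif
 
+.if ${PORT_OPTIONS:MIPV6}
+CONFIGURE_ARGS+=        --enable-capsicum
+.endif
+
 post-patch:
 .if ${PORT_OPTIONS:MPORTS_PCAP}
 	@${REINPLACE_CMD} -e "s|-lpcap|${LOCALBASE}/lib/libpcap.a|g" \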
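Review bot: The block added at new lines 48-50 tests `${PORT_OPTIONS:MIPV6}` before appending `--enable-capsicum`, so the new CAPSICUM option never controls the configure flag. A build with CAPSICUM selected and IPV6 deselected gets no sandbox, and one with IPV6 selected and CAPSICUM deselected still requests it. The guard should read `.if ${PORT_OPTIONS:MCAPSICUM}`. The `CONFIGURE_ARGS+=` line in that block also pads with spaces where the neighbouring assignments use a tab.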
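--- a/files/patch-Configure.in
+++ b/files/patch-Configure.in
@@ -0,0 +1,45 @@
+--- configure.in.orig	2006-11-15 07:43:56.000000000 +0400
++++ configure.in	2014-12-12 00:01:00.000000000 +0400
+@@ -110,6 +110,34 @@ else
+    USE_IPv6="0"
+ fi
+ 
++AC_ARG_ENABLE(capsicum,
++[  --enable-capsicum           enable capsicum support],
++[
++  use_capsicum="$enableval"
++],
++[ 
++  use_capsicum="no"
++])  
++
++#
++# Check whether various functions are available.  If any are, set
++# ac_lbl_capsicum_function_seen to yes; if any are not, set
++# ac_lbl_capsicum_function_not_seen to yes.
++#
++# All of them must be available in order to enable capsicum sandboxing.
++#
++if test $use_capsicum = yes && test $use_capsicum != no ; then
++	AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
++	    ac_lbl_capsicum_function_seen=yes,
++	    ac_lbl_capsicum_function_not_seen=yes)
++fi
++AC_MSG_CHECKING([whether to sandbox using capsicum])
++if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
++	HAVE_CAPSICUM="1"
++	AC_MSG_RESULT(yes)
++else
++	AC_MSG_RESULT(no)
++fi
+ 
+ dnl
+ dnl Configure the regular expression library.
+@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,    
+ 
+ AC_DEFINE_UNQUOTED(USE_PCRE,                  $USE_PCRE,                  [whether to use PCRE (default GNU Regex)])
+ AC_DEFINE_UNQUOTED(USE_IPv6,                  $USE_IPv6,                  [whether to use IPv6 (default off)])
++AC_DEFINE_UNQUOTED(HAVE_CAPSICUM,	      $HAVE_CAPSICUM,		  [whether to use capsicum])
+ 
+ AC_DEFINE_UNQUOTED(USE_DROPPRIVS,             $USE_DROPPRIVS,             [whether to use privileges dropping (default yes)])
+ AC_DEFINE_UNQUOTED(DROPPRIVS_USER,           "$DROPPRIVS_USER",           [pseudo-user for running ngrep (default "nobody")])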
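Review bot: `HAVE_CAPSICUM` is assigned only on the success branch of the final `if`, yet the second hunk always passes `$HAVE_CAPSICUM` to `AC_DEFINE_UNQUOTED`, so with the option off or a function missing the macro is still defined, just with an empty value. The ngrep.c patch on this page tests it with `#ifdef HAVE_CAPSICUM`, which an empty definition satisfies, so the sandbox code would presumably be compiled in whatever configure decided. Either emit the define only on success with `AC_DEFINE(HAVE_CAPSICUM, 1, [whether to use capsicum])` inside the `then` branch, or add `HAVE_CAPSICUM="0"` to the `else` branch and have the C side use `#if HAVE_CAPSICUM`. The function list checks `openat`, which the C patch never calls, but not `cap_rights_init`, which it does. The guard `test $use_capsicum = yes && test $use_capsicum != no` is redundant and unquoted; `test "x$use_capsicum" = "xyes"` is enough.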
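--- a/files/patch-ngrep.c
+++ b/files/patch-ngrep.c
@@ -0,0 +1,61 @@
+--- ngrep.c.orig	2006-11-28 17:38:43.000000000 +0400
++++ ngrep.c	2014-12-12 00:38:24.000000000 +0400
+@@ -97,6 +97,10 @@
+ #include "regex-0.12/regex.h"
+ #endif
+ 
++#ifdef HAVE_CAPSICUM
++#include <sys/capability.h>
++#endif /* HAVE CAPSICUM */
++
+ #include "ngrep.h"
+ 
+ 
+@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
+ int main(int argc, char **argv) {
+     int32_t c;
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_t rights;
++#endif /* HAVE_CAPSICUM */
++
+     signal(SIGINT,   clean_exit);
+     signal(SIGABRT,  clean_exit);
+ 
+@@ -416,6 +424,15 @@ int main(int argc, char **argv) {
+         clean_exit(-1);
+     }
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
++    if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
++        errno != ENOSYS) {
++        fprintf(stderr, "unable to limit pcap descriptor");
++        clean_exit(-1);  
++        }
++#endif /* HAVE CAPSICUM */
++
+     if (match_data) {
+         if (bin_match) {
+             uint32_t i = 0, n;
+@@ -603,6 +620,20 @@ int main(int argc, char **argv) {
+     drop_privs();
+ #endif
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_init(&rights);
++
++   if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
++       fprintf(stderr, "can't limit stdin");
++       clean_exit(-1);
++   }
++
++   if (cap_enter() < 0 && errno != ENOSYS) {
++       fprintf(stderr, "Can't enter capability mode");
++       clean_exit(-1);
++    }
++#endif /* HAVE_CAPSICUM */
++
+     while (pcap_loop(pd, 0, (pcap_handler)process, 0));
+ 
+     clean_exit(0);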
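Review bot: The hunk at new line 424 grants the pcap descriptor `CAP_IOCTL` but never calls `cap_ioctls_limit()`, even though configure checks for it, so every ioctl the descriptor supports stays reachable inside the sandbox. Following the rights call with an allowlist such as `cap_ioctls_limit(pcap_fileno(pd), cmds, sizeof(cmds) / sizeof(cmds[0]))`, with `cmds` holding only the commands libpcap still issues after this point, would close that gap. `pcap_fileno(pd)` is also passed unchecked: if `pd` can be a savefile handle here, some libpcap versions return -1, and the resulting non-ENOSYS failure would abort the run. In the last hunk only stdin is limited before `cap_enter()`, leaving stdout and stderr with full rights, and the three `fprintf` messages lack a trailing newline. main() starts and ends outside these hunks, so any later code that opens files or sockets after `cap_enter()` is not visible here.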
