Attachment #150499 for bug #195910

View | Details | Raw Unified | Return to bug 195910 | Differences between
Collapse All | Expand All




WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
USES=		gmake tar:bzip2
GNU_CONFIGURE=	yes
USE_AUTOTOOLS=	autoconf
CONFIGURE_ARGS=	--disable-pcap-restart
MAKE_JOBS_UNSAFE=	yes

OPTIONS_DEFINE=	PCRE PORTS_PCAP IPV6 DOCS CAPSICUM
OPTIONS_DEFAULT=	PCRE IPV6 CAPSICUM
PCRE_DESC=		Use PCRE instead of GNU regex
PORTS_PCAP_DESC=	Use ports PCAP instead of system PCAP
CAPSICUM_DESC=		Build with capsicum if kernel supports it

PLIST_FILES=	bin/ngrep man/man8/ngrep.8.gz


CONFIGURE_ARGS+=	--enable-ipv6
.endif

.if ${PORT_OPTIONS:CAPSICUM}
CONFIGURE_ARGS+=        --enable-capsicum
.endif

post-patch:
.if ${PORT_OPTIONS:MPORTS_PCAP}
	@${REINPLACE_CMD} -e "s|-lpcap|${LOCALBASE}/lib/libpcap.a|g" \




--- configure.in.orig	2006-11-15 07:43:56.000000000 +0400
+++ configure.in	2014-12-12 00:01:00.000000000 +0400
@@ -110,6 +110,34 @@ else
    USE_IPv6="0"
 fi
 
+AC_ARG_ENABLE(capsicum,
+[  --enable-capsicum           enable capsicum support],
+[
+  use_capsicum="$enableval"
+],
+[ 
+  use_capsicum="no"
+])  
+
+#
+# Check whether various functions are available.  If any are, set
+# ac_lbl_capsicum_function_seen to yes; if any are not, set
+# ac_lbl_capsicum_function_not_seen to yes.
+#
+# All of them must be available in order to enable capsicum sandboxing.
+#
+if test $use_capsicum = yes && test $use_capsicum != no ; then
+	AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
+	    ac_lbl_capsicum_function_seen=yes,
+	    ac_lbl_capsicum_function_not_seen=yes)
+fi
+AC_MSG_CHECKING([whether to sandbox using capsicum])
+if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
+	HAVE_CAPSICUM="1"
+	AC_MSG_RESULT(yes)
+else
+	AC_MSG_RESULT(no)
+fi
 
 dnl
 dnl Configure the regular expression library.
@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,    
 
 AC_DEFINE_UNQUOTED(USE_PCRE,                  $USE_PCRE,                  [whether to use PCRE (default GNU Regex)])
 AC_DEFINE_UNQUOTED(USE_IPv6,                  $USE_IPv6,                  [whether to use IPv6 (default off)])
+AC_DEFINE_UNQUOTED(HAVE_CAPSICUM,	      $HAVE_CAPSICUM,		  [whether to use capsicum])
 
 AC_DEFINE_UNQUOTED(USE_DROPPRIVS,             $USE_DROPPRIVS,             [whether to use privileges dropping (default yes)])
 AC_DEFINE_UNQUOTED(DROPPRIVS_USER,           "$DROPPRIVS_USER",           [pseudo-user for running ngrep (default "nobody")])




--- ngrep.c.orig	2006-11-28 17:38:43.000000000 +0400
+++ ngrep.c	2014-12-12 00:38:24.000000000 +0400
@@ -97,6 +97,10 @@
 #include "regex-0.12/regex.h"
 #endif
 
+#ifdef HAVE_CAPSICUM
+#include <sys/capability.h>
+#endif /* HAVE CAPSICUM */
+
 #include "ngrep.h"
 
 
@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
 int main(int argc, char **argv) {
     int32_t c;
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_t rights;
+#endif /* HAVE_CAPSICUM */
+
     signal(SIGINT,   clean_exit);
     signal(SIGABRT,  clean_exit);
 
@@ -416,6 +424,15 @@ int main(int argc, char **argv) {
         clean_exit(-1);
     }
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+    if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
+        errno != ENOSYS) {
+        fprintf(stderr, "unable to limit pcap descriptor");
+        clean_exit(-1);  
+        }
+#endif /* HAVE CAPSICUM */
+
     if (match_data) {
         if (bin_match) {
             uint32_t i = 0, n;
@@ -603,6 +620,20 @@ int main(int argc, char **argv) {
     drop_privs();
 #endif
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_init(&rights);
+
+   if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
+       fprintf(stderr, "can't limit stdin");
+       clean_exit(-1);
+   }
+
+   if (cap_enter() < 0 && errno != ENOSYS) {
+       fprintf(stderr, "Can't enter capability mode");
+       clean_exit(-1);
+    }
+#endif /* HAVE_CAPSICUM */
+
     while (pcap_loop(pd, 0, (pcap_handler)process, 0));
 
     clean_exit(0);

Return to bug 195910

Lines 13-25 Link Here

(-)Makefile (-2 / +8 lines)
13	WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}	13	WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
14	USES= gmake tar:bzip2	14	USES= gmake tar:bzip2
15	GNU_CONFIGURE= yes	15	GNU_CONFIGURE= yes
		16	USE_AUTOTOOLS= autoconf
16	CONFIGURE_ARGS= --disable-pcap-restart	17	CONFIGURE_ARGS= --disable-pcap-restart
17	MAKE_JOBS_UNSAFE= yes	18	MAKE_JOBS_UNSAFE= yes
18		19
19	OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS	20	OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS CAPSICUM
20	OPTIONS_DEFAULT= PCRE IPV6	21	OPTIONS_DEFAULT= PCRE IPV6 CAPSICUM
21	PCRE_DESC= Use PCRE instead of GNU regex	22	PCRE_DESC= Use PCRE instead of GNU regex
22	PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP	23	PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP
		24	CAPSICUM_DESC= Build with capsicum if kernel supports it
23		25
24	PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz	26	PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz
25		27
Lines 43-48 Link Here
43	CONFIGURE_ARGS+= --enable-ipv6	45	CONFIGURE_ARGS+= --enable-ipv6
44	.endif	46	.endif
45		47
		48	.if ${PORT_OPTIONS:CAPSICUM}
		49	CONFIGURE_ARGS+= --enable-capsicum
		50	.endif
		51
46	post-patch:	52	post-patch:
47	.if ${PORT_OPTIONS:MPORTS_PCAP}	53	.if ${PORT_OPTIONS:MPORTS_PCAP}
48	@${REINPLACE_CMD} -e "s\|-lpcap\|${LOCALBASE}/lib/libpcap.a\|g" \	54	@${REINPLACE_CMD} -e "s\|-lpcap\|${LOCALBASE}/lib/libpcap.a\|g" \

Line 0 Link Here

(-)files/patch-Configure.in (+45 lines)
	1	--- configure.in.orig 2006-11-15 07:43:56.000000000 +0400
	2	+++ configure.in 2014-12-12 00:01:00.000000000 +0400
	3	@@ -110,6 +110,34 @@ else
	4	USE_IPv6="0"
	5	fi
	6
	7	+AC_ARG_ENABLE(capsicum,
	8	+[ --enable-capsicum enable capsicum support],
	9	+[
	10	+ use_capsicum="$enableval"
	11	+],
	12	+[
	13	+ use_capsicum="no"
	14	+])
	15	+
	16	+#
	17	+# Check whether various functions are available. If any are, set
	18	+# ac_lbl_capsicum_function_seen to yes; if any are not, set
	19	+# ac_lbl_capsicum_function_not_seen to yes.
	20	+#
	21	+# All of them must be available in order to enable capsicum sandboxing.
	22	+#
	23	+if test $use_capsicum = yes && test $use_capsicum != no ; then
	24	+ AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
	25	+ ac_lbl_capsicum_function_seen=yes,
	26	+ ac_lbl_capsicum_function_not_seen=yes)
	27	+fi
	28	+AC_MSG_CHECKING([whether to sandbox using capsicum])
	29	+if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
	30	+ HAVE_CAPSICUM="1"
	31	+ AC_MSG_RESULT(yes)
	32	+else
	33	+ AC_MSG_RESULT(no)
	34	+fi
	35
	36	dnl
	37	dnl Configure the regular expression library.
	38	@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,
	39
	40	AC_DEFINE_UNQUOTED(USE_PCRE, $USE_PCRE, [whether to use PCRE (default GNU Regex)])
	41	AC_DEFINE_UNQUOTED(USE_IPv6, $USE_IPv6, [whether to use IPv6 (default off)])
	42	+AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, [whether to use capsicum])
	43
	44	AC_DEFINE_UNQUOTED(USE_DROPPRIVS, $USE_DROPPRIVS, [whether to use privileges dropping (default yes)])
	45	AC_DEFINE_UNQUOTED(DROPPRIVS_USER, "$DROPPRIVS_USER", [pseudo-user for running ngrep (default "nobody")])

Line 0 Link Here

(-)files/patch-ngrep.c (+61 lines)
	1	--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
	2	+++ ngrep.c 2014-12-12 00:38:24.000000000 +0400
	3	@@ -97,6 +97,10 @@
	4	#include "regex-0.12/regex.h"
	5	#endif
	6
	7	+#ifdef HAVE_CAPSICUM
	8	+#include <sys/capability.h>
	9	+#endif /* HAVE CAPSICUM */
	10	+
	11	#include "ngrep.h"
	12
	13
	14	@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
	15	int main(int argc, char **argv) {
	16	int32_t c;
	17
	18	+#ifdef HAVE_CAPSICUM
	19	+ cap_rights_t rights;
	20	+#endif /* HAVE_CAPSICUM */
	21	+
	22	signal(SIGINT, clean_exit);
	23	signal(SIGABRT, clean_exit);
	24
	25	@@ -416,6 +424,15 @@ int main(int argc, char **argv) {
	26	clean_exit(-1);
	27	}
	28
	29	+#ifdef HAVE_CAPSICUM
	30	+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
	31	+ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
	32	+ errno != ENOSYS) {
	33	+ fprintf(stderr, "unable to limit pcap descriptor");
	34	+ clean_exit(-1);
	35	+ }
	36	+#endif /* HAVE CAPSICUM */
	37	+
	38	if (match_data) {
	39	if (bin_match) {
	40	uint32_t i = 0, n;
	41	@@ -603,6 +620,20 @@ int main(int argc, char **argv) {
	42	drop_privs();
	43	#endif
	44
	45	+#ifdef HAVE_CAPSICUM
	46	+ cap_rights_init(&rights);
	47	+
	48	+ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
	49	+ fprintf(stderr, "can't limit stdin");
	50	+ clean_exit(-1);
	51	+ }
	52	+
	53	+ if (cap_enter() < 0 && errno != ENOSYS) {
	54	+ fprintf(stderr, "Can't enter capability mode");
	55	+ clean_exit(-1);
	56	+ }
	57	+#endif /* HAVE_CAPSICUM */
	58	+
	59	while (pcap_loop(pd, 0, (pcap_handler)process, 0));
	60
	61	clean_exit(0);