Attachment #150718 for bug #195910

View | Details | Raw Unified | Return to bug 195910 | Differences between
Collapse All | Expand All





PORTNAME=	ngrep
PORTVERSION=	1.45
PORTREVISION=	2
CATEGORIES=	net security
MASTER_SITES=	SF

MAINTAINER=	logan@elandsys.com
COMMENT=	Network grep

LICENSE=	BSD4CLAUSE

WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
USES=		gmake tar:bzip2
GNU_CONFIGURE=	yes
USE_AUTOTOOLS=	autoconf
CONFIGURE_ARGS=	--disable-pcap-restart
MAKE_JOBS_UNSAFE=	yes

OPTIONS_DEFINE=	CAPSICUM DOCS IPV6 PCRE PORTS_PCAP
OPTIONS_DEFAULT=	PCRE IPV6 CAPSICUM
PCRE_DESC=		Use PCRE instead of GNU regex
PORTS_PCAP_DESC=	Use ports PCAP instead of system PCAP
CAPSICUM_DESC=		Build with capsicum if kernel supports it

PLIST_FILES=	bin/ngrep man/man8/ngrep.8.gz



.include <bsd.port.options.mk>

PCRE_CONFIGURE_ARGS=	--enable-pcre
CONFIGURE_ARGS+=	--enable-pcre
.endif

.if ${PORT_OPTIONS:MPORTS_PCAP}
CONFIGURE_ARGS+=	--with-pcap-includes=${LOCALBASE}/include

CONFIGURE_ARGS+=	--with-pcap-includes=/usr/include
.endif

IPV6_CONFIGURE_ARGS=	--enable-ipv6
CONFIGURE_ARGS+=	--enable-ipv6
.endif

CAPSICUM_CONFIGURE_ARGS=	--enable-capsicum

post-patch:
.if ${PORT_OPTIONS:MPORTS_PCAP}
	@${REINPLACE_CMD} -e "s|-lpcap|${LOCALBASE}/lib/libpcap.a|g" \




--- configure.in.orig	2006-11-15 07:43:56.000000000 +0400
+++ configure.in	2014-12-12 00:01:00.000000000 +0400
@@ -110,6 +110,34 @@ else
    USE_IPv6="0"
 fi
 
+AC_ARG_ENABLE(capsicum,
+[  --enable-capsicum           enable capsicum support],
+[
+  use_capsicum="$enableval"
+],
+[ 
+  use_capsicum="no"
+])  
+
+#
+# Check whether various functions are available.  If any are, set
+# ac_lbl_capsicum_function_seen to yes; if any are not, set
+# ac_lbl_capsicum_function_not_seen to yes.
+#
+# All of them must be available in order to enable capsicum sandboxing.
+#
+if test $use_capsicum = yes && test $use_capsicum != no ; then
+	AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
+	    ac_lbl_capsicum_function_seen=yes,
+	    ac_lbl_capsicum_function_not_seen=yes)
+fi
+AC_MSG_CHECKING([whether to sandbox using capsicum])
+if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
+	HAVE_CAPSICUM="1"
+	AC_MSG_RESULT(yes)
+else
+	AC_MSG_RESULT(no)
+fi
 
 dnl
 dnl Configure the regular expression library.
@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,    
 
 AC_DEFINE_UNQUOTED(USE_PCRE,                  $USE_PCRE,                  [whether to use PCRE (default GNU Regex)])
 AC_DEFINE_UNQUOTED(USE_IPv6,                  $USE_IPv6,                  [whether to use IPv6 (default off)])
+AC_DEFINE_UNQUOTED(HAVE_CAPSICUM,	      $HAVE_CAPSICUM,		  [whether to use capsicum])
 
 AC_DEFINE_UNQUOTED(USE_DROPPRIVS,             $USE_DROPPRIVS,             [whether to use privileges dropping (default yes)])
 AC_DEFINE_UNQUOTED(DROPPRIVS_USER,           "$DROPPRIVS_USER",           [pseudo-user for running ngrep (default "nobody")])




--- ngrep.c.orig	2006-11-28 17:38:43.000000000 +0400
+++ ngrep.c	2014-12-12 11:14:13.000000000 +0400
@@ -97,6 +97,10 @@
 #include "regex-0.12/regex.h"
 #endif
 
+#ifdef HAVE_CAPSICUM
+#include <sys/capability.h>
+#endif /* HAVE CAPSICUM */
+
 #include "ngrep.h"
 
 
@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
 int main(int argc, char **argv) {
     int32_t c;
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_t rights;
+#endif /* HAVE_CAPSICUM */
+
     signal(SIGINT,   clean_exit);
     signal(SIGABRT,  clean_exit);
 
@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
         clean_exit(-1);
     }
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+    if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
+        errno != ENOSYS) {
+        fprintf(stderr, "unable to limit pcap descriptor");
+        clean_exit(-1);  
+        }
+
+    static const unsigned long cmds[] = { BIOCGSTATS };
+    if (cap_ioctls_limit(pcap_fileno(pd), cmds,
+        sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
+	fprintf(stderr, "unable to limit ioctls on pcap descriptor");
+        clean_exit(-1);
+	}
+
+#endif /* HAVE CAPSICUM */
+
     if (match_data) {
         if (bin_match) {
             uint32_t i = 0, n;
@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
     drop_privs();
 #endif
 
+#ifdef HAVE_CAPSICUM
+    cap_rights_init(&rights);
+
+   if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
+       fprintf(stderr, "can't limit stdin");
+       clean_exit(-1);
+   }
+
+   if (cap_enter() < 0 && errno != ENOSYS) {
+       fprintf(stderr, "Can't enter capability mode");
+       clean_exit(-1);
+    }
+#endif /* HAVE_CAPSICUM */
+
     while (pcap_loop(pd, 0, (pcap_handler)process, 0));
 
     clean_exit(0);

Return to bug 195910

Lines 3-25 Link Here

(-)Makefile (-10 / +12 lines)
3		3
4	PORTNAME= ngrep	4	PORTNAME= ngrep
5	PORTVERSION= 1.45	5	PORTVERSION= 1.45
6	PORTREVISION= 1	6	PORTREVISION= 2
7	CATEGORIES= net security	7	CATEGORIES= net security
8	MASTER_SITES= SF	8	MASTER_SITES= SF
9		9
10	MAINTAINER= edwin@mavetju.org	10	MAINTAINER= logan@elandsys.com
11	COMMENT= Network grep	11	COMMENT= Network grep
12		12
		13	LICENSE= BSD4CLAUSE
		14
13	WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}	15	WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
14	USES= gmake tar:bzip2	16	USES= gmake tar:bzip2
15	GNU_CONFIGURE= yes	17	GNU_CONFIGURE= yes
		18	USE_AUTOTOOLS= autoconf
16	CONFIGURE_ARGS= --disable-pcap-restart	19	CONFIGURE_ARGS= --disable-pcap-restart
17	MAKE_JOBS_UNSAFE= yes	20	MAKE_JOBS_UNSAFE= yes
18		21
19	OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS	22	OPTIONS_DEFINE= CAPSICUM DOCS IPV6 PCRE PORTS_PCAP
20	OPTIONS_DEFAULT= PCRE IPV6	23	OPTIONS_DEFAULT= PCRE IPV6 CAPSICUM
21	PCRE_DESC= Use PCRE instead of GNU regex	24	PCRE_DESC= Use PCRE instead of GNU regex
22	PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP	25	PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP
		26	CAPSICUM_DESC= Build with capsicum if kernel supports it
23		27
24	PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz	28	PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz
25		29
Lines 28-36 Link Here
28		32
29	.include <bsd.port.options.mk>	33	.include <bsd.port.options.mk>
30		34
31	.if ${PORT_OPTIONS:MPCRE}	35	PCRE_CONFIGURE_ARGS= --enable-pcre
32	CONFIGURE_ARGS+= --enable-pcre
33	.endif
34		36
35	.if ${PORT_OPTIONS:MPORTS_PCAP}	37	.if ${PORT_OPTIONS:MPORTS_PCAP}
36	CONFIGURE_ARGS+= --with-pcap-includes=${LOCALBASE}/include	38	CONFIGURE_ARGS+= --with-pcap-includes=${LOCALBASE}/include
Lines 39-48 Link Here
39	CONFIGURE_ARGS+= --with-pcap-includes=/usr/include	41	CONFIGURE_ARGS+= --with-pcap-includes=/usr/include
40	.endif	42	.endif
41		43
42	.if ${PORT_OPTIONS:MIPV6}	44	IPV6_CONFIGURE_ARGS= --enable-ipv6
43	CONFIGURE_ARGS+= --enable-ipv6
44	.endif
45		45
		46	CAPSICUM_CONFIGURE_ARGS= --enable-capsicum
		47
46	post-patch:	48	post-patch:
47	.if ${PORT_OPTIONS:MPORTS_PCAP}	49	.if ${PORT_OPTIONS:MPORTS_PCAP}
48	@${REINPLACE_CMD} -e "s\|-lpcap\|${LOCALBASE}/lib/libpcap.a\|g" \	50	@${REINPLACE_CMD} -e "s\|-lpcap\|${LOCALBASE}/lib/libpcap.a\|g" \

Line 0 Link Here

(-)files/patch-Configure.in (+45 lines)
	1	--- configure.in.orig 2006-11-15 07:43:56.000000000 +0400
	2	+++ configure.in 2014-12-12 00:01:00.000000000 +0400
	3	@@ -110,6 +110,34 @@ else
	4	USE_IPv6="0"
	5	fi
	6
	7	+AC_ARG_ENABLE(capsicum,
	8	+[ --enable-capsicum enable capsicum support],
	9	+[
	10	+ use_capsicum="$enableval"
	11	+],
	12	+[
	13	+ use_capsicum="no"
	14	+])
	15	+
	16	+#
	17	+# Check whether various functions are available. If any are, set
	18	+# ac_lbl_capsicum_function_seen to yes; if any are not, set
	19	+# ac_lbl_capsicum_function_not_seen to yes.
	20	+#
	21	+# All of them must be available in order to enable capsicum sandboxing.
	22	+#
	23	+if test $use_capsicum = yes && test $use_capsicum != no ; then
	24	+ AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
	25	+ ac_lbl_capsicum_function_seen=yes,
	26	+ ac_lbl_capsicum_function_not_seen=yes)
	27	+fi
	28	+AC_MSG_CHECKING([whether to sandbox using capsicum])
	29	+if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
	30	+ HAVE_CAPSICUM="1"
	31	+ AC_MSG_RESULT(yes)
	32	+else
	33	+ AC_MSG_RESULT(no)
	34	+fi
	35
	36	dnl
	37	dnl Configure the regular expression library.
	38	@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,
	39
	40	AC_DEFINE_UNQUOTED(USE_PCRE, $USE_PCRE, [whether to use PCRE (default GNU Regex)])
	41	AC_DEFINE_UNQUOTED(USE_IPv6, $USE_IPv6, [whether to use IPv6 (default off)])
	42	+AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, [whether to use capsicum])
	43
	44	AC_DEFINE_UNQUOTED(USE_DROPPRIVS, $USE_DROPPRIVS, [whether to use privileges dropping (default yes)])
	45	AC_DEFINE_UNQUOTED(DROPPRIVS_USER, "$DROPPRIVS_USER", [pseudo-user for running ngrep (default "nobody")])

Line 0 Link Here

(-)files/patch-ngrep.c (+69 lines)
		1	--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
		2	+++ ngrep.c 2014-12-12 11:14:13.000000000 +0400
		3	@@ -97,6 +97,10 @@
		4	#include "regex-0.12/regex.h"
		5	#endif
		6
		7	+#ifdef HAVE_CAPSICUM
		8	+#include <sys/capability.h>
		9	+#endif /* HAVE CAPSICUM */
		10	+
		11	#include "ngrep.h"
		12
		13
		14	@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
		15	int main(int argc, char **argv) {
		16	int32_t c;
		17
		18	+#ifdef HAVE_CAPSICUM
		19	+ cap_rights_t rights;
		20	+#endif /* HAVE_CAPSICUM */
		21	+
		22	signal(SIGINT, clean_exit);
		23	signal(SIGABRT, clean_exit);
		24
		25	@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
		26	clean_exit(-1);
		27	}
		28
		29	+#ifdef HAVE_CAPSICUM
		30	+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
		31	+ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
		32	+ errno != ENOSYS) {
		33	+ fprintf(stderr, "unable to limit pcap descriptor");
		34	+ clean_exit(-1);
		35	+ }
		36	+
		37	+ static const unsigned long cmds[] = { BIOCGSTATS };
		38	+ if (cap_ioctls_limit(pcap_fileno(pd), cmds,
		39	+ sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
		40	+ fprintf(stderr, "unable to limit ioctls on pcap descriptor");
		41	+ clean_exit(-1);
		42	+ }
		43	+
		44	+#endif /* HAVE CAPSICUM */
		45	+
		46	if (match_data) {
		47	if (bin_match) {
		48	uint32_t i = 0, n;
		49	@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
		50	drop_privs();
		51	#endif
		52
		53	+#ifdef HAVE_CAPSICUM
		54	+ cap_rights_init(&rights);
		55	+
		56	+ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
		57	+ fprintf(stderr, "can't limit stdin");
		58	+ clean_exit(-1);
		59	+ }
		60	+
		61	+ if (cap_enter() < 0 && errno != ENOSYS) {
		62	+ fprintf(stderr, "Can't enter capability mode");
		63	+ clean_exit(-1);
		64	+ }
65	+#endif /* HAVE_CAPSICUM */
66	+
67	while (pcap_loop(pd, 0, (pcap_handler)process, 0));
68
69	clean_exit(0);