FreeBSD Bugzilla – Attachment 150499 Details for
Bug 195910
net/ngrep: Add capsicum sandboxing support
[patch]
capsicum for ngrep
port_ngrep.diff_2 (text/plain), 5.25 KB, created by
logan
on 2014-12-12 03:59:46 UTC
Description:
capsicum for ngrep
Filename:
MIME Type:
Creator:
logan
Created:
2014-12-12 03:59:46 UTC
Size:
5.25 KB
patch
obsolete
>Index: Makefile
>===================================================================
>--- Makefile (revision 374537)
>+++ Makefile (working copy)
>@@ -13,13 +13,15 @@
> WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
> USES= gmake tar:bzip2
> GNU_CONFIGURE= yes
>+USE_AUTOTOOLS= autoconf
> CONFIGURE_ARGS= --disable-pcap-restart
> MAKE_JOBS_UNSAFE= yes
>
>-OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS
>-OPTIONS_DEFAULT= PCRE IPV6
>+OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS CAPSICUM
>+OPTIONS_DEFAULT= PCRE IPV6 CAPSICUM
> PCRE_DESC= Use PCRE instead of GNU regex
> PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP
>+CAPSICUM_DESC= Build with capsicum if kernel supports it
>
> PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz
>
>@@ -43,6 +45,10 @@
> CONFIGURE_ARGS+= --enable-ipv6
> .endif
>
>+.if ${PORT_OPTIONS:CAPSICUM}
>+CONFIGURE_ARGS+= --enable-capsicum
>+.endif
>+
> post-patch:
> .if ${PORT_OPTIONS:MPORTS_PCAP}
> @${REINPLACE_CMD} -e "s|-lpcap|${LOCALBASE}/lib/libpcap.a|g" \
>Index: files/patch-Configure.in
>===================================================================
>--- files/patch-Configure.in (revision 0)
>+++ files/patch-Configure.in (working copy)
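Review bot: The new conditional in the second Makefile hunk, `.if ${PORT_OPTIONS:CAPSICUM}`, lacks the `M` match modifier that the neighbouring `.if ${PORT_OPTIONS:MPORTS_PCAP}` uses, so make does not evaluate it as an option-membership test. As written, `--enable-capsicum` may never reach configure (whose default in this attachment is `use_capsicum="no"`), or the expression may be rejected outright, and the port would then build without the sandbox even though the first hunk puts CAPSICUM in OPTIONS_DEFAULT. It should read `.if ${PORT_OPTIONS:MCAPSICUM}`. After the fix, checking that the configure output reports "whether to sandbox using capsicum... yes" confirms the option really takes effect.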
>@@ -0,0 +1,45 @@
>+--- configure.in.orig 2006-11-15 07:43:56.000000000 +0400
>++++ configure.in 2014-12-12 00:01:00.000000000 +0400
>+@@ -110,6 +110,34 @@ else
>+ USE_IPv6="0"
>+ fi
>+
>++AC_ARG_ENABLE(capsicum,
>++[ --enable-capsicum enable capsicum support],
>++[
>++ use_capsicum="$enableval"
>++],
>++[
>++ use_capsicum="no"
>++])
>++
>++#
>++# Check whether various functions are available. If any are, set
>++# ac_lbl_capsicum_function_seen to yes; if any are not, set
>++# ac_lbl_capsicum_function_not_seen to yes.
>++#
>++# All of them must be available in order to enable capsicum sandboxing.
>++#
>++if test $use_capsicum = yes && test $use_capsicum != no ; then
>++ AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
>++ ac_lbl_capsicum_function_seen=yes,
>++ ac_lbl_capsicum_function_not_seen=yes)
>++fi
>++AC_MSG_CHECKING([whether to sandbox using capsicum])
>++if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
>++ HAVE_CAPSICUM="1"
>++ AC_MSG_RESULT(yes)
>++else
>++ AC_MSG_RESULT(no)
>++fi
>+
>+ dnl
>+ dnl Configure the regular expression library.
>+@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,
>+
>+ AC_DEFINE_UNQUOTED(USE_PCRE, $USE_PCRE, [whether to use PCRE (default GNU Regex)])
>+ AC_DEFINE_UNQUOTED(USE_IPv6, $USE_IPv6, [whether to use IPv6 (default off)])
>++AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, [whether to use capsicum])
>+
>+ AC_DEFINE_UNQUOTED(USE_DROPPRIVS, $USE_DROPPRIVS, [whether to use privileges dropping (default yes)])
>+ AC_DEFINE_UNQUOTED(DROPPRIVS_USER, "$DROPPRIVS_USER", [pseudo-user for running ngrep (default "nobody")])
>
>Property changes on: files/patch-Configure.in
>___________________________________________________________________
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
>Index: files/patch-ngrep.c
>===================================================================
>--- files/patch-ngrep.c (revision 0)
>+++ files/patch-ngrep.c (working copy)
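Review bot: `AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, ...)` in the second configure.in hunk runs unconditionally, while `HAVE_CAPSICUM` is assigned only in the `yes` branch of the check added by the first hunk, so on the `no` path the macro still appears to be defined, just with an empty value. The ngrep.c patch in this attachment guards the sandbox code with `#ifdef HAVE_CAPSICUM`, which would then be true whether or not the functions were found or the option was enabled. Defining the macro only on success, e.g. `AC_DEFINE(HAVE_CAPSICUM, 1, [whether to use capsicum])` next to `AC_MSG_RESULT(yes)`, keeps the guard in step with the check. Separately, `test $use_capsicum = yes && test $use_capsicum != no` is redundant and unquoted; `test "x$use_capsicum" = "xyes"` expresses the same condition.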
>@@ -0,0 +1,61 @@
>+--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
>++++ ngrep.c 2014-12-12 00:38:24.000000000 +0400
>+@@ -97,6 +97,10 @@
>+ #include "regex-0.12/regex.h"
>+ #endif
>+
>++#ifdef HAVE_CAPSICUM
>++#include <sys/capability.h>
>++#endif /* HAVE CAPSICUM */
>++
>+ #include "ngrep.h"
>+
>+
>+@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
>+ int main(int argc, char **argv) {
>+ int32_t c;
>+
>++#ifdef HAVE_CAPSICUM
>++ cap_rights_t rights;
>++#endif /* HAVE_CAPSICUM */
>++
>+ signal(SIGINT, clean_exit);
>+ signal(SIGABRT, clean_exit);
>+
>+@@ -416,6 +424,15 @@ int main(int argc, char **argv) {
>+ clean_exit(-1);
>+ }
>+
>++#ifdef HAVE_CAPSICUM
>++ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
>++ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
>++ errno != ENOSYS) {
>++ fprintf(stderr, "unable to limit pcap descriptor");
>++ clean_exit(-1);
>++ }
>++#endif /* HAVE CAPSICUM */
>++
>+ if (match_data) {
>+ if (bin_match) {
>+ uint32_t i = 0, n;
>+@@ -603,6 +620,20 @@ int main(int argc, char **argv) {
>+ drop_privs();
>+ #endif
>+
>++#ifdef HAVE_CAPSICUM
>++ cap_rights_init(&rights);
>++
>++ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
>++ fprintf(stderr, "can't limit stdin");
>++ clean_exit(-1);
>++ }
>++
>++ if (cap_enter() < 0 && errno != ENOSYS) {
>++ fprintf(stderr, "Can't enter capability mode");
>++ clean_exit(-1);
>++ }
>++#endif /* HAVE_CAPSICUM */
>++
>+ while (pcap_loop(pd, 0, (pcap_handler)process, 0));
>+
>+ clean_exit(0);
>
>Property changes on: files/patch-ngrep.c
>___________________________________________________________________
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
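Review bot: The pcap descriptor is limited to `CAP_IOCTL, CAP_READ` in the `@@ -416,6 +424,15 @@` hunk, but the ioctl set is never narrowed with `cap_ioctls_limit()`, even though configure.in checks for that function; every ioctl the descriptor supports therefore stays available after `cap_enter()`. A follow-up such as `static const unsigned long cmds[] = { BIOCGSTATS };` with `cap_ioctls_limit(pcap_fileno(pd), cmds, sizeof(cmds) / sizeof(cmds[0]))` would close that gap, once the ioctls libpcap still issues after this point have been confirmed (BIOCGSTATS is presumably needed if packet statistics are read at exit). In the last hunk only stdin is restricted before `cap_enter()`; stdout and stderr keep their full rights and could be limited to writing in the same way. The last three hunks sit inside `main`, whose body extends beyond the lines shown, and the `/* HAVE CAPSICUM */` trailers should be spelled like the macro, `HAVE_CAPSICUM`.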