From 48c3985b3a85747a806f811a93364e17bec1d243 Mon Sep 17 00:00:00 2001 From: Jiri Popelka Date: Fri, 1 Jul 2011 15:20:42 +0200 Subject: [PATCH] Drop all capabilities in dhcpd/dhcrelay (#699713) --- dhcp-4.2.1-capability.patch | 178 -------------------- dhcp-4.2.2-PIE-RELRO.patch | 27 +-- dhcp-4.2.2-capability.patch | 323 ++++++++++++++++++++++++++++++++++++ dhcp.spec | 6 +- dhcp420-sharedlib.patch | 58 +++---- 5 files changed, 371 insertions(+), 221 deletions(-) delete mode 100644 dhcp-4.2.1-capability.patch create mode 100644 dhcp-4.2.2-capability.patch diff --git a/dhcp-4.2.1-capability.patch b/dhcp-4.2.1-capability.patch deleted file mode 100644 index cbd2fc5..0000000 --- a/dhcp-4.2.1-capability.patch +++ /dev/null @@ -1,178 +0,0 @@ -diff -up dhcp-4.2.1b1/client/dhclient.8.capability dhcp-4.2.1b1/client/dhclient.8 ---- dhcp-4.2.1b1/client/dhclient.8.capability 2011-01-28 08:05:51.000000000 +0100 -+++ dhcp-4.2.1b1/client/dhclient.8 2011-01-28 08:24:48.000000000 +0100 -@@ -115,6 +115,9 @@ dhclient - Dynamic Host Configuration Pr - .B -w - ] - [ -+.B -nc -+] -+[ - .B -B - ] - [ -@@ -293,6 +296,32 @@ has been added or removed, so that the c - address on that interface. - - .TP -+.BI \-nc -+Do not drop capabilities. -+ -+Normally, if -+.B dhclient -+was compiled with libcap-ng support, -+.B dhclient -+drops most capabilities immediately upon startup. While more secure, -+this greatly restricts the additional actions that hooks in -+.B dhclient-script (8) -+can take. (For example, any daemons that -+.B dhclient-script (8) -+starts or restarts will inherit the restricted capabilities as well, -+which may interfere with their correct operation.) Thus, the -+.BI \-nc -+option can be used to prevent -+.B dhclient -+from dropping capabilities. -+ -+The -+.BI \-nc -+option is ignored if -+.B dhclient -+was not compiled with libcap-ng support. -+ -+.TP - .BI \-B - Set the BOOTP broadcast flag in request packets so servers will always - broadcast replies. -diff -up dhcp-4.2.1b1/client/dhclient.c.capability dhcp-4.2.1b1/client/dhclient.c ---- dhcp-4.2.1b1/client/dhclient.c.capability 2011-01-28 08:05:51.000000000 +0100 -+++ dhcp-4.2.1b1/client/dhclient.c 2011-01-28 08:05:51.000000000 +0100 -@@ -39,6 +39,10 @@ - #include - #include - -+#ifdef HAVE_LIBCAP_NG -+#include -+#endif -+ - /* - * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define - * that when building ISC code. -@@ -91,6 +95,9 @@ int wanted_ia_ta = 0; - int wanted_ia_pd = 0; - char *mockup_relay = NULL; - int bootp_broadcast_always = 0; -+#ifdef HAVE_LIBCAP_NG -+static int keep_capabilities = 0; -+#endif - - extern u_int32_t default_requested_options[]; - -@@ -399,6 +406,10 @@ main(int argc, char **argv) { - } - - dhclient_request_options = argv[i]; -+ } else if (!strcmp(argv[i], "-nc")) { -+#ifdef HAVE_LIBCAP_NG -+ keep_capabilities = 1; -+#endif - } else if (argv[i][0] == '-') { - usage(); - } else if (interfaces_requested < 0) { -@@ -447,6 +458,19 @@ main(int argc, char **argv) { - path_dhclient_script = s; - } - -+#ifdef HAVE_LIBCAP_NG -+ /* Drop capabilities */ -+ if (!keep_capabilities) { -+ capng_clear(CAPNG_SELECT_CAPS); -+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, -+ CAP_DAC_OVERRIDE); // Drop this someday -+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, -+ CAP_NET_ADMIN, CAP_NET_RAW, -+ CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1); -+ capng_apply(CAPNG_SELECT_CAPS); -+ } -+#endif -+ - /* Set up the initial dhcp option universe. */ - initialize_common_option_spaces(); - -diff -up dhcp-4.2.1b1/client/dhclient-script.8.capability dhcp-4.2.1b1/client/dhclient-script.8 ---- dhcp-4.2.1b1/client/dhclient-script.8.capability 2011-01-28 08:05:51.000000000 +0100 -+++ dhcp-4.2.1b1/client/dhclient-script.8 2011-01-28 08:05:51.000000000 +0100 -@@ -239,6 +239,16 @@ repeatedly initialized to the values pro - the other. Assuming the information provided by both servers is - valid, this shouldn't cause any real problems, but it could be - confusing. -+.PP -+Normally, if dhclient was compiled with libcap-ng support, -+dhclient drops most capabilities immediately upon startup. -+While more secure, this greatly restricts the additional actions that -+hooks in dhclient-script can take. For example, any daemons that -+dhclient-script starts or restarts will inherit the restricted -+capabilities as well, which may interfere with their correct operation. -+Thus, the -+.BI \-nc -+option can be used to prevent dhclient from dropping capabilities. - .SH SEE ALSO - dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and - dhclient.leases(5). -diff -up dhcp-4.2.1b1/client/Makefile.am.capability dhcp-4.2.1b1/client/Makefile.am ---- dhcp-4.2.1b1/client/Makefile.am.capability 2010-09-15 00:32:36.000000000 +0200 -+++ dhcp-4.2.1b1/client/Makefile.am 2011-01-28 08:05:51.000000000 +0100 -@@ -5,7 +5,7 @@ dhclient_SOURCES = clparse.c dhclient.c - scripts/netbsd scripts/nextstep scripts/openbsd \ - scripts/solaris scripts/openwrt - dhclient_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ -- $(BIND9_LIBDIR) -ldns-export -lisc-export -+ $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) - man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5 - EXTRA_DIST = $(man_MANS) - -diff -up dhcp-4.2.1b1/configure.ac.capability dhcp-4.2.1b1/configure.ac ---- dhcp-4.2.1b1/configure.ac.capability 2011-01-28 08:05:51.000000000 +0100 -+++ dhcp-4.2.1b1/configure.ac 2011-01-28 08:26:11.000000000 +0100 -@@ -425,6 +425,41 @@ AC_TRY_LINK( - # Look for optional headers. - AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h) - -+# look for capabilities library -+AC_ARG_WITH(libcap-ng, -+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],, -+ with_libcap_ng=auto) -+ -+# Check for Libcap-ng API -+# -+# libcap-ng detection -+if test x$with_libcap_ng = xno ; then -+ have_libcap_ng=no; -+else -+ # Start by checking for header file -+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no) -+ -+ # See if we have libcap-ng library -+ AC_CHECK_LIB(cap-ng, capng_clear, -+ CAPNG_LDADD=-lcap-ng,) -+ -+ # Check results are usable -+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then -+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found) -+ fi -+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then -+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing) -+ fi -+fi -+AC_SUBST(CAPNG_LDADD) -+AC_MSG_CHECKING(whether to use libcap-ng) -+if test x$CAPNG_LDADD != x ; then -+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support]) -+ AC_MSG_RESULT(yes) -+else -+ AC_MSG_RESULT(no) -+fi -+ - # Solaris needs some libraries for functions - AC_SEARCH_LIBS(socket, [socket]) - AC_SEARCH_LIBS(inet_ntoa, [nsl]) diff --git a/dhcp-4.2.2-PIE-RELRO.patch b/dhcp-4.2.2-PIE-RELRO.patch index 0eb68b1..eb7ae4b 100644 --- a/dhcp-4.2.2-PIE-RELRO.patch +++ b/dhcp-4.2.2-PIE-RELRO.patch @@ -1,6 +1,6 @@ diff -up dhcp-4.2.2b1/bind/Makefile.PIE-RELRO dhcp-4.2.2b1/bind/Makefile --- dhcp-4.2.2b1/bind/Makefile.PIE-RELRO 2011-06-27 23:43:09.000000000 +0200 -+++ dhcp-4.2.2b1/bind/Makefile 2011-07-01 14:28:49.134674155 +0200 ++++ dhcp-4.2.2b1/bind/Makefile 2011-07-01 15:13:40.605394073 +0200 @@ -45,7 +45,7 @@ all: # Currently disable the epoll and devpoll options as they don't interact # well with the DHCP code. @@ -11,8 +11,8 @@ diff -up dhcp-4.2.2b1/bind/Makefile.PIE-RELRO dhcp-4.2.2b1/bind/Makefile # Build the export libraries @echo Building BIND Export libraries - this takes some time. diff -up dhcp-4.2.2b1/client/Makefile.am.PIE-RELRO dhcp-4.2.2b1/client/Makefile.am ---- dhcp-4.2.2b1/client/Makefile.am.PIE-RELRO 2011-07-01 14:26:36.995286194 +0200 -+++ dhcp-4.2.2b1/client/Makefile.am 2011-07-01 14:26:37.047285196 +0200 +--- dhcp-4.2.2b1/client/Makefile.am.PIE-RELRO 2011-07-01 15:13:40.554394544 +0200 ++++ dhcp-4.2.2b1/client/Makefile.am 2011-07-01 15:13:40.606394064 +0200 @@ -4,15 +4,11 @@ dhclient_SOURCES = clparse.c dhclient.c scripts/bsdos scripts/freebsd scripts/linux scripts/macos \ scripts/netbsd scripts/nextstep scripts/openbsd \ @@ -35,7 +35,7 @@ diff -up dhcp-4.2.2b1/client/Makefile.am.PIE-RELRO dhcp-4.2.2b1/client/Makefile. - -DLOCALSTATEDIR='"$(localstatedir)"' -c dhc6.c diff -up dhcp-4.2.2b1/common/Makefile.am.PIE-RELRO dhcp-4.2.2b1/common/Makefile.am --- dhcp-4.2.2b1/common/Makefile.am.PIE-RELRO 2011-02-18 19:44:42.000000000 +0100 -+++ dhcp-4.2.2b1/common/Makefile.am 2011-07-01 14:26:37.048285177 +0200 ++++ dhcp-4.2.2b1/common/Makefile.am 2011-07-01 15:13:40.606394064 +0200 @@ -1,5 +1,5 @@ AM_CPPFLAGS = -I.. -DLOCALSTATEDIR='"@localstatedir@"' -AM_CFLAGS = $(LDAP_CFLAGS) @@ -44,8 +44,8 @@ diff -up dhcp-4.2.2b1/common/Makefile.am.PIE-RELRO dhcp-4.2.2b1/common/Makefile. noinst_LIBRARIES = libdhcp.a libdhcp_a_SOURCES = alloc.c bpf.c comapi.c conflex.c ctrace.c discover.c \ diff -up dhcp-4.2.2b1/omapip/Makefile.am.PIE-RELRO dhcp-4.2.2b1/omapip/Makefile.am ---- dhcp-4.2.2b1/omapip/Makefile.am.PIE-RELRO 2011-07-01 14:26:36.884288319 +0200 -+++ dhcp-4.2.2b1/omapip/Makefile.am 2011-07-01 14:26:37.048285177 +0200 +--- dhcp-4.2.2b1/omapip/Makefile.am.PIE-RELRO 2011-07-01 15:13:40.425395732 +0200 ++++ dhcp-4.2.2b1/omapip/Makefile.am 2011-07-01 15:13:40.606394064 +0200 @@ -1,3 +1,5 @@ +AM_CFLAGS = -fpic + @@ -60,31 +60,32 @@ diff -up dhcp-4.2.2b1/omapip/Makefile.am.PIE-RELRO dhcp-4.2.2b1/omapip/Makefile. svtest_LDADD = libomapi.a $(BIND9_LIBDIR) -ldns-export -lisc-export diff -up dhcp-4.2.2b1/relay/Makefile.am.PIE-RELRO dhcp-4.2.2b1/relay/Makefile.am ---- dhcp-4.2.2b1/relay/Makefile.am.PIE-RELRO 2011-07-01 14:26:36.884288319 +0200 -+++ dhcp-4.2.2b1/relay/Makefile.am 2011-07-01 14:26:37.049285158 +0200 +--- dhcp-4.2.2b1/relay/Makefile.am.PIE-RELRO 2011-07-01 15:13:40.000000000 +0200 ++++ dhcp-4.2.2b1/relay/Makefile.am 2011-07-01 15:14:16.178059890 +0200 @@ -2,8 +2,11 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst sbin_PROGRAMS = dhcrelay dhcrelay_SOURCES = dhcrelay.c +dhcrelay_CFLAGS = -fpie dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ - $(BIND9_LIBDIR) -ldns-export -lisc-export + $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) +dhcrelay_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now + man_MANS = dhcrelay.8 EXTRA_DIST = $(man_MANS) diff -up dhcp-4.2.2b1/server/Makefile.am.PIE-RELRO dhcp-4.2.2b1/server/Makefile.am ---- dhcp-4.2.2b1/server/Makefile.am.PIE-RELRO 2011-07-01 14:26:36.885288300 +0200 -+++ dhcp-4.2.2b1/server/Makefile.am 2011-07-01 14:26:37.049285158 +0200 -@@ -6,9 +6,10 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c +--- dhcp-4.2.2b1/server/Makefile.am.PIE-RELRO 2011-07-01 15:13:40.000000000 +0200 ++++ dhcp-4.2.2b1/server/Makefile.am 2011-07-01 15:14:50.248728082 +0200 +@@ -6,10 +6,11 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c omapi.c mdb.c stables.c salloc.c ddns.c dhcpleasequery.c \ dhcpv6.c mdb6.c ldap.c ldap_casa.c -dhcpd_CFLAGS = $(LDAP_CFLAGS) +dhcpd_CFLAGS = $(LDAP_CFLAGS) -fpie dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ - ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export + ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export \ + $(CAPNG_LDADD) +dhcpd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5 diff --git a/dhcp-4.2.2-capability.patch b/dhcp-4.2.2-capability.patch new file mode 100644 index 0000000..115c40b --- /dev/null +++ b/dhcp-4.2.2-capability.patch @@ -0,0 +1,323 @@ +diff -up dhcp-4.2.2b1/client/dhclient.8.capability dhcp-4.2.2b1/client/dhclient.8 +--- dhcp-4.2.2b1/client/dhclient.8.capability 2011-07-01 15:09:06.603784531 +0200 ++++ dhcp-4.2.2b1/client/dhclient.8 2011-07-01 15:09:06.663783913 +0200 +@@ -118,6 +118,9 @@ dhclient - Dynamic Host Configuration Pr + .B -w + ] + [ ++.B -nc ++] ++[ + .B -B + ] + [ +@@ -296,6 +299,32 @@ has been added or removed, so that the c + address on that interface. + + .TP ++.BI \-nc ++Do not drop capabilities. ++ ++Normally, if ++.B dhclient ++was compiled with libcap-ng support, ++.B dhclient ++drops most capabilities immediately upon startup. While more secure, ++this greatly restricts the additional actions that hooks in ++.B dhclient-script (8) ++can take. (For example, any daemons that ++.B dhclient-script (8) ++starts or restarts will inherit the restricted capabilities as well, ++which may interfere with their correct operation.) Thus, the ++.BI \-nc ++option can be used to prevent ++.B dhclient ++from dropping capabilities. ++ ++The ++.BI \-nc ++option is ignored if ++.B dhclient ++was not compiled with libcap-ng support. ++ ++.TP + .BI \-B + Set the BOOTP broadcast flag in request packets so servers will always + broadcast replies. +diff -up dhcp-4.2.2b1/client/dhclient.c.capability dhcp-4.2.2b1/client/dhclient.c +--- dhcp-4.2.2b1/client/dhclient.c.capability 2011-07-01 15:09:06.644784107 +0200 ++++ dhcp-4.2.2b1/client/dhclient.c 2011-07-01 15:09:06.664783903 +0200 +@@ -39,6 +39,10 @@ + #include + #include + ++#ifdef HAVE_LIBCAP_NG ++#include ++#endif ++ + /* + * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define + * that when building ISC code. +@@ -141,6 +145,9 @@ main(int argc, char **argv) { + int timeout_arg = 0; + char *arg_conf = NULL; + int arg_conf_len = 0; ++#ifdef HAVE_LIBCAP_NG ++ int keep_capabilities = 0; ++#endif + + /* Initialize client globals. */ + memset(&default_duid, 0, sizeof(default_duid)); +@@ -410,6 +417,10 @@ main(int argc, char **argv) { + } + + dhclient_request_options = argv[i]; ++ } else if (!strcmp(argv[i], "-nc")) { ++#ifdef HAVE_LIBCAP_NG ++ keep_capabilities = 1; ++#endif + } else if (argv[i][0] == '-') { + usage(); + } else if (interfaces_requested < 0) { +@@ -458,6 +469,19 @@ main(int argc, char **argv) { + path_dhclient_script = s; + } + ++#ifdef HAVE_LIBCAP_NG ++ /* Drop capabilities */ ++ if (!keep_capabilities) { ++ capng_clear(CAPNG_SELECT_CAPS); ++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, ++ CAP_DAC_OVERRIDE); // Drop this someday ++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, ++ CAP_NET_ADMIN, CAP_NET_RAW, ++ CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1); ++ capng_apply(CAPNG_SELECT_CAPS); ++ } ++#endif ++ + /* Set up the initial dhcp option universe. */ + initialize_common_option_spaces(); + +diff -up dhcp-4.2.2b1/client/dhclient-script.8.capability dhcp-4.2.2b1/client/dhclient-script.8 +--- dhcp-4.2.2b1/client/dhclient-script.8.capability 2011-07-01 15:09:06.604784521 +0200 ++++ dhcp-4.2.2b1/client/dhclient-script.8 2011-07-01 15:09:06.666783883 +0200 +@@ -239,6 +239,16 @@ repeatedly initialized to the values pro + the other. Assuming the information provided by both servers is + valid, this shouldn't cause any real problems, but it could be + confusing. ++.PP ++Normally, if dhclient was compiled with libcap-ng support, ++dhclient drops most capabilities immediately upon startup. ++While more secure, this greatly restricts the additional actions that ++hooks in dhclient-script can take. For example, any daemons that ++dhclient-script starts or restarts will inherit the restricted ++capabilities as well, which may interfere with their correct operation. ++Thus, the ++.BI \-nc ++option can be used to prevent dhclient from dropping capabilities. + .SH SEE ALSO + dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and + dhclient.leases(5). +diff -up dhcp-4.2.2b1/client/Makefile.am.capability dhcp-4.2.2b1/client/Makefile.am +--- dhcp-4.2.2b1/client/Makefile.am.capability 2011-07-01 15:09:06.526785327 +0200 ++++ dhcp-4.2.2b1/client/Makefile.am 2011-07-01 15:09:06.667783873 +0200 +@@ -5,7 +5,7 @@ dhclient_SOURCES = clparse.c dhclient.c + scripts/netbsd scripts/nextstep scripts/openbsd \ + scripts/solaris scripts/openwrt + dhclient_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ +- $(BIND9_LIBDIR) -ldns-export -lisc-export ++ $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) + man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5 + EXTRA_DIST = $(man_MANS) + +diff -up dhcp-4.2.2b1/configure.ac.capability dhcp-4.2.2b1/configure.ac +--- dhcp-4.2.2b1/configure.ac.capability 2011-07-01 15:09:06.527785317 +0200 ++++ dhcp-4.2.2b1/configure.ac 2011-07-01 15:09:06.667783873 +0200 +@@ -449,6 +449,41 @@ AC_TRY_LINK( + # Look for optional headers. + AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h) + ++# look for capabilities library ++AC_ARG_WITH(libcap-ng, ++ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],, ++ with_libcap_ng=auto) ++ ++# Check for Libcap-ng API ++# ++# libcap-ng detection ++if test x$with_libcap_ng = xno ; then ++ have_libcap_ng=no; ++else ++ # Start by checking for header file ++ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no) ++ ++ # See if we have libcap-ng library ++ AC_CHECK_LIB(cap-ng, capng_clear, ++ CAPNG_LDADD=-lcap-ng,) ++ ++ # Check results are usable ++ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then ++ AC_MSG_ERROR(libcap-ng support was requested and the library was not found) ++ fi ++ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then ++ AC_MSG_ERROR(libcap-ng libraries found but headers are missing) ++ fi ++fi ++AC_SUBST(CAPNG_LDADD) ++AC_MSG_CHECKING(whether to use libcap-ng) ++if test x$CAPNG_LDADD != x ; then ++ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support]) ++ AC_MSG_RESULT(yes) ++else ++ AC_MSG_RESULT(no) ++fi ++ + # Solaris needs some libraries for functions + AC_SEARCH_LIBS(socket, [socket]) + AC_SEARCH_LIBS(inet_ntoa, [nsl]) +diff -up dhcp-4.2.2b1/relay/dhcrelay.c.capability dhcp-4.2.2b1/relay/dhcrelay.c +--- dhcp-4.2.2b1/relay/dhcrelay.c.capability 2011-07-01 15:09:06.626784295 +0200 ++++ dhcp-4.2.2b1/relay/dhcrelay.c 2011-07-01 15:12:05.362223794 +0200 +@@ -36,6 +36,11 @@ + #include + #include + ++#ifdef HAVE_LIBCAP_NG ++# include ++ int keep_capabilities = 0; ++#endif ++ + TIME default_lease_time = 43200; /* 12 hours... */ + TIME max_lease_time = 86400; /* 24 hours... */ + struct tree_cache *global_options[256]; +@@ -356,6 +361,10 @@ main(int argc, char **argv) { + sl->next = upstreams; + upstreams = sl; + #endif ++ } else if (!strcmp(argv[i], "-nc")) { ++#ifdef HAVE_LIBCAP_NG ++ keep_capabilities = 1; ++#endif + } else if (!strcmp(argv[i], "-pf")) { + if (++i == argc) + usage(); +@@ -426,6 +435,17 @@ main(int argc, char **argv) { + #endif + } + ++#ifdef HAVE_LIBCAP_NG ++ /* Drop capabilities */ ++ if (!keep_capabilities) { ++ capng_clear(CAPNG_SELECT_BOTH); ++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, ++ CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1); ++ capng_apply(CAPNG_SELECT_BOTH); ++ log_debug ("Dropped all unnecessary capabilities."); ++ } ++#endif ++ + if (!quiet) { + log_info("%s %s", message, PACKAGE_VERSION); + log_info(copyright); +@@ -573,6 +593,15 @@ main(int argc, char **argv) { + dhcpv6_packet_handler = do_packet6; + #endif + ++#ifdef HAVE_LIBCAP_NG ++ /* Drop all capabilities */ ++ if (!keep_capabilities) { ++ capng_clear(CAPNG_SELECT_BOTH); ++ capng_apply(CAPNG_SELECT_BOTH); ++ log_debug ("Dropped all capabilities."); ++ } ++#endif ++ + /* Start dispatching packets and timeouts... */ + dispatch(); + +diff -up dhcp-4.2.2b1/relay/Makefile.am.capability dhcp-4.2.2b1/relay/Makefile.am +--- dhcp-4.2.2b1/relay/Makefile.am.capability 2011-07-01 15:09:06.546785121 +0200 ++++ dhcp-4.2.2b1/relay/Makefile.am 2011-07-01 15:09:06.670783841 +0200 +@@ -3,7 +3,7 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst + sbin_PROGRAMS = dhcrelay + dhcrelay_SOURCES = dhcrelay.c + dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ +- $(BIND9_LIBDIR) -ldns-export -lisc-export ++ $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) + man_MANS = dhcrelay.8 + EXTRA_DIST = $(man_MANS) + +diff -up dhcp-4.2.2b1/server/dhcpd.c.capability dhcp-4.2.2b1/server/dhcpd.c +--- dhcp-4.2.2b1/server/dhcpd.c.capability 2011-07-01 15:09:06.636784192 +0200 ++++ dhcp-4.2.2b1/server/dhcpd.c 2011-07-01 15:09:06.670783841 +0200 +@@ -58,6 +58,11 @@ static const char url [] = + # undef group + #endif /* PARANOIA */ + ++#ifdef HAVE_LIBCAP_NG ++# include ++ int keep_capabilities = 0; ++#endif ++ + static void usage(void); + + struct iaddr server_identifier; +@@ -403,6 +408,10 @@ main(int argc, char **argv) { + traceinfile = argv [i]; + trace_replay_init (); + #endif /* TRACING */ ++ } else if (!strcmp(argv[i], "-nc")) { ++#ifdef HAVE_LIBCAP_NG ++ keep_capabilities = 1; ++#endif + } else if (argv [i][0] == '-') { + usage (); + } else { +@@ -459,6 +468,17 @@ main(int argc, char **argv) { + } + #endif /* DHCPv6 */ + ++#ifdef HAVE_LIBCAP_NG ++ /* Drop capabilities */ ++ if (!keep_capabilities) { ++ capng_clear(CAPNG_SELECT_BOTH); ++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, ++ CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1); ++ capng_apply(CAPNG_SELECT_BOTH); ++ log_debug ("Dropped all unnecessary capabilities."); ++ } ++#endif ++ + /* + * convert relative path names to absolute, for files that need + * to be reopened after chdir() has been called +@@ -859,6 +879,15 @@ main(int argc, char **argv) { + omapi_set_int_value ((omapi_object_t *)dhcp_control_object, + (omapi_object_t *)0, "state", server_running); + ++#ifdef HAVE_LIBCAP_NG ++ /* Drop all capabilities */ ++ if (!keep_capabilities) { ++ capng_clear(CAPNG_SELECT_BOTH); ++ capng_apply(CAPNG_SELECT_BOTH); ++ log_debug ("Dropped all capabilities."); ++ } ++#endif ++ + /* Receive packets and dispatch them... */ + dispatch (); + +diff -up dhcp-4.2.2b1/server/Makefile.am.capability dhcp-4.2.2b1/server/Makefile.am +--- dhcp-4.2.2b1/server/Makefile.am.capability 2011-07-01 15:09:06.546785121 +0200 ++++ dhcp-4.2.2b1/server/Makefile.am 2011-07-01 15:09:06.671783830 +0200 +@@ -8,7 +8,8 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c + + dhcpd_CFLAGS = $(LDAP_CFLAGS) + dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ +- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export ++ ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export \ ++ $(CAPNG_LDADD) + + man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5 + EXTRA_DIST = $(man_MANS) diff --git a/dhcp.spec b/dhcp.spec index bedd73c..259548c 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -54,7 +54,7 @@ Patch14: dhcp-4.2.0-garbage-chars.patch Patch15: dhcp-4.2.0-missing-ipv6-not-fatal.patch Patch17: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.2.1-64_bit_lease_parse.patch -Patch19: dhcp-4.2.1-capability.patch +Patch19: dhcp-4.2.2-capability.patch Patch20: dhcp-4.2.0-logpid.patch Patch21: dhcp-4.2.0-UseMulticast.patch Patch22: dhcp-4.2.1-sendDecline.patch @@ -251,7 +251,8 @@ rm bind/bind.tar.gz # (Partly submitted to dhcp-bugs@isc.org - [ISC-Bugs #22033]) %patch18 -p1 -b .64-bit_lease_parse -# Drop unnecessary capabilities in dhclient (#517649, #546765) +# Drop unnecessary capabilities in +# dhclient (#517649, #546765), dhcpd/dhcrelay (#699713) %patch19 -p1 -b .capability # dhclient logs its pid to make troubleshooting NM managed systems @@ -649,6 +650,7 @@ fi %changelog * Fri Jul 01 2011 Jiri Popelka - 12:4.2.2-0.1.b1 - 4.2.2b1: upstream merged initialization-delay.patch +- Drop all capabilities in dhcpd/dhcrelay (#699713) * Fri Jun 17 2011 Jiri Popelka - 12:4.2.1-12.P1 - Removed upstream-merged IFNAMSIZ.patch diff --git a/dhcp420-sharedlib.patch b/dhcp420-sharedlib.patch index 6ed8ea5..749bef6 100644 --- a/dhcp420-sharedlib.patch +++ b/dhcp420-sharedlib.patch @@ -1,6 +1,6 @@ -diff -up dhcp-4.2.0/client/Makefile.am.sharedlib dhcp-4.2.0/client/Makefile.am ---- dhcp-4.2.0/client/Makefile.am.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/client/Makefile.am 2010-10-01 14:22:36.030002772 +0200 +diff -up dhcp-4.2.1-P1/client/Makefile.am.sharedlib dhcp-4.2.1-P1/client/Makefile.am +--- dhcp-4.2.1-P1/client/Makefile.am.sharedlib 2011-06-30 17:04:29.476676590 +0200 ++++ dhcp-4.2.1-P1/client/Makefile.am 2011-06-30 17:04:29.488676414 +0200 @@ -6,7 +6,7 @@ dhclient_SOURCES = clparse.c dhclient.c scripts/solaris scripts/openwrt dhclient_CPPFLAGS = -DCLIENT_PATH='"$(sbindir)"' -DLOCALSTATEDIR='"$(localstatedir)"' @@ -10,9 +10,9 @@ diff -up dhcp-4.2.0/client/Makefile.am.sharedlib dhcp-4.2.0/client/Makefile.am $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) dhclient_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -diff -up dhcp-4.2.0/configure.ac.sharedlib dhcp-4.2.0/configure.ac ---- dhcp-4.2.0/configure.ac.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/configure.ac 2010-10-01 14:22:36.060002772 +0200 +diff -up dhcp-4.2.1-P1/configure.ac.sharedlib dhcp-4.2.1-P1/configure.ac +--- dhcp-4.2.1-P1/configure.ac.sharedlib 2011-06-30 17:04:29.428677294 +0200 ++++ dhcp-4.2.1-P1/configure.ac 2011-06-30 17:04:29.707673194 +0200 @@ -30,7 +30,8 @@ fi # Use this to define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. AC_USE_SYSTEM_EXTENSIONS @@ -23,9 +23,9 @@ diff -up dhcp-4.2.0/configure.ac.sharedlib dhcp-4.2.0/configure.ac AC_CONFIG_HEADERS([includes/config.h]) # we sometimes need to know byte order for building packets -diff -up dhcp-4.2.0/dhcpctl/Makefile.am.sharedlib dhcp-4.2.0/dhcpctl/Makefile.am ---- dhcp-4.2.0/dhcpctl/Makefile.am.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/dhcpctl/Makefile.am 2010-10-01 14:22:36.030002772 +0200 +diff -up dhcp-4.2.1-P1/dhcpctl/Makefile.am.sharedlib dhcp-4.2.1-P1/dhcpctl/Makefile.am +--- dhcp-4.2.1-P1/dhcpctl/Makefile.am.sharedlib 2011-06-30 17:04:29.311679013 +0200 ++++ dhcp-4.2.1-P1/dhcpctl/Makefile.am 2011-06-30 17:04:29.489676399 +0200 @@ -1,15 +1,15 @@ bin_PROGRAMS = omshell -lib_LIBRARIES = libdhcpctl.a @@ -46,9 +46,9 @@ diff -up dhcp-4.2.0/dhcpctl/Makefile.am.sharedlib dhcp-4.2.0/dhcpctl/Makefile.am -cltest_LDADD = libdhcpctl.a ../common/libdhcp.a ../omapip/libomapi.a \ +cltest_LDADD = libdhcpctl.la ../common/libdhcp.a ../omapip/libomapi.la \ $(BIND9_LIBDIR) -ldns-export -lisc-export -diff -up dhcp-4.2.0/dst/base64.c.sharedlib dhcp-4.2.0/dst/base64.c ---- dhcp-4.2.0/dst/base64.c.sharedlib 2010-10-01 14:27:18.280002774 +0200 -+++ dhcp-4.2.0/dst/base64.c 2010-10-01 14:28:10.650002773 +0200 +diff -up dhcp-4.2.1-P1/dst/base64.c.sharedlib dhcp-4.2.1-P1/dst/base64.c +--- dhcp-4.2.1-P1/dst/base64.c.sharedlib 2009-11-20 02:49:01.000000000 +0100 ++++ dhcp-4.2.1-P1/dst/base64.c 2011-06-30 17:04:29.489676399 +0200 @@ -64,6 +64,7 @@ static const char rcsid[] = "$Id: base64 #include @@ -57,9 +57,9 @@ diff -up dhcp-4.2.0/dst/base64.c.sharedlib dhcp-4.2.0/dst/base64.c #include "cdefs.h" #include "osdep.h" #include "arpa/nameser.h" -diff -up dhcp-4.2.0/dst/Makefile.am.sharedlib dhcp-4.2.0/dst/Makefile.am ---- dhcp-4.2.0/dst/Makefile.am.sharedlib 2007-05-29 18:32:10.000000000 +0200 -+++ dhcp-4.2.0/dst/Makefile.am 2010-10-01 14:22:36.030002772 +0200 +diff -up dhcp-4.2.1-P1/dst/Makefile.am.sharedlib dhcp-4.2.1-P1/dst/Makefile.am +--- dhcp-4.2.1-P1/dst/Makefile.am.sharedlib 2007-05-29 18:32:10.000000000 +0200 ++++ dhcp-4.2.1-P1/dst/Makefile.am 2011-06-30 17:04:29.490676384 +0200 @@ -1,8 +1,8 @@ AM_CPPFLAGS = -DMINIRES_LIB -DHMAC_MD5 @@ -71,9 +71,9 @@ diff -up dhcp-4.2.0/dst/Makefile.am.sharedlib dhcp-4.2.0/dst/Makefile.am base64.c prandom.c EXTRA_DIST = dst_internal.h md5.h md5_locl.h -diff -up dhcp-4.2.0/omapip/Makefile.am.sharedlib dhcp-4.2.0/omapip/Makefile.am ---- dhcp-4.2.0/omapip/Makefile.am.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/omapip/Makefile.am 2010-10-01 14:22:36.030002772 +0200 +diff -up dhcp-4.2.1-P1/omapip/Makefile.am.sharedlib dhcp-4.2.1-P1/omapip/Makefile.am +--- dhcp-4.2.1-P1/omapip/Makefile.am.sharedlib 2011-06-30 17:04:29.477676575 +0200 ++++ dhcp-4.2.1-P1/omapip/Makefile.am 2011-06-30 17:04:29.490676384 +0200 @@ -1,9 +1,9 @@ AM_CFLAGS = -fpic @@ -93,29 +93,31 @@ diff -up dhcp-4.2.0/omapip/Makefile.am.sharedlib dhcp-4.2.0/omapip/Makefile.am -svtest_LDADD = libomapi.a $(BIND9_LIBDIR) -ldns-export -lisc-export +svtest_LDADD = libomapi.la $(BIND9_LIBDIR) -ldns-export -lisc-export -diff -up dhcp-4.2.0/relay/Makefile.am.sharedlib dhcp-4.2.0/relay/Makefile.am ---- dhcp-4.2.0/relay/Makefile.am.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/relay/Makefile.am 2010-10-01 14:22:36.030002772 +0200 +diff -up dhcp-4.2.1-P1/relay/Makefile.am.sharedlib dhcp-4.2.1-P1/relay/Makefile.am +--- dhcp-4.2.1-P1/relay/Makefile.am.sharedlib 2011-06-30 17:04:29.478676560 +0200 ++++ dhcp-4.2.1-P1/relay/Makefile.am 2011-06-30 17:04:29.490676384 +0200 @@ -3,7 +3,7 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst sbin_PROGRAMS = dhcrelay dhcrelay_SOURCES = dhcrelay.c dhcrelay_CFLAGS = -fpie -dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ +dhcrelay_LDADD = ../common/libdhcp.a ../omapip/libomapi.la \ - $(BIND9_LIBDIR) -ldns-export -lisc-export + $(BIND9_LIBDIR) -ldns-export -lisc-export $(CAPNG_LDADD) dhcrelay_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -diff -up dhcp-4.2.0/server/Makefile.am.sharedlib dhcp-4.2.0/server/Makefile.am ---- dhcp-4.2.0/server/Makefile.am.sharedlib 2010-10-01 14:22:36.020002772 +0200 -+++ dhcp-4.2.0/server/Makefile.am 2010-10-01 14:22:36.030002772 +0200 -@@ -7,8 +7,8 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c +diff -up dhcp-4.2.1-P1/server/Makefile.am.sharedlib dhcp-4.2.1-P1/server/Makefile.am +--- dhcp-4.2.1-P1/server/Makefile.am.sharedlib 2011-06-30 17:04:29.478676560 +0200 ++++ dhcp-4.2.1-P1/server/Makefile.am 2011-06-30 17:06:32.831862566 +0200 +@@ -7,9 +7,9 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c dhcpv6.c mdb6.c ldap.c ldap_casa.c dhcpd_CFLAGS = $(LDAP_CFLAGS) -fpie -dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ -- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export +- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export \ +- $(CAPNG_LDADD) +dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.la \ -+ ../dhcpctl/libdhcpctl.la $(BIND9_LIBDIR) -ldns-export -lisc-export ++ ../dhcpctl/libdhcpctl.la $(BIND9_LIBDIR) \ ++ -ldns-export -lisc-export $(CAPNG_LDADD) dhcpd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5