rpms/firewalld
5
0
Fork 0
Code Issues Pull Requests Releases Activity

rebase to v1.1.1

Browse Source 
Resolves: rhbz 2040689
Resolves: rhbz 2039542
This commit is contained in:
Eric Garver 2022-05-16 13:34:05 -04:00
parent 3b53f39161
commit 11f401c43c
6 changed files with 7 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -66,3 +66,4 @@
/firewalld-0.9.3.tar.gz
/firewalld-1.0.0-alpha.tar.gz
/firewalld-1.0.0.tar.gz
/firewalld-1.1.1.tar.gz

54
0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch
View File

@ -1,54 +0,0 @@
From 09cdc166ddfe53b6e8ce3a2920f798320c170b7f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 11 Aug 2021 14:47:59 -0400
Subject: [PATCH 2/3] fix(firewalld): keep linux capability CAP_SYS_MODULE
When firewalld calls ip6tables it may implicitly load the ip6_tables, et
al kernel modules. As such we need to retain CAP_SYS_MODULE so that
implicit module is allowed. Otherwise we get EPERM from the kernel.
This only affects the -legacy variants and the top level table/chain
modules. The userspace binaries will modprobe the kernel modules.
Extensions, e.g. xt_conntrack, are implicitly loaded by the kernel based
on the rules being added and thus not subject to linux capabilities
checks.
The -nft variants are unaffected because they use the nftables
infrastructure which has implicit module loading in the kernel similar
to the iptables extensions (xt_* modules).
Fixes: rhbz 1990271
Fixes: fb0532e8a200 ("feat(firewalld): drop linux capabilities")
(cherry picked from commit 13801962073f478c68d818b314091badcf8b5614)
(cherry picked from commit d3cd7e088f946c75593b0569bd658266b2e9329d)
---
src/firewalld.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/firewalld.in b/src/firewalld.in
index abcbe3508f86..b1c886c6f02f 100755
--- a/src/firewalld.in
+++ b/src/firewalld.in
@@ -136,6 +136,7 @@ def startup(args):
# attempt to drop Linux capabilities to a minimal set:
# - CAP_NET_ADMIN
# - CAP_NET_RAW
+ # - CAP_SYS_MODULE
try:
import capng
capng.capng_clear(capng.CAPNG_SELECT_BOTH)
@@ -143,8 +144,10 @@ def startup(args):
capng.CAP_NET_ADMIN)
capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
capng.CAP_NET_RAW)
+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
+ capng.CAP_SYS_MODULE)
capng.capng_apply(capng.CAPNG_SELECT_BOTH)
- log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW.")
+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
except ImportError:
pass
--
2.31.1

48
0003-fix-firewalld-check-capng_apply-return-code.patch
View File

@ -1,48 +0,0 @@
From 4a627847d36afedfca20026fb763fbb71005b92f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 30 Aug 2021 13:24:47 -0400
Subject: [PATCH 3/3] fix(firewalld): check capng_apply() return code
If dropping capabilities is blocked by SELinux, e.g. old selinux-policy,
then capng_apply() will return non-zero. Also check other things that
may fail, i.e. capng_update().
Fixes: rhbz 1999090
(cherry picked from commit 36749f512bbcfc55f0e9e46354009073941d7363)
(cherry picked from commit cf7f3320c78a8b3f2b8f22779c5747f113d25c57)
---
src/firewalld.in | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/firewalld.in b/src/firewalld.in
index b1c886c6f02f..38331a0b49a9 100755
--- a/src/firewalld.in
+++ b/src/firewalld.in
@@ -140,14 +140,16 @@ def startup(args):
try:
import capng
capng.capng_clear(capng.CAPNG_SELECT_BOTH)
- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
- capng.CAP_NET_ADMIN)
- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
- capng.CAP_NET_RAW)
- capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
- capng.CAP_SYS_MODULE)
- capng.capng_apply(capng.CAPNG_SELECT_BOTH)
- log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
+ if capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
+ capng.CAP_NET_ADMIN) or \
+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
+ capng.CAP_NET_RAW) or \
+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
+ capng.CAP_SYS_MODULE) or \
+ capng.capng_apply(capng.CAPNG_SELECT_BOTH):
+ log.info(log.INFO1, "libcap-ng failed to drop Linux capabilities.")
+ else:
+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
except ImportError:
pass
--
2.31.1

40
firewalld-0.2.6-MDNS-default.patch
View File

@ -1,40 +0,0 @@
From 0e9306e9df41142503b4efc90032043183a3cb7b Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones
* MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.
* Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.
* See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
---
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
2 files changed, 2 insertions(+)
diff --git a/config/zones/public.xml b/config/zones/public.xml
index 929ad72..a56e95c 100644
--- a/config/zones/public.xml
+++ b/config/zones/public.xml
@@ -3,5 +3,6 @@
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
</zone>
diff --git a/config/zones/work.xml b/config/zones/work.xml
index 7e750fc..77f13c8 100644
--- a/config/zones/work.xml
+++ b/config/zones/work.xml
@@ -3,5 +3,6 @@
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
</zone>
--
1.7.11.2

9
firewalld.spec
View File

@ -1,13 +1,11 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 1.0.0
Release: 4%{?dist}
Version: 1.1.1
Release: 1%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-fix-firewalld-keep-linux-capability-CAP_SYS_MODULE.patch
Patch3: 0003-fix-firewalld-check-capng_apply-return-code.patch
BuildArch: noarch
BuildRequires: autoconf
BuildRequires: automake
@ -229,6 +227,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
%{_mandir}/man1/firewall-config*.1*
%changelog
* Mon May 16 2022 Eric Garver <egarver@redhat.com> - 1.1.1-1
- package rebase to v1.1.1
* Mon Nov 22 2021 Eric Garver <egarver@redhat.com> - 1.0.0-4
- fix(firewalld): check capng_apply() return code

2
sources
View File

@ -1 +1 @@
SHA512 (firewalld-1.0.0.tar.gz) = 4c541453fde3012b9a2cc885f6dcf3dc3ca7c5c6292f365f8b75c262fa7a1bb81a280392c5d7dc0c5ff1a4141ff47d63e9a766784c59f03f918d3e45500fc3c4
SHA512 (firewalld-1.1.1.tar.gz) = d869e40ffba2687e8aa56d6c6b4440d183ad5a61f5288824794737cb617b91bf83a8198256834c93baa432efc70ebfc36fd068dccd4f46f391fcfac909f6ef1f