iputils/iputils-20101006-drop_caps.patch

diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
--- iputils-s20101006/Makefile.drop_caps	2010-11-08 14:49:53.334577997 +0100
+++ iputils-s20101006/Makefile	2010-11-08 14:49:53.342599113 +0100
@@ -13,7 +13,7 @@ ADDLIB=
 CC=gcc
 # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
 CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
 CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
 
 IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
 arping: arping.o
 
 ping: ping.o ping_common.o
-	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
 
 ping6: ping6.o ping_common.o
-	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
 
 ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
 tftpd.o tftpsubs.o: tftp.h
diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
--- iputils-s20101006/ping6.c.drop_caps	2010-11-08 14:49:53.338587611 +0100
+++ iputils-s20101006/ping6.c	2010-12-15 16:06:16.949794002 +0100
@@ -73,6 +73,10 @@ char copyright[] =
 #include <netinet/icmp6.h>
 #include <resolv.h>
 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
 #include "ping6_niquery.h"
 #include "in6_flowlabel.h"
 
@@ -533,6 +537,9 @@ int main(int argc, char *argv[])
 	int csum_offset, sz_opt;
 #endif
 	static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
 
 	icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
 	socket_errno = errno;
@@ -543,6 +550,16 @@ int main(int argc, char *argv[])
 		exit(-1);
 	}
 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
 	source.sin6_family = AF_INET6;
 	memset(&firsthop, 0, sizeof(firsthop));
 	firsthop.sin6_family = AF_INET6;
diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
--- iputils-s20101006/ping.c.drop_caps	2010-11-08 14:49:53.314577272 +0100
+++ iputils-s20101006/ping.c	2010-12-15 16:05:52.113794002 +0100
@@ -66,6 +66,10 @@ char copyright[] =
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
 #ifndef ICMP_FILTER
 #define ICMP_FILTER	1
 struct icmp_filter {
@@ -125,6 +129,9 @@ main(int argc, char **argv)
 	u_char *packet;
 	char *target, hnamebuf[MAX_HOSTNAMELEN];
 	char rspace[3 + 4 * NROUTES + 1];	/* record route space */
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
 
 	char *idn;
 	int rc = 0;
@@ -139,6 +146,16 @@ main(int argc, char **argv)
 		exit(-1);
 	}
 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+	cap_free(caps);
+#endif
+
 	source.sin_family = AF_INET;
 
 	preload = 1;
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`--- iputils-s20101006/Makefile.drop_caps 2010-11-08 14:49:53.334577997 +0100`
			`+++ iputils-s20101006/Makefile 2010-11-08 14:49:53.342599113 +0100`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`@@ -13,7 +13,7 @@ ADDLIB=`
			`CC=gcc`
			`# What a pity, all new gccs are buggy and -Werror does not work. Sigh.`
			`CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror`
			`-DEFINES += -D_GNU_SOURCE`
			`+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES`
			`CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)`

			`IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd`
			`@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o`
			`arping: arping.o`

			`ping: ping.o ping_common.o`
			`- $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping`
			`+ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping`

			`ping6: ping6.o ping_common.o`
			`- $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6`
			`+ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6`

			`ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h`
			`tftpd.o tftpsubs.o: tftp.h`
			`diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`--- iputils-s20101006/ping6.c.drop_caps 2010-11-08 14:49:53.338587611 +0100`
			`+++ iputils-s20101006/ping6.c 2010-12-15 16:06:16.949794002 +0100`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`@@ -73,6 +73,10 @@ char copyright[] =`
			`#include <netinet/icmp6.h>`
			`#include <resolv.h>`

			`+#ifdef HAVE_CAPABILITIES`
			`+#include <sys/capability.h>`
			`+#endif`
			`+`
			`#include "ping6_niquery.h"`
			`#include "in6_flowlabel.h"`

- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`@@ -533,6 +537,9 @@ int main(int argc, char *argv[])`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`int csum_offset, sz_opt;`
			`#endif`
			`static uint32_t scope_id = 0;`
			`+#ifdef HAVE_CAPABILITIES`
			`+ cap_t caps;`
			`+#endif`

			`icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);`
			`socket_errno = errno;`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`@@ -543,6 +550,16 @@ int main(int argc, char *argv[])`
			`exit(-1);`
			`}`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00
			`+#ifdef HAVE_CAPABILITIES`
			`+ /* drop all capabilities unconditionally so even root isn't special anymore */`
			`+ caps = cap_init();`
			`+ if (cap_set_proc(caps) < 0) {`
			`+ perror("ping: cap_set_proc");`
			`+ exit(-1);`
			`+ }`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`+ cap_free(caps);`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`+#endif`
			`+`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`source.sin6_family = AF_INET6;`
			`memset(&firsthop, 0, sizeof(firsthop));`
			`firsthop.sin6_family = AF_INET6;`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`--- iputils-s20101006/ping.c.drop_caps 2010-11-08 14:49:53.314577272 +0100`
			`+++ iputils-s20101006/ping.c 2010-12-15 16:05:52.113794002 +0100`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`@@ -66,6 +66,10 @@ char copyright[] =`
			`#include <netinet/ip.h>`
			`#include <netinet/ip_icmp.h>`

			`+#ifdef HAVE_CAPABILITIES`
			`+#include <sys/capability.h>`
			`+#endif`
			`+`
			`#ifndef ICMP_FILTER`
			`#define ICMP_FILTER 1`
			`struct icmp_filter {`
			`@@ -125,6 +129,9 @@ main(int argc, char **argv)`
			`u_char *packet;`
			`char *target, hnamebuf[MAX_HOSTNAMELEN];`
			`char rspace[3 + 4 * NROUTES + 1]; /* record route space */`
			`+#ifdef HAVE_CAPABILITIES`
			`+ cap_t caps;`
			`+#endif`

			`char *idn;`
			`int rc = 0;`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`@@ -139,6 +146,16 @@ main(int argc, char **argv)`
			`exit(-1);`
			`}`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00
			`+#ifdef HAVE_CAPABILITIES`
			`+ /* drop all capabilities unconditionally so even root isn't special anymore */`
			`+ caps = cap_init();`
			`+ if (cap_set_proc(caps) < 0) {`
			`+ perror("ping: cap_set_proc");`
			`+ exit(-1);`
			`+ }`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`+ cap_free(caps);`
- applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile 2010-11-08 09:03:47 +00:00			`+#endif`
			`+`
- fixes #662720 - Providing native systemd file - freeing memory when capabilities are dropped 2010-12-15 15:27:40 +00:00			`source.sin_family = AF_INET;`

			`preload = 1;`