iputils/iputils-20101006-drop_caps.patch

103 lines
3.1 KiB
Diff
Raw Normal View History

diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
--- iputils-s20101006/Makefile.drop_caps 2010-11-08 09:31:42.000000000 +0100
+++ iputils-s20101006/Makefile 2010-11-08 09:34:26.858580455 +0100
@@ -13,7 +13,7 @@ ADDLIB=
CC=gcc
# What a pity, all new gccs are buggy and -Werror does not work. Sigh.
CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
arping: arping.o
ping: ping.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
ping6: ping6.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
tftpd.o tftpsubs.o: tftp.h
diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
--- iputils-s20101006/ping6.c.drop_caps 2010-11-08 09:31:42.120827826 +0100
+++ iputils-s20101006/ping6.c 2010-11-08 09:31:42.125837869 +0100
@@ -73,6 +73,10 @@ char copyright[] =
#include <netinet/icmp6.h>
#include <resolv.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#include "ping6_niquery.h"
#include "in6_flowlabel.h"
@@ -533,10 +537,22 @@ int main(int argc, char *argv[])
int csum_offset, sz_opt;
#endif
static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");
diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
--- iputils-s20101006/ping.c.drop_caps 2010-11-08 09:31:42.096854873 +0100
+++ iputils-s20101006/ping.c 2010-11-08 09:31:42.127870437 +0100
@@ -66,6 +66,10 @@ char copyright[] =
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#ifndef ICMP_FILTER
#define ICMP_FILTER 1
struct icmp_filter {
@@ -125,6 +129,9 @@ main(int argc, char **argv)
u_char *packet;
char *target, hnamebuf[MAX_HOSTNAMELEN];
char rspace[3 + 4 * NROUTES + 1]; /* record route space */
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
char *idn;
int rc = 0;
@@ -133,6 +140,15 @@ main(int argc, char **argv)
icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");