- applied patch dropping capabilities of Ludwig Nussel

- fixes building ping, ping6 with -pie option
- moves most CFLAGS options from spec to Makefile
Jiri Skala 2010-11-08 10:03:47 +01:00
parent 37d219fe53
commit 16554d85fd
5 changed files with 123 additions and 11 deletions


@ -1,13 +1,15 @@
--- iputils/Makefile.rh7 2002-09-20 20:23:55.000000000 +0200
+++ iputils/Makefile 2004-05-12 15:08:25.638310270 +0200
@@ -24,8 +24,8 @@
@@ -12,9 +12,9 @@ ADDLIB=
CC=gcc
# What a pity, all new gccs are buggy and -Werror does not work. Sigh.
#CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
-#CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
-CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
-CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES)
+CCOPT?=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
+CFLAGS?=$(CCOPT) $(GLIBCFIX) $(DEFINES)
+CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
+DEFINES += -D_GNU_SOURCE
+CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
IPV6_TARGETS=tracepath6 traceroute6 ping6
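Review bot: The comment kept above CCOPT still says that -Werror does not work with new gccs, yet the line that appears to be the new side, `CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror`, turns it on, so the comment now contradicts the setting. That line also drops `-O2 -Wall -g`, leaving optimisation and warnings entirely to `$(RPM_OPT_FLAGS)`; a build outside rpmbuild would compile unoptimised, and any fortify-style checks that depend on optimisation would presumably be inactive. I would replace the comment with something like `# -O2/-g/-Wall come from RPM_OPT_FLAGS; -Werror is intentional for package builds`. The old/new side of each line is inferred from the later drop_caps context, because the page has lost the +/- column.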


@ -9,10 +9,10 @@ diff -up iputils-s20100418/Makefile.idn iputils-s20100418/Makefile
+
ping: ping.o ping_common.o
-ping6: ping6.o ping_common.o -lresolv -lcrypto
+ $(CC) $(CFLAGS) ping.o ping_common.o -lidn -o ping
+ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+
+ping6: ping6.o ping_common.o
+ $(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+
ping.o ping6.o ping_common.o: ping_common.h
tftpd.o tftpsubs.o: tftp.h


@ -47,7 +47,7 @@ diff -up iputils-s20100418/Makefile.flowlabel iputils-s20100418/Makefile
+++ iputils-s20100418/Makefile 2010-05-17 13:54:03.423585869 +0200
@@ -35,7 +35,7 @@ ping: ping.o ping_common.o
ping6: ping6.o ping_common.o
$(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
-ping.o ping6.o ping_common.o: ping_common.h
+ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h


@ -0,0 +1,102 @@
diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
--- iputils-s20101006/Makefile.drop_caps 2010-11-08 09:31:42.000000000 +0100
+++ iputils-s20101006/Makefile 2010-11-08 09:34:26.858580455 +0100
@@ -13,7 +13,7 @@ ADDLIB=
CC=gcc
# What a pity, all new gccs are buggy and -Werror does not work. Sigh.
CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
arping: arping.o
ping: ping.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+ $(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
ping6: ping6.o ping_common.o
- $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ $(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
tftpd.o tftpsubs.o: tftp.h
diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
--- iputils-s20101006/ping6.c.drop_caps 2010-11-08 09:31:42.120827826 +0100
+++ iputils-s20101006/ping6.c 2010-11-08 09:31:42.125837869 +0100
@@ -73,6 +73,10 @@ char copyright[] =
#include <netinet/icmp6.h>
#include <resolv.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#include "ping6_niquery.h"
#include "in6_flowlabel.h"
@@ -533,10 +537,22 @@ int main(int argc, char *argv[])
int csum_offset, sz_opt;
#endif
static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");
diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
--- iputils-s20101006/ping.c.drop_caps 2010-11-08 09:31:42.096854873 +0100
+++ iputils-s20101006/ping.c 2010-11-08 09:31:42.127870437 +0100
@@ -66,6 +66,10 @@ char copyright[] =
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
#ifndef ICMP_FILTER
#define ICMP_FILTER 1
struct icmp_filter {
@@ -125,6 +129,9 @@ main(int argc, char **argv)
u_char *packet;
char *target, hnamebuf[MAX_HOSTNAMELEN];
char rspace[3 + 4 * NROUTES + 1]; /* record route space */
+#ifdef HAVE_CAPABILITIES
+ cap_t caps;
+#endif
char *idn;
int rc = 0;
@@ -133,6 +140,15 @@ main(int argc, char **argv)
icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
socket_errno = errno;
+#ifdef HAVE_CAPABILITIES
+ /* drop all capabilities unconditionally so even root isn't special anymore */
+ caps = cap_init();
+ if (cap_set_proc(caps) < 0) {
+ perror("ping: cap_set_proc");
+ exit(-1);
+ }
+#endif
+
uid = getuid();
if (setuid(uid)) {
perror("ping: setuid");
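Review bot: Dropping every capability before the `setuid(uid)` call that follows changes what that call does: without CAP_SETUID, setuid() only sets the effective UID, so if the binary is ever installed setuid-root the saved set-user-ID stays 0 after this sequence. This applies to both main() hunks, in ping6.c and ping.c; the setuid block continues outside the hunks, so the full ordering is not visible here. I would move the `#ifdef HAVE_CAPABILITIES` block to just after the setuid check, or keep it in place and verify the real, effective and saved IDs afterwards. Separately, the result of cap_init() is never checked or released; `if (caps == NULL || cap_set_proc(caps) < 0) {` plus a `cap_free(caps);` after the check would cover that.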


@ -1,7 +1,7 @@
Summary: Network monitoring tools including ping
Name: iputils
Version: 20101006
Release: 2%{?dist}
Release: 3%{?dist}
License: BSD
URL: http://www.skbuff.net/iputils
Group: System Environment/Daemons
@ -24,6 +24,7 @@ Patch10: iputils-20071127-corr_type.patch
Patch11: iputils-20071127-infiniband.patch
Patch12: iputils-20100418-convtoint.patch
Patch13: iputils-20100418-flowlabel.patch
Patch14: iputils-20101006-drop_caps.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: docbook-utils perl-SGMLSpm
@ -58,14 +59,16 @@ the target machine is alive and receiving network traffic.
%patch11 -p1 -b .infiniband
%patch12 -p1 -b .convtoint
%patch13 -p1 -b .flowlabel
%patch14 -p1 -b .drop_caps
%build
%ifarch s390 s390x
export CFLAGS="$RPM_OPT_FLAGS -fPIE -Werror -D_GNU_SOURCE -fno-strict-aliasing"
export CFLAGS="-fPIE"
%else
export CFLAGS="$RPM_OPT_FLAGS -fpie -Werror -D_GNU_SOURCE -fno-strict-aliasing"
export CFLAGS="-fpie"
%endif
export LDFLAGS="-pie "
export LDFLAGS="-pie"
make %{?_smp_mflags} arping clockdiff ping ping6 rdisc tracepath tracepath6
gcc -Wall $RPM_OPT_FLAGS ifenslave.c -o ifenslave
make -C doc man
@ -147,6 +150,11 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sysconfdir}/rc.d/init.d/rdisc
%changelog
* Mon Nov 08 2010 Jiri Skala <jskala@redhat.com> - 20101006-3
- applied patch dropping capabilities of Ludwig Nussel
- fixes building ping, pinpg6 with -pie option
- moves most CFLAGS options from spec to Makefile
* Wed Oct 27 2010 Jiri Skala <jskala@redhat.com> - 20101006-2
- fixes #646444 - Replace SETUID in spec file with the correct file capabilities
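Review bot: The new drop_caps patch includes `<sys/capability.h>` and links with `-lcap`, but no matching build dependency is visible: the only BuildRequires line shown is `docbook-utils perl-SGMLSpm`. If the rest of the spec does not already list it, add `BuildRequires: libcap-devel`, otherwise the build depends on whatever happens to be in the buildroot. The exported CFLAGS is now just `-fpie`/`-fPIE` and relies on the Makefile appending `$(RPM_OPT_FLAGS)`, while the separate `gcc -Wall $RPM_OPT_FLAGS ifenslave.c -o ifenslave` line still builds ifenslave without the PIE flags.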