- applied patch dropping capabilities of Ludwig Nussel

- fixes building ping, pinpg6 with -pie option - moves most CFLAGS options from spec to Makefile
2010-11-08 10:03:47 +01:00 · 2010-11-08 10:03:47 +01:00 · 16554d85fd
commit 16554d85fd
parent 37d219fe53
5 changed files with 123 additions and 11 deletions
--- a/iputils-20020927-rh.patch
+++ b/iputils-20020927-rh.patch
@ -1,13 +1,15 @@
 --- iputils/Makefile.rh7	2002-09-20 20:23:55.000000000 +0200
 +++ iputils/Makefile	2004-05-12 15:08:25.638310270 +0200
-@@ -24,8 +24,8 @@
+@@ -12,9 +12,9 @@ ADDLIB=
+ 
 CC=gcc
 # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
- #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
+-#CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
 -CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
 -CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
-+CCOPT?=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
-+CFLAGS?=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
+CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
+DEFINES += -D_GNU_SOURCE
+CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
 
 IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
 IPV6_TARGETS=tracepath6 traceroute6 ping6
--- a/iputils-20070202-idn.patch
+++ b/iputils-20070202-idn.patch
@ -9,10 +9,10 @@ diff -up iputils-s20100418/Makefile.idn iputils-s20100418/Makefile
 +
 ping: ping.o ping_common.o
 -ping6: ping6.o ping_common.o -lresolv -lcrypto
-+	$(CC) $(CFLAGS) ping.o ping_common.o -lidn -o ping
+	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
 +
 +ping6: ping6.o ping_common.o
-+	$(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
 +
 ping.o ping6.o ping_common.o: ping_common.h
 tftpd.o tftpsubs.o: tftp.h
--- a/iputils-20100418-flowlabel.patch
+++ b/iputils-20100418-flowlabel.patch
@ -47,7 +47,7 @@ diff -up iputils-s20100418/Makefile.flowlabel iputils-s20100418/Makefile
 +++ iputils-s20100418/Makefile	2010-05-17 13:54:03.423585869 +0200
@@ -35,7 +35,7 @@ ping: ping.o ping_common.o
 ping6: ping6.o ping_common.o
- 	$(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ 	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
 
 -ping.o ping6.o ping_common.o: ping_common.h
 +ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
--- a/iputils-20101006-drop_caps.patch
+++ b/iputils-20101006-drop_caps.patch
@ -0,0 +1,102 @@
+diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
+--- iputils-s20101006/Makefile.drop_caps	2010-11-08 09:31:42.000000000 +0100
+++ iputils-s20101006/Makefile	2010-11-08 09:34:26.858580455 +0100
+@@ -13,7 +13,7 @@ ADDLIB=
+ CC=gcc
+ # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
+ CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
+-DEFINES += -D_GNU_SOURCE
+DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
+ CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
+ 
+ IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
+@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
+ arping: arping.o
+ 
+ ping: ping.o ping_common.o
+-	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
+	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
+ 
+ ping6: ping6.o ping_common.o
+-	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
+ 
+ ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
+ tftpd.o tftpsubs.o: tftp.h
+diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
+--- iputils-s20101006/ping6.c.drop_caps	2010-11-08 09:31:42.120827826 +0100
+++ iputils-s20101006/ping6.c	2010-11-08 09:31:42.125837869 +0100
+@@ -73,6 +73,10 @@ char copyright[] =
+ #include <netinet/icmp6.h>
+ #include <resolv.h>
+ 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
+ #include "ping6_niquery.h"
+ #include "in6_flowlabel.h"
+ 
+@@ -533,10 +537,22 @@ int main(int argc, char *argv[])
+ 	int csum_offset, sz_opt;
+ #endif
+ 	static uint32_t scope_id = 0;
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
+ 
+ 	icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+ 	socket_errno = errno;
+ 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+#endif
+
+ 	uid = getuid();
+ 	if (setuid(uid)) {
+ 		perror("ping: setuid");
+diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
+--- iputils-s20101006/ping.c.drop_caps	2010-11-08 09:31:42.096854873 +0100
+++ iputils-s20101006/ping.c	2010-11-08 09:31:42.127870437 +0100
+@@ -66,6 +66,10 @@ char copyright[] =
+ #include <netinet/ip.h>
+ #include <netinet/ip_icmp.h>
+ 
+#ifdef HAVE_CAPABILITIES
+#include <sys/capability.h>
+#endif
+
+ #ifndef ICMP_FILTER
+ #define ICMP_FILTER	1
+ struct icmp_filter {
+@@ -125,6 +129,9 @@ main(int argc, char **argv)
+ 	u_char *packet;
+ 	char *target, hnamebuf[MAX_HOSTNAMELEN];
+ 	char rspace[3 + 4 * NROUTES + 1];	/* record route space */
+#ifdef HAVE_CAPABILITIES
+	cap_t caps;
+#endif
+ 
+ 	char *idn;
+ 	int rc = 0;
+@@ -133,6 +140,15 @@ main(int argc, char **argv)
+ 	icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ 	socket_errno = errno;
+ 
+#ifdef HAVE_CAPABILITIES
+	/* drop all capabilities unconditionally so even root isn't special anymore */
+	caps = cap_init();
+	if (cap_set_proc(caps) < 0) {
+		perror("ping: cap_set_proc");
+		exit(-1);
+	}
+#endif
+
+ 	uid = getuid();
+ 	if (setuid(uid)) {
+ 		perror("ping: setuid");
--- a/iputils.spec
+++ b/iputils.spec
@ -1,7 +1,7 @@
 Summary: Network monitoring tools including ping
 Name: iputils
 Version: 20101006
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 URL: http://www.skbuff.net/iputils
 Group: System Environment/Daemons
@ -24,6 +24,7 @@ Patch10: iputils-20071127-corr_type.patch
 Patch11: iputils-20071127-infiniband.patch
 Patch12: iputils-20100418-convtoint.patch
 Patch13: iputils-20100418-flowlabel.patch
+Patch14: iputils-20101006-drop_caps.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: docbook-utils perl-SGMLSpm
@ -58,14 +59,16 @@ the target machine is alive and receiving network traffic.
 %patch11 -p1 -b .infiniband
 %patch12 -p1 -b .convtoint
 %patch13 -p1 -b .flowlabel
+%patch14 -p1 -b .drop_caps

 %build
 %ifarch s390 s390x
-export CFLAGS="$RPM_OPT_FLAGS -fPIE -Werror -D_GNU_SOURCE -fno-strict-aliasing"
+  export CFLAGS="-fPIE"
 %else
-export CFLAGS="$RPM_OPT_FLAGS -fpie -Werror -D_GNU_SOURCE -fno-strict-aliasing"
+  export CFLAGS="-fpie"
 %endif
-export LDFLAGS="-pie "
+export LDFLAGS="-pie"
+
 make %{?_smp_mflags} arping clockdiff ping ping6 rdisc tracepath tracepath6
 gcc -Wall $RPM_OPT_FLAGS ifenslave.c -o ifenslave
 make -C doc man
@ -147,6 +150,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sysconfdir}/rc.d/init.d/rdisc

 %changelog
+* Mon Nov 08 2010 Jiri Skala <jskala@redhat.com> - 20101006-3
+- applied patch dropping capabilities of Ludwig Nussel
+- fixes building ping, pinpg6 with -pie option
+- moves most CFLAGS options from spec to Makefile
+
 * Wed Oct 27 2010 Jiri Skala <jskala@redhat.com> - 20101006-2
 - fixes #646444 - Replace SETUID in spec file with the correct file capabilities