author | koobs <koobs@FreeBSD.org> | 2014-12-22 20:08:12 +0800 |
---|---|---|
committer | koobs <koobs@FreeBSD.org> | 2014-12-22 20:08:12 +0800 |
commit | e7135b0f77019be9798e94ad678d7c3e0f4ee39b (patch) | |
tree | 79010b095eebcfd33c0348a7847e270929267c53 /net/ngrep | |
parent | 1018b3576db886bbb807c31d1097d3a53a77dbd9 (diff) | |
net/ngrep: Add Capcisum sandboxing support
- Add OPTION and patches for Capsicum support
- Update MAINTAINER
- Add LICENSE (BSD4CLAUSE) and LICENSE_FILE
- Use OPTIONS helpers
- Sort USES/USE section
- Sort OPTIONS_DEFAULT
PR: 195910 (with changes)
Submitted by: logan at elandsys com
Submitted by: feld
Approved by: maintainer (edwin)
Diffstat (limited to 'net/ngrep')
-rw-r--r-- | net/ngrep/Makefile | 36 | ||||
-rw-r--r-- | net/ngrep/files/patch-Configure.in | 45 | ||||
-rw-r--r-- | net/ngrep/files/patch-ngrep.c | 69 |
3 files changed, 132 insertions, 18 deletions
diff --git a/net/ngrep/Makefile b/net/ngrep/Makefile
index 459608ace5f3..713c737ee07a 100644
--- a/net/ngrep/Makefile
+++ b/net/ngrep/Makefile
@@ -3,45 +3,45 @@
 PORTNAME= ngrep
 PORTVERSION= 1.45
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= net security
 MASTER_SITES= SF
-MAINTAINER= edwin@mavetju.org
+MAINTAINER= logan@elandsys.com
 COMMENT= Network grep
-WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
+LICENSE= BSD4CLAUSE
+LICENSE_FILE= ${WRKSRC}/LICENSE.txt
+
 USES= gmake tar:bzip2
+
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS= --disable-pcap-restart
+
 MAKE_JOBS_UNSAFE= yes
-OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS
-OPTIONS_DEFAULT= PCRE IPV6
+OPTIONS_DEFINE= CAPSICUM DOCS IPV6 PCRE PORTS_PCAP
+OPTIONS_DEFAULT= CAPSICUM IPV6 PCRE
+
 PCRE_DESC= Use PCRE instead of GNU regex
 PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP
+CAPSICUM_DESC= Build with capsicum if kernel supports it
 PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz
 PORTDOCS= CHANGES.txt CREDITS.txt INSTALL.txt LICENSE.txt \
 README.txt REGEX.txt
-.include <bsd.port.options.mk>
+CAPSICUM_CONFIGURE_ON= --enable-capsicum
-.if ${PORT_OPTIONS:MPCRE}
-CONFIGURE_ARGS+= --enable-pcre
-.endif
+IPV6_CONFIGURE_ENABLE= ipv6
+PCRE_CONFIGURE_ENABLE= pcre
-.if ${PORT_OPTIONS:MPORTS_PCAP}
-CONFIGURE_ARGS+= --with-pcap-includes=${LOCALBASE}/include
-BUILD_DEPENDS+= ${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap
-.else
-CONFIGURE_ARGS+= --with-pcap-includes=/usr/include
-.endif
+PORTS_PCAP_CONFIGURE_ON= --with-pcap-includes=${LOCALBASE}/include
+PORTS_PCAP_CONFIGURE_OFF= --with-pcap-includes=/usr/include
+PORTS_PCAP_BUILD_DEPENDS= ${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap
-.if ${PORT_OPTIONS:MIPV6}
-CONFIGURE_ARGS+= --enable-ipv6
-.endif
+.include <bsd.port.options.mk>
 post-patch:
 .if ${PORT_OPTIONS:MPORTS_PCAP}
diff --git a/net/ngrep/files/patch-Configure.in b/net/ngrep/files/patch-Configure.in
new file mode 100644
index 000000000000..84439ba05e64
--- /dev/null
+++ b/net/ngrep/files/patch-Configure.in
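Review bot: Nothing in this hunk regenerates `configure` after `files/patch-Configure.in` edits `configure.in`; `USES= gmake tar:bzip2` together with `GNU_CONFIGURE= yes` runs the shipped script as it is. If no autoconf step exists outside the hunk, `--enable-capsicum` from `CAPSICUM_CONFIGURE_ON` is an option the old script does not know, `HAVE_CAPSICUM` is never defined, and a package built with the default-on CAPSICUM option would run unsandboxed without any build error. Either regenerate the script (for example `USES= autoreconf gmake tar:bzip2`) or patch `configure` itself, and confirm on a built binary that capability mode is really entered. The `post-patch` target continues past the end of the hunk, so this needs checking against the full Makefile.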
@@ -0,0 +1,45 @@
+--- configure.in.orig 2006-11-15 07:43:56.000000000 +0400
++++ configure.in 2014-12-12 00:01:00.000000000 +0400
+@@ -110,6 +110,34 @@ else
+ USE_IPv6="0"
+ fi
+
++AC_ARG_ENABLE(capsicum,
++[ --enable-capsicum enable capsicum support],
++[
++ use_capsicum="$enableval"
++],
++[
++ use_capsicum="no"
++])
++
++#
++# Check whether various functions are available. If any are, set
++# ac_lbl_capsicum_function_seen to yes; if any are not, set
++# ac_lbl_capsicum_function_not_seen to yes.
++#
++# All of them must be available in order to enable capsicum sandboxing.
++#
++if test $use_capsicum = yes && test $use_capsicum != no ; then
++ AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
++ ac_lbl_capsicum_function_seen=yes,
++ ac_lbl_capsicum_function_not_seen=yes)
++fi
++AC_MSG_CHECKING([whether to sandbox using capsicum])
++if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
++ HAVE_CAPSICUM="1"
++ AC_MSG_RESULT(yes)
++else
++ AC_MSG_RESULT(no)
++fi
+
+ dnl
+ dnl Configure the regular expression library.
+@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,
+
+ AC_DEFINE_UNQUOTED(USE_PCRE, $USE_PCRE, [whether to use PCRE (default GNU Regex)])
+ AC_DEFINE_UNQUOTED(USE_IPv6, $USE_IPv6, [whether to use IPv6 (default off)])
++AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, [whether to use capsicum])
+
+ AC_DEFINE_UNQUOTED(USE_DROPPRIVS, $USE_DROPPRIVS, [whether to use privileges dropping (default yes)])
+ AC_DEFINE_UNQUOTED(DROPPRIVS_USER, "$DROPPRIVS_USER", [pseudo-user for running ngrep (default "nobody")])
diff --git a/net/ngrep/files/patch-ngrep.c b/net/ngrep/files/patch-ngrep.c
new file mode 100644
index 000000000000..a3873b51280a
--- /dev/null
+++ b/net/ngrep/files/patch-ngrep.c
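Review bot: `HAVE_CAPSICUM` is assigned only in the success branch, so when the option is off or a function is missing the final `AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, ...)` expands with an empty value and, as far as autoconf's behaviour goes, still defines the macro. patch-ngrep.c guards its code with `#ifdef HAVE_CAPSICUM`, which is true for an empty definition, so the option would not switch the sandbox code off and a host without the Capsicum functions would probably fail to compile instead of falling back. Define the macro only on success, `AC_DEFINE(HAVE_CAPSICUM, 1, [whether to use capsicum])` next to `AC_MSG_RESULT(yes)`, and drop the unconditional define. In the same block `test $use_capsicum = yes && test $use_capsicum != no` is redundant and unquoted; `test "x$use_capsicum" = "xyes"` is enough.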
@@ -0,0 +1,69 @@
+--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
++++ ngrep.c 2014-12-12 11:14:13.000000000 +0400
+@@ -97,6 +97,10 @@
+ #include "regex-0.12/regex.h"
+ #endif
+
++#ifdef HAVE_CAPSICUM
++#include <sys/capability.h>
++#endif /* HAVE CAPSICUM */
++
+ #include "ngrep.h"
+
+
+@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
+ int main(int argc, char **argv) {
+ int32_t c;
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_t rights;
++#endif /* HAVE_CAPSICUM */
++
+ signal(SIGINT, clean_exit);
+ signal(SIGABRT, clean_exit);
+
+@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
+ clean_exit(-1);
+ }
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
++ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
++ errno != ENOSYS) {
++ fprintf(stderr, "unable to limit pcap descriptor");
++ clean_exit(-1);
++ }
++
++ static const unsigned long cmds[] = { BIOCGSTATS };
++ if (cap_ioctls_limit(pcap_fileno(pd), cmds,
++ sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
++ fprintf(stderr, "unable to limit ioctls on pcap descriptor");
++ clean_exit(-1);
++ }
++
++#endif /* HAVE CAPSICUM */
++
+ if (match_data) {
+ if (bin_match) {
+ uint32_t i = 0, n;
+@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
+ drop_privs();
+ #endif
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_init(&rights);
++
++ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
++ fprintf(stderr, "can't limit stdin");
++ clean_exit(-1);
++ }
++
++ if (cap_enter() < 0 && errno != ENOSYS) {
++ fprintf(stderr, "Can't enter capability mode");
++ clean_exit(-1);
++ }
++#endif /* HAVE_CAPSICUM */
++
+ while (pcap_loop(pd, 0, (pcap_handler)process, 0));
+
+ clean_exit(0); |
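Review bot: Only the pcap descriptor and stdin are restricted before `cap_enter()` in the last inner hunk; stdout, stderr and any other descriptor already open at that point (for instance a dump file opened earlier in main, if one exists outside the hunks) keep their full rights inside the sandbox. Limiting stdout and stderr to write access before entering capability mode closes most of that gap; the sketch below assumes `CAP_WRITE` is enough for how ngrep uses them. The stdin limit is an empty right set, so any later ioctl on descriptor 0 would be refused, which is worth checking against the terminal-size handling outside the hunks. The four added `fprintf(stderr, ...)` messages also lack a trailing `\n`. main() begins and ends outside these hunks.

```c
	cap_rights_init(&rights);
	/* … unchanged: stdin limit and its error path … */

	/* stdout/stderr only need to be written to once sandboxed */
	cap_rights_init(&rights, CAP_WRITE);
	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) {
		fprintf(stderr, "can't limit stdout\n");
		clean_exit(-1);
	}
	if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS) {
		fprintf(stderr, "can't limit stderr\n");
		clean_exit(-1);
	}

	if (cap_enter() < 0 && errno != ENOSYS) {
	/* … unchanged: cap_enter error path … */
```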