Date: Mon, 22 Dec 2014 12:08:13 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r375232 - in head/net/ngrep: . files Message-ID: <201412221208.sBMC8DoB000358@svn.freebsd.org>
Author: koobs Date: Mon Dec 22 12:08:12 2014 New Revision: 375232 URL: https://svnweb.freebsd.org/changeset/ports/375232 QAT: https://qat.redports.org/buildarchive/r375232/ Log: net/ngrep: Add Capsicum sandboxing support - Add OPTION and patches for Capsicum support - Update MAINTAINER - Add LICENSE (BSD4CLAUSE) and LICENSE_FILE - Use OPTIONS helpers - Sort USES/USE section - Sort OPTIONS_DEFAULT PR: 195910 (with changes) Submitted by: logan at elandsys com Submitted by: feld Approved by: maintainer (edwin) Added: head/net/ngrep/files/patch-Configure.in (contents, props changed) head/net/ngrep/files/patch-ngrep.c (contents, props changed) Modified: head/net/ngrep/Makefile Modified: head/net/ngrep/Makefile ============================================================================== --- head/net/ngrep/Makefile Mon Dec 22 12:02:20 2014 (r375231) +++ head/net/ngrep/Makefile Mon Dec 22 12:08:12 2014 (r375232) 
@@ -3,45 +3,45 @@ PORTNAME= ngrep PORTVERSION= 1.45 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net security MASTER_SITES= SF -MAINTAINER= edwin@mavetju.org +MAINTAINER= logan@elandsys.com COMMENT= Network grep -WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} +LICENSE= BSD4CLAUSE +LICENSE_FILE= ${WRKSRC}/LICENSE.txt + USES= gmake tar:bzip2 + GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-pcap-restart + MAKE_JOBS_UNSAFE= yes -OPTIONS_DEFINE= PCRE PORTS_PCAP IPV6 DOCS -OPTIONS_DEFAULT= PCRE IPV6 +OPTIONS_DEFINE= CAPSICUM DOCS IPV6 PCRE PORTS_PCAP +OPTIONS_DEFAULT= CAPSICUM IPV6 PCRE + PCRE_DESC= Use PCRE instead of GNU regex PORTS_PCAP_DESC= Use ports PCAP instead of system PCAP +CAPSICUM_DESC= Build with capsicum if kernel supports it PLIST_FILES= bin/ngrep man/man8/ngrep.8.gz PORTDOCS= CHANGES.txt CREDITS.txt INSTALL.txt LICENSE.txt \ README.txt REGEX.txt -.include <bsd.port.options.mk> +CAPSICUM_CONFIGURE_ON= --enable-capsicum -.if ${PORT_OPTIONS:MPCRE} -CONFIGURE_ARGS+= --enable-pcre -.endif +IPV6_CONFIGURE_ENABLE= ipv6 +PCRE_CONFIGURE_ENABLE= pcre -.if ${PORT_OPTIONS:MPORTS_PCAP} -CONFIGURE_ARGS+= --with-pcap-includes=${LOCALBASE}/include -BUILD_DEPENDS+= ${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap -.else -CONFIGURE_ARGS+= --with-pcap-includes=/usr/include -.endif +PORTS_PCAP_CONFIGURE_ON= --with-pcap-includes=${LOCALBASE}/include +PORTS_PCAP_CONFIGURE_OFF= --with-pcap-includes=/usr/include +PORTS_PCAP_BUILD_DEPENDS= ${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap -.if ${PORT_OPTIONS:MIPV6} -CONFIGURE_ARGS+= --enable-ipv6 -.endif +.include <bsd.port.options.mk> post-patch: .if ${PORT_OPTIONS:MPORTS_PCAP} Added: head/net/ngrep/files/patch-Configure.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/net/ngrep/files/patch-Configure.in Mon Dec 22 12:08:12 2014 (r375232) 
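Review bot: Nothing in the visible Makefile lines regenerates `configure` after `files/patch-Configure.in` rewrites `configure.in`; `USES= gmake tar:bzip2` together with `GNU_CONFIGURE= yes` runs the shipped script as it is. Unless the part of the Makefile outside this hunk takes care of it, `--enable-capsicum` from `CAPSICUM_CONFIGURE_ON` is not an option that script knows and `HAVE_CAPSICUM` is never defined, so the port would build without the sandbox while the option reports it as enabled. I would either have the port run autoconf or patch the generated `configure` as well, and add a comment next to `CAPSICUM_DESC` saying which of the two is relied on. The `post-patch` target continues past the end of the hunk, so this is to be confirmed against the full file.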
@@ -0,0 +1,45 @@
+--- configure.in.orig 2006-11-15 07:43:56.000000000 +0400
++++ configure.in 2014-12-12 00:01:00.000000000 +0400
+@@ -110,6 +110,34 @@ else
+ USE_IPv6="0"
+ fi
+
++AC_ARG_ENABLE(capsicum,
++[ --enable-capsicum enable capsicum support],
++[
++ use_capsicum="$enableval"
++],
++[
++ use_capsicum="no"
++])
++
++#
++# Check whether various functions are available. If any are, set
++# ac_lbl_capsicum_function_seen to yes; if any are not, set
++# ac_lbl_capsicum_function_not_seen to yes.
++#
++# All of them must be available in order to enable capsicum sandboxing.
++#
++if test $use_capsicum = yes && test $use_capsicum != no ; then
++ AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
++ ac_lbl_capsicum_function_seen=yes,
++ ac_lbl_capsicum_function_not_seen=yes)
++fi
++AC_MSG_CHECKING([whether to sandbox using capsicum])
++if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
++ HAVE_CAPSICUM="1"
++ AC_MSG_RESULT(yes)
++else
++ AC_MSG_RESULT(no)
++fi
+
+ dnl
+ dnl Configure the regular expression library.
+@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,
+
+ AC_DEFINE_UNQUOTED(USE_PCRE, $USE_PCRE, [whether to use PCRE (default GNU Regex)])
+ AC_DEFINE_UNQUOTED(USE_IPv6, $USE_IPv6, [whether to use IPv6 (default off)])
++AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, [whether to use capsicum])
+
+ AC_DEFINE_UNQUOTED(USE_DROPPRIVS, $USE_DROPPRIVS, [whether to use privileges dropping (default yes)])
+ AC_DEFINE_UNQUOTED(DROPPRIVS_USER, "$DROPPRIVS_USER", [pseudo-user for running ngrep (default "nobody")])
Added: head/net/ngrep/files/patch-ngrep.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/ngrep/files/patch-ngrep.c Mon Dec 22 12:08:12 2014 (r375232)
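Review bot: `HAVE_CAPSICUM` is assigned only in the success branch, yet the last added line runs `AC_DEFINE_UNQUOTED(HAVE_CAPSICUM, $HAVE_CAPSICUM, ...)` unconditionally, so with the option off or a function missing the macro appears to end up defined with an empty value. The companion ngrep.c patch tests it with `#ifdef HAVE_CAPSICUM`, which is also true for an empty definition, so once configure is regenerated from this file the Capsicum code would be compiled in whatever the check decided. I would move the definition into the success branch as `AC_DEFINE(HAVE_CAPSICUM, 1, [whether to use capsicum])` and drop the unconditional line. The guard `test $use_capsicum = yes && test $use_capsicum != no` is redundant and unquoted; `test "x$use_capsicum" = "xyes"` says the same. `cap_rights_init`, which the C patch calls, is missing from the `AC_CHECK_FUNCS` list.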
@@ -0,0 +1,69 @@
+--- ngrep.c.orig 2006-11-28 17:38:43.000000000 +0400
++++ ngrep.c 2014-12-12 11:14:13.000000000 +0400
+@@ -97,6 +97,10 @@
+ #include "regex-0.12/regex.h"
+ #endif
+
++#ifdef HAVE_CAPSICUM
++#include <sys/capability.h>
++#endif /* HAVE CAPSICUM */
++
+ #include "ngrep.h"
+
+
+@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
+ int main(int argc, char **argv) {
+ int32_t c;
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_t rights;
++#endif /* HAVE_CAPSICUM */
++
+ signal(SIGINT, clean_exit);
+ signal(SIGABRT, clean_exit);
+
+@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
+ clean_exit(-1);
+ }
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
++ if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
++ errno != ENOSYS) {
++ fprintf(stderr, "unable to limit pcap descriptor");
++ clean_exit(-1);
++ }
++
++ static const unsigned long cmds[] = { BIOCGSTATS };
++ if (cap_ioctls_limit(pcap_fileno(pd), cmds,
++ sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
++ fprintf(stderr, "unable to limit ioctls on pcap descriptor");
++ clean_exit(-1);
++ }
++
++#endif /* HAVE CAPSICUM */
++
+ if (match_data) {
+ if (bin_match) {
+ uint32_t i = 0, n;
+@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
+ drop_privs();
+ #endif
+
++#ifdef HAVE_CAPSICUM
++ cap_rights_init(&rights);
++
++ if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
++ fprintf(stderr, "can't limit stdin");
++ clean_exit(-1);
++ }
++
++ if (cap_enter() < 0 && errno != ENOSYS) {
++ fprintf(stderr, "Can't enter capability mode");
++ clean_exit(-1);
++ }
++#endif /* HAVE_CAPSICUM */
++
+ while (pcap_loop(pd, 0, (pcap_handler)process, 0));
+
+ clean_exit(0);
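Review bot: In the last added block only `STDIN_FILENO` is limited before `cap_enter()`, so stdout, stderr and any other descriptor open at that point keep their full rights inside the sandbox. Limiting the two output descriptors to write-only, as sketched below, would close that gap. If ngrep queries the terminal size or writes a dump file through a descriptor opened earlier in main(), those need their own minimal rights as well; that code, like the start and end of main(), is outside the hunk. Separately, every added check tolerates `errno == ENOSYS`, so on a kernel without Capsicum the program continues unsandboxed without saying so, and a one-line warning on stderr would make that visible. The added messages also lack a trailing newline.

```c
#ifdef HAVE_CAPSICUM
    /* … unchanged: stdin limited to an empty rights set … */

    /* stdout and stderr are only ever written to from here on */
    cap_rights_init(&rights, CAP_WRITE);
    if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) {
        fprintf(stderr, "can't limit stdout\n");
        clean_exit(-1);
    }
    if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS) {
        fprintf(stderr, "can't limit stderr\n");
        clean_exit(-1);
    }

    /* … unchanged: cap_enter() and its error check … */
```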