[iputils] - applied patch dropping capabilities of Ludwig Nussel - fixes building ping, pinpg6 with -pie optio

Jiri Skala jskala at fedoraproject.org
Mon Nov 8 09:03:52 UTC 2010


commit 16554d85fd28cea6c96fc4f94f5264d1d81af710
Author: Jiri Skala <jskala at localhost.(none)>
Date:   Mon Nov 8 10:03:47 2010 +0100

    - applied Ludwig Nussel's patch that drops capabilities
    - fixes building ping, ping6 with -pie option
    - moves most CFLAGS options from spec to Makefile

 iputils-20020927-rh.patch        |   10 ++--
 iputils-20070202-idn.patch       |    4 +-
 iputils-20100418-flowlabel.patch |    2 +-
 iputils-20101006-drop_caps.patch |  102 ++++++++++++++++++++++++++++++++++++++
 iputils.spec                     |   16 +++++--
 5 files changed, 123 insertions(+), 11 deletions(-)
---
diff --git a/iputils-20020927-rh.patch b/iputils-20020927-rh.patch
index 16d4745..0c83bc5 100644
--- a/iputils-20020927-rh.patch
+++ b/iputils-20020927-rh.patch
@@ -1,13 +1,15 @@
 --- iputils/Makefile.rh7	2002-09-20 20:23:55.000000000 +0200
 +++ iputils/Makefile	2004-05-12 15:08:25.638310270 +0200
-@@ -24,8 +24,8 @@
+@@ -12,9 +12,9 @@ ADDLIB=
+ 
  CC=gcc
  # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
- #CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
+-#CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -Werror
 -CCOPT=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
 -CFLAGS=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
-+CCOPT?=-D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g
-+CFLAGS?=$(CCOPT) $(GLIBCFIX) $(DEFINES) 
++CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
++DEFINES += -D_GNU_SOURCE
++CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
  
  IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
  IPV6_TARGETS=tracepath6 traceroute6 ping6
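Review bot: The context comment `# What a pity, all new gccs are buggy and -Werror does not work. Sigh.` now sits directly above a `CCOPT` that enables `-Werror`, so the comment contradicts the line it introduces. Since the inner patch already rewrites this stanza, it could replace the comment with something like `# -Werror is on; optimisation and debug flags come from RPM_OPT_FLAGS`. `CCOPT` also no longer carries `-O2 -Wall -g`, so a build where `RPM_OPT_FLAGS` is unset gets none of them from this Makefile. That looks intended for the rpm build, but the comment should say so.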
diff --git a/iputils-20070202-idn.patch b/iputils-20070202-idn.patch
index 7658598..50347d3 100644
--- a/iputils-20070202-idn.patch
+++ b/iputils-20070202-idn.patch
@@ -9,10 +9,10 @@ diff -up iputils-s20100418/Makefile.idn iputils-s20100418/Makefile
 +
  ping: ping.o ping_common.o
 -ping6: ping6.o ping_common.o -lresolv -lcrypto
-+	$(CC) $(CFLAGS) ping.o ping_common.o -lidn -o ping
++	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
 +
 +ping6: ping6.o ping_common.o
-+	$(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
++	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
 +
  ping.o ping6.o ping_common.o: ping_common.h
  tftpd.o tftpsubs.o: tftp.h
diff --git a/iputils-20100418-flowlabel.patch b/iputils-20100418-flowlabel.patch
index 4fe3d0a..9fdf4d3 100644
--- a/iputils-20100418-flowlabel.patch
+++ b/iputils-20100418-flowlabel.patch
@@ -47,7 +47,7 @@ diff -up iputils-s20100418/Makefile.flowlabel iputils-s20100418/Makefile
 +++ iputils-s20100418/Makefile	2010-05-17 13:54:03.423585869 +0200
 @@ -35,7 +35,7 @@ ping: ping.o ping_common.o
  ping6: ping6.o ping_common.o
- 	$(CC) $(CFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
+ 	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
  
 -ping.o ping6.o ping_common.o: ping_common.h
 +ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
diff --git a/iputils-20101006-drop_caps.patch b/iputils-20101006-drop_caps.patch
new file mode 100644
index 0000000..0967a13
--- /dev/null
+++ b/iputils-20101006-drop_caps.patch
@@ -0,0 +1,102 @@
+diff -up iputils-s20101006/Makefile.drop_caps iputils-s20101006/Makefile
+--- iputils-s20101006/Makefile.drop_caps	2010-11-08 09:31:42.000000000 +0100
++++ iputils-s20101006/Makefile	2010-11-08 09:34:26.858580455 +0100
+@@ -13,7 +13,7 @@ ADDLIB=
+ CC=gcc
+ # What a pity, all new gccs are buggy and -Werror does not work. Sigh.
+ CCOPT=-Wstrict-prototypes -fno-strict-aliasing -Werror
+-DEFINES += -D_GNU_SOURCE
++DEFINES += -D_GNU_SOURCE -DHAVE_CAPABILITIES
+ CFLAGS += $(RPM_OPT_FLAGS) $(CCOPT) $(GLIBCFIX) $(DEFINES)
+ 
+ IPV4_TARGETS=tracepath ping clockdiff rdisc arping tftpd rarpd
+@@ -30,10 +30,10 @@ tftpd: tftpd.o tftpsubs.o
+ arping: arping.o
+ 
+ ping: ping.o ping_common.o
+-	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -o ping
++	$(CC) $(CFLAGS) $(LDFLAGS) ping.o ping_common.o -lidn -lcap -o ping
+ 
+ ping6: ping6.o ping_common.o
+-	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -o ping6
++	$(CC) $(CFLAGS) $(LDFLAGS) ping6.o ping_common.o -lresolv -lcrypto -lcap -o ping6
+ 
+ ping.o ping6.o ping_common.o: ping_common.h in6_flowlabel.h
+ tftpd.o tftpsubs.o: tftp.h
+diff -up iputils-s20101006/ping6.c.drop_caps iputils-s20101006/ping6.c
+--- iputils-s20101006/ping6.c.drop_caps	2010-11-08 09:31:42.120827826 +0100
++++ iputils-s20101006/ping6.c	2010-11-08 09:31:42.125837869 +0100
+@@ -73,6 +73,10 @@ char copyright[] =
+ #include <netinet/icmp6.h>
+ #include <resolv.h>
+ 
++#ifdef HAVE_CAPABILITIES
++#include <sys/capability.h>
++#endif
++
+ #include "ping6_niquery.h"
+ #include "in6_flowlabel.h"
+ 
+@@ -533,10 +537,22 @@ int main(int argc, char *argv[])
+ 	int csum_offset, sz_opt;
+ #endif
+ 	static uint32_t scope_id = 0;
++#ifdef HAVE_CAPABILITIES
++	cap_t caps;
++#endif
+ 
+ 	icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+ 	socket_errno = errno;
+ 
++#ifdef HAVE_CAPABILITIES
++	/* drop all capabilities unconditionally so even root isn't special anymore */
++	caps = cap_init();
++	if (cap_set_proc(caps) < 0) {
++		perror("ping: cap_set_proc");
++		exit(-1);
++	}
++#endif
++
+ 	uid = getuid();
+ 	if (setuid(uid)) {
+ 		perror("ping: setuid");
+diff -up iputils-s20101006/ping.c.drop_caps iputils-s20101006/ping.c
+--- iputils-s20101006/ping.c.drop_caps	2010-11-08 09:31:42.096854873 +0100
++++ iputils-s20101006/ping.c	2010-11-08 09:31:42.127870437 +0100
+@@ -66,6 +66,10 @@ char copyright[] =
+ #include <netinet/ip.h>
+ #include <netinet/ip_icmp.h>
+ 
++#ifdef HAVE_CAPABILITIES
++#include <sys/capability.h>
++#endif
++
+ #ifndef ICMP_FILTER
+ #define ICMP_FILTER	1
+ struct icmp_filter {
+@@ -125,6 +129,9 @@ main(int argc, char **argv)
+ 	u_char *packet;
+ 	char *target, hnamebuf[MAX_HOSTNAMELEN];
+ 	char rspace[3 + 4 * NROUTES + 1];	/* record route space */
++#ifdef HAVE_CAPABILITIES
++	cap_t caps;
++#endif
+ 
+ 	char *idn;
+ 	int rc = 0;
+@@ -133,6 +140,15 @@ main(int argc, char **argv)
+ 	icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ 	socket_errno = errno;
+ 
++#ifdef HAVE_CAPABILITIES
++	/* drop all capabilities unconditionally so even root isn't special anymore */
++	caps = cap_init();
++	if (cap_set_proc(caps) < 0) {
++		perror("ping: cap_set_proc");
++		exit(-1);
++	}
++#endif
++
+ 	uid = getuid();
+ 	if (setuid(uid)) {
+ 		perror("ping: setuid");
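Review bot: In both `main()` functions the capability drop runs before `setuid(uid)`, so `CAP_SETUID` is already gone when `setuid()` is called. With file capabilities this is harmless, but if ping or ping6 is ever installed set-user-ID root, `setuid()` without `CAP_SETUID` changes only the effective UID and leaves the saved set-user-ID at 0. Moving the `#ifdef HAVE_CAPABILITIES` block below the `setuid()` check avoids that. Separately, `cap_init()` is not checked and `caps` is never released; `if (caps == NULL || cap_set_proc(caps) < 0) {` plus a `cap_free(caps);` after the check would cover both. Both `main()` bodies continue outside the hunks shown.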
diff --git a/iputils.spec b/iputils.spec
index a23d025..b1bcb23 100644
--- a/iputils.spec
+++ b/iputils.spec
@@ -1,7 +1,7 @@
 Summary: Network monitoring tools including ping
 Name: iputils
 Version: 20101006
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD
 URL: http://www.skbuff.net/iputils
 Group: System Environment/Daemons
@@ -24,6 +24,7 @@ Patch10: iputils-20071127-corr_type.patch
 Patch11: iputils-20071127-infiniband.patch
 Patch12: iputils-20100418-convtoint.patch
 Patch13: iputils-20100418-flowlabel.patch
+Patch14: iputils-20101006-drop_caps.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: docbook-utils perl-SGMLSpm
@@ -58,14 +59,16 @@ the target machine is alive and receiving network traffic.
 %patch11 -p1 -b .infiniband
 %patch12 -p1 -b .convtoint
 %patch13 -p1 -b .flowlabel
+%patch14 -p1 -b .drop_caps
 
 %build
 %ifarch s390 s390x
-export CFLAGS="$RPM_OPT_FLAGS -fPIE -Werror -D_GNU_SOURCE -fno-strict-aliasing"
+  export CFLAGS="-fPIE"
 %else
-export CFLAGS="$RPM_OPT_FLAGS -fpie -Werror -D_GNU_SOURCE -fno-strict-aliasing"
+  export CFLAGS="-fpie"
 %endif
-export LDFLAGS="-pie "
+export LDFLAGS="-pie"
+
 make %{?_smp_mflags} arping clockdiff ping ping6 rdisc tracepath tracepath6
 gcc -Wall $RPM_OPT_FLAGS ifenslave.c -o ifenslave
 make -C doc man
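Review bot: Nothing in `%build` records that the spec now exports only the PIE flag in `CFLAGS`, and that `$RPM_OPT_FLAGS`, `-Werror`, `-D_GNU_SOURCE` and `-fno-strict-aliasing` reach the compiler only because the patched Makefile appends them. A short comment above the `%ifarch` would keep a later rebase of iputils-20020927-rh.patch from silently dropping the distribution flags, for example `# RPM_OPT_FLAGS, -Werror and -D_GNU_SOURCE are added by the Makefile (iputils-20020927-rh.patch)`. The `ifenslave` line in the context still passes `$RPM_OPT_FLAGS` by hand and does not pick up `-fpie`/`-pie`. If that is deliberate, it is worth noting there as well.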
@@ -147,6 +150,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sysconfdir}/rc.d/init.d/rdisc
 
 %changelog
+* Mon Nov 08 2010 Jiri Skala <jskala at redhat.com> - 20101006-3
+- applied patch dropping capabilities of Ludwig Nussel
+- fixes building ping, pinpg6 with -pie option
+- moves most CFLAGS options from spec to Makefile
+
 * Wed Oct 27 2010 Jiri Skala <jskala at redhat.com> - 20101006-2
 - fixes #646444 - Replace SETUID in spec file with the correct file capabilities
 

