[iputils/f17: 2/7] Backport capability handling from master (#870722) and drop unnecessary patches

jsynacek jsynacek at fedoraproject.org
Fri Dec 7 14:11:17 UTC 2012


commit 5983ed68085d7bbe3b73cd71f10104e5bd488494
Author: Jan Synacek <jsynacek at redhat.com>
Date:   Fri Dec 7 14:35:57 2012 +0100

    Backport capability handling from master (#870722) and drop unnecessary patches
    
    fixes #870722 - ping -I interface isn't working

 iputils-20101006-caps.patch                        |  249 ++++++++++++++++++++
 iputils-20101006-drop_caps.patch                   |  107 ---------
 ...ping-defer-caps-drop-when-marking-packets.patch |  150 ------------
 iputils.spec                                       |   12 +-
 4 files changed, 256 insertions(+), 262 deletions(-)
---
diff --git a/iputils-20101006-caps.patch b/iputils-20101006-caps.patch
new file mode 100644
index 0000000..442013f
--- /dev/null
+++ b/iputils-20101006-caps.patch
@@ -0,0 +1,249 @@
+--- iputils-s20101006/ping.c.orig	2012-12-07 14:25:08.724509944 +0100
++++ iputils-s20101006/ping.c	2012-12-07 14:20:38.000000000 +0100
+@@ -115,7 +115,6 @@ struct sockaddr_in source;
+ char *device;
+ int pmtudisc = -1;
+ 
+-
+ int
+ main(int argc, char **argv)
+ {
+@@ -128,11 +127,17 @@ main(int argc, char **argv)
+ 
+ 	char *idn;
+ 	int rc = 0;
++
++	limit_capabilities();
+ 	setlocale(LC_ALL, "");
+ 
++	enable_capability_raw();
++
+ 	icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ 	socket_errno = errno;
+ 
++	disable_capability_raw();
++
+ 	uid = getuid();
+ 	if (setuid(uid)) {
+ 		perror("ping: setuid");
+@@ -298,9 +303,16 @@ main(int argc, char **argv)
+ 		}
+ 		if (device) {
+ 			struct ifreq ifr;
++			int rc;
++
+ 			memset(&ifr, 0, sizeof(ifr));
+ 			strncpy(ifr.ifr_name, device, IFNAMSIZ-1);
+-			if (setsockopt(probe_fd, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(device)+1) == -1) {
++
++			enable_capability_raw();
++			rc = setsockopt(probe_fd, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(device)+1);
++			disable_capability_raw();
++
++			if (rc == -1) {
+ 				if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
+ 					struct ip_mreqn imr;
+ 					if (ioctl(probe_fd, SIOCGIFINDEX, &ifr) < 0) {
+--- iputils-s20101006/ping_common.c.orig	2012-12-07 14:25:15.051513072 +0100
++++ iputils-s20101006/ping_common.c	2012-12-07 14:20:38.000000000 +0100
+@@ -58,10 +58,144 @@ int datalen = DEFDATALEN;
+ 
+ char *hostname;
+ int uid;
++uid_t euid;
+ int ident;			/* process id to identify our packets */
+ 
+ static int screen_width = INT_MAX;
+ 
++#ifdef HAVE_CAPABILITIES
++static cap_value_t cap_raw = CAP_NET_RAW;
++static cap_value_t cap_admin = CAP_NET_ADMIN;
++#endif
++
++void limit_capabilities(void)
++{
++#ifdef HAVE_CAPABILITIES
++	cap_t cap_cur_p;
++	cap_t cap_p;
++	cap_flag_value_t cap_ok;
++
++	cap_cur_p = cap_get_proc();
++	if (!cap_cur_p) {
++		perror("ping: cap_get_proc");
++		exit(-1);
++	}
++
++	cap_p = cap_init();
++	if (!cap_p) {
++		perror("ping: cap_init");
++		exit(-1);
++	}
++
++	cap_ok = CAP_CLEAR;
++	cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);
++
++	if (cap_ok != CAP_CLEAR)
++		cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_admin, CAP_SET);
++
++	cap_ok = CAP_CLEAR;
++	cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok);
++
++	if (cap_ok != CAP_CLEAR)
++		cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_raw, CAP_SET);
++
++	if (cap_set_proc(cap_p) < 0) {
++		perror("ping: cap_set_proc");
++		exit(-1);
++	}
++
++	if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
++		perror("ping: prctl");
++		exit(-1);
++	}
++
++	if (setuid(getuid()) < 0) {
++		perror("setuid");
++		exit(-1);
++	}
++
++	if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
++		perror("ping: prctl");
++		exit(-1);
++	}
++
++	cap_free(cap_p);
++	cap_free(cap_cur_p);
++#endif
++	uid = getuid();
++	euid = geteuid();
++#ifndef HAVE_CAPABILITIES
++	if (seteuid(uid)) {
++		perror("ping: setuid");
++		exit(-1);
++	}
++#endif
++}
++
++#ifdef HAVE_CAPABILITIES
++int modify_capability(cap_value_t cap, cap_flag_value_t on)
++{
++	cap_t cap_p = cap_get_proc();
++	cap_flag_value_t cap_ok;
++	int rc = -1;
++
++	if (!cap_p) {
++		perror("ping: cap_get_proc");
++		goto out;
++	}
++
++	cap_ok = CAP_CLEAR;
++	cap_get_flag(cap_p, cap, CAP_PERMITTED, &cap_ok);
++	if (cap_ok == CAP_CLEAR) {
++		rc = on ? -1 : 0;
++		goto out;
++	}
++
++	cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &cap, on);
++
++	if (cap_set_proc(cap_p) < 0) {
++		perror("ping: cap_set_proc");
++		goto out;
++	}
++
++	cap_free(cap_p);
++
++	rc = 0;
++out:
++	if (cap_p)
++		cap_free(cap_p);
++	return rc;
++}
++#else
++int modify_capability(int on)
++{
++	if (seteuid(on ? euid : getuid())) {
++		perror("seteuid");
++		return -1;
++	}
++
++	return 0;
++}
++#endif
++
++void drop_capabilities(void)
++{
++#ifdef HAVE_CAPABILITIES
++	cap_t cap = cap_init();
++	if (cap_set_proc(cap) < 0) {
++		perror("ping: cap_set_proc");
++		exit(-1);
++	}
++	cap_free(cap);
++#else
++	if (setuid(getuid())) {
++		perror("ping: setuid");
++		exit(-1);
++	}
++#endif
++}
++
++
+ /* Fills all the outpack, excluding ICMP header, but _including_
+  * timestamp area with supplied pattern.
+  */
+@@ -480,8 +614,13 @@ void setup(int icmp_sock)
+ 	}
+ #endif
+ 	if (options & F_MARK) {
+-		if (setsockopt(icmp_sock, SOL_SOCKET, SO_MARK,
+-				&mark, sizeof(mark)) == -1) {
++		int ret;
++
++		enable_capability_admin();
++		ret = setsockopt(icmp_sock, SOL_SOCKET, SO_MARK, &mark, sizeof(mark));
++		disable_capability_admin();
++
++		if (ret == -1) {
+ 			/* we probably dont wanna exit since old kernels
+ 			 * dont support mark ..
+ 			*/
+--- iputils-s20101006/ping_common.h.orig	2012-12-07 14:25:22.315516660 +0100
++++ iputils-s20101006/ping_common.h	2012-12-07 14:20:38.000000000 +0100
+@@ -17,6 +17,11 @@
+ #include <string.h>
+ #include <netdb.h>
+ 
++#ifdef HAVE_CAPABILITIES
++#include <sys/prctl.h>
++#include <sys/capability.h>
++#endif
++
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <linux/types.h>
+@@ -188,6 +193,25 @@ static inline void advance_ntransmitted(
+ 		acked = (__u16)ntransmitted + 1;
+ }
+ 
++extern void limit_capabilities(void);
++static int enable_capability_raw(void);
++static int disable_capability_raw(void);
++static int enable_capability_admin(void);
++static int disable_capability_admin(void);
++#ifdef HAVE_CAPABILITIES
++extern int modify_capability(cap_value_t, cap_flag_value_t);
++static inline int enable_capability_raw(void)		{ return modify_capability(CAP_NET_RAW,   CAP_SET);   };
++static inline int disable_capability_raw(void)		{ return modify_capability(CAP_NET_RAW,   CAP_CLEAR); };
++static inline int enable_capability_admin(void)		{ return modify_capability(CAP_NET_ADMIN, CAP_SET);   };
++static inline int disable_capability_admin(void)	{ return modify_capability(CAP_NET_ADMIN, CAP_CLEAR); };
++#else
++extern int modify_capability(int);
++static inline int enable_capability_raw(void)		{ return modify_capability(1); };
++static inline int disable_capability_raw(void)		{ return modify_capability(0); };
++static inline int enable_capability_admin(void)		{ return modify_capability(1); };
++static inline int disable_capability_admin(void)	{ return modify_capability(0); };
++#endif
++extern void drop_capabilities(void);
+ 
+ extern int send_probe(void);
+ extern int receive_error_msg(void);
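Review bot: modify_capability() frees cap_p twice on its success path: `cap_free(cap_p);` runs just before `rc = 0;`, and the `out:` label then still sees a non-NULL cap_p and calls `cap_free(cap_p)` again, so every successful enable/disable call is a double free. Either drop the early call or clear the pointer after it, `cap_free(cap_p); cap_p = NULL;`, so the cleanup at `out:` is the only release. Two smaller points in the same patch: the `int rc;` added inside `if (device)` in ping.c's main() shadows the existing `int rc = 0;` that is visible as context in the earlier main() hunk, and drop_capabilities() hands the result of `cap_init()` straight to cap_set_proc() without the NULL check that limit_capabilities() performs. The cap_get_flag()/cap_set_flag() return values are also unchecked throughout; a failed cap_get_flag() leaves cap_ok at CAP_CLEAR, which at least errs toward not granting the capability, but a failed cap_set_flag() is silently ignored.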
diff --git a/iputils.spec b/iputils.spec
index a14b3a0..325e3ed 100644
--- a/iputils.spec
+++ b/iputils.spec
@@ -1,7 +1,7 @@
 Summary: Network monitoring tools including ping
 Name: iputils
 Version: 20101006
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: BSD
 URL: http://www.skbuff.net/iputils
 Group: System Environment/Daemons
@@ -26,12 +26,11 @@ Patch10: iputils-20071127-corr_type.patch
 Patch11: iputils-20071127-infiniband.patch
 Patch12: iputils-20100418-convtoint.patch
 Patch13: iputils-20100418-flowlabel.patch
-Patch14: iputils-20101006-drop_caps.patch
 Patch15: iputils-20101006-unused.patch
 Patch16: iputils-20101006-man.patch
 Patch17: iputils-20101006-eth.patch
 Patch18: iputils-20101006-rr.patch
-Patch20: iputils-20101006-ping-defer-caps-drop-when-marking-packets.patch
+Patch21: iputils-20101006-caps.patch
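Review bot: The new caps patch only uses libcap when HAVE_CAPABILITIES is defined; otherwise every enable/disable call falls back to seteuid() and ping must remain setuid-root for -I to work at all. Nothing in this hunk shows that define being passed in CFLAGS or a libcap-devel BuildRequires, so it is worth confirming they are already present elsewhere in the spec (the retired drop_caps patch may have relied on them) and that the packaged binary is installed with file capabilities rather than the setuid bit, since that is what makes the permitted-set reduction in limit_capabilities() meaningful.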
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: docbook-utils perl-SGMLSpm
@@ -84,12 +83,11 @@ The iputils-sysvinit contains SysV initscritps support.
 %patch11 -p1 -b .infiniband
 %patch12 -p1 -b .convtoint
 %patch13 -p1 -b .flowlabel
-%patch14 -p1 -b .drop_caps
 %patch15 -p1 -b .unused
 %patch16 -p1 -b .man
 %patch17 -p1 -b .eth
 %patch18 -p1 -b .rr
-%patch20 -p1
+%patch21 -p1 -b .caps
 
 %build
 %ifarch s390 s390x
@@ -193,6 +191,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sysconfdir}/rc.d/init.d/rdisc
 
 %changelog
+* Fri Dec 07 2012 Jan Synáček <jsynacek at redhat.com> 20101006-16
+- Backport capability handling from master (fixes #870722 - ping -I interface
+  isn't working) and drop unnecessary patches
+
 * Mon Jun 25 2012 Jan Synáček <jsynacek at redhat.com> 20101006-15
 - Ping fixes:
   + enable marking packets when the correct capabilities are set (#802197)

