ebtables: Improve security to pass QA checks.

* Added patches for CFLAGS, install permissions and location.
* Add -Wall CFLAG to improve security

diff --git a/pkgs/core/ebtables/ebtables.nm b/pkgs/core/ebtables/ebtables.nm
index 5eb314ebbd0b24a32c5d31674c6fa532125dc871..be4c3c76f6f56b0d80de91c8ad3ad8f3bb4884b1 100644 (file)
--- a/pkgs/core/ebtables/ebtables.nm
+++ b/pkgs/core/ebtables/ebtables.nm
@@ -42,7 +42,9 @@ endef
 
 PKG_TARBALL    = $(THISAPP).tar.gz
 
-CFLAGS        += -fno-stack-protector # XXX Why do we need this?
+CFLAGS += -Wall
+
+PARALLELISMFLAGS = # No paralellism build
 
 define QUALITY_AGENT_WHITELIST_RPATH
        /sbin/ebtables-restore \

diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch b/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch
new file mode 100644 (file)
index 0000000..1e34a9e
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch
@@ -0,0 +1,19 @@
+diff -up ebtables-v2.0.8-1/extensions/Makefile.BAD ebtables-v2.0.8-1/extensions/Makefile
+--- ebtables-v2.0.8-1/extensions/Makefile.BAD  2007-08-23 09:52:37.000000000 -0400
++++ ebtables-v2.0.8-1/extensions/Makefile      2007-08-23 09:52:50.000000000 -0400
+@@ -11,13 +11,13 @@ EXT_LIBSI+=$(foreach T,$(EXT_FUNC), -leb
+ EXT_LIBSI+=$(foreach T,$(EXT_TABLES), -lebtable_$(T))
+ 
+ extensions/ebt_%.so: extensions/ebt_%.o
+-      $(CC) -shared -o $@ -lc $< -nostartfiles
++      $(CC) $(CFLAGS) -shared -o $@ -lc $< -nostartfiles
+ 
+ extensions/libebt_%.so: extensions/ebt_%.so
+       mv $< $@
+ 
+ extensions/ebtable_%.so: extensions/ebtable_%.o
+-      $(CC) -shared -o $@ -lc $< -nostartfiles
++      $(CC) $(CFLAGS) -shared -o $@ -lc $< -nostartfiles
+ 
+ extensions/libebtable_%.so: extensions/ebtable_%.so
+       mv $< $@

diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch b/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch
new file mode 100644 (file)
index 0000000..d475928
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch
@@ -0,0 +1,63 @@
+diff -up ebtables-v2.0.8-2/Makefile.orig ebtables-v2.0.8-2/Makefile
+--- ebtables-v2.0.8-2/Makefile.orig    2007-09-21 13:27:20.000000000 -0400
++++ ebtables-v2.0.8-2/Makefile 2007-10-28 15:09:01.000000000 -0400
+@@ -154,28 +154,28 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
+ .PHONY: scripts
+ scripts: ebtables-save ebtables.sysv ebtables-config
+       cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
+-      install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
++      install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+       cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
+-      install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
++      install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
+       cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
+-      install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
++      install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
+       rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
+ 
+ $(MANDIR)/man8/ebtables.8: ebtables.8
+       mkdir -p $(DESTDIR)$(@D)
+       sed 's/$$(VERSION)/$(PROGVERSION)/' ebtables.8 | sed 's/$$(DATE)/$(PROGDATE)/' > ebtables.8_
+-      install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
++      install -m 0644 ebtables.8_ $(DESTDIR)$@
+       rm -f ebtables.8_
+ 
+ $(ETHERTYPESFILE): ethertypes
+       mkdir -p $(DESTDIR)$(@D)
+-      install -m 0644 -o root -g root $< $(DESTDIR)$@
++      install -m 0644 $< $(DESTDIR)$@
+ 
+ .PHONY: exec
+ exec: ebtables ebtables-restore
+       mkdir -p $(DESTDIR)$(BINDIR)
+-      install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+-      install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
++      install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
++      install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+ 
+ .PHONY: install
+ install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec scripts
+@@ -199,18 +199,18 @@ release:
+       rm -f extensions/ebt_inat.c
+       rm -rf $(CVSDIRS)
+       mkdir -p include/linux/netfilter_bridge
+-      install -m 0644 -o root -g root \
++      install -m 0644 \
+               $(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
+ # To keep possible compile error complaints about undefined ETH_P_8021Q
+ # off my back
+-      install -m 0644 -o root -g root \
++      install -m 0644 \
+               $(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
+-      install -m 0644 -o root -g root \
++      install -m 0644 \
+               $(KERNEL_INCLUDES)/linux/types.h include/linux/
+-      install -m 0644 -o root -g root \
++      install -m 0644 \
+               $(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
+               include/linux/netfilter_bridge/
+-      install -m 0644 -o root -g root \
++      install -m 0644 \
+               include/ebtables.h include/linux/netfilter_bridge/
+       make clean
+       touch *

diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch b/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch
new file mode 100644 (file)
index 0000000..721deea
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch
@@ -0,0 +1,106 @@
+diff -up ebtables-v2.0.9-1/ebtables.sysv.lsb ebtables-v2.0.9-1/ebtables.sysv
+--- ebtables-v2.0.9-1/ebtables.sysv.lsb        2010-01-15 11:39:31.000000000 +0100
++++ ebtables-v2.0.9-1/ebtables.sysv    2010-01-15 12:52:24.000000000 +0100
+@@ -18,9 +18,9 @@ source /etc/sysconfig/network
+ # Check that networking is up.
+ [ ${NETWORKING} = "no" ] && exit 0
+ 
+-[ -x __EXEC_PATH__/ebtables ] || exit 1
+-[ -x __EXEC_PATH__/ebtables-save ] || exit 1
+-[ -x __EXEC_PATH__/ebtables-restore ] || exit 1
++[ -x __EXEC_PATH__/ebtables ] || exit 5
++[ -x __EXEC_PATH__/ebtables-save ] || exit 5
++[ -x __EXEC_PATH__/ebtables-restore ] || exit 5
+ 
+ RETVAL=0
+ prog="ebtables"
+@@ -39,6 +39,7 @@ config=__SYSCONFIG__/$prog-config
+ [ -f "$config" ] && . "$config"
+ 
+ start() {
++      [ "$EUID" != "0" ] && exit 4
+       echo -n $"Starting $desc ($prog): "
+       if [ "$EBTABLES_BINARY_FORMAT" = "yes" ]; then
+               for table in $(ls __SYSCONFIG__/ebtables.* 2>/dev/null | sed -e 's/.*ebtables\.//' -e '/save/d' ); do
+@@ -50,7 +51,7 @@ start() {
+ 
+       if [ $RETVAL -eq 0 ]; then
+               success "$prog startup"
+-              rm -f /var/lock/subsys/$prog
++              touch "/var/lock/subsys/$prog"
+       else
+               failure "$prog startup"
+       fi
+@@ -58,6 +59,7 @@ start() {
+ }
+ 
+ stop() {
++      [ "$EUID" != "0" ] && exit 4
+       echo -n $"Stopping $desc ($prog): "
+       for table in $(grep '^ebtable_' /proc/modules | sed -e 's/ebtable_\([^ ]*\).*/\1/'); do
+               __EXEC_PATH__/ebtables -t $table --init-table || RETVAL=1
+@@ -71,7 +73,7 @@ stop() {
+ 
+       if [ $RETVAL -eq 0 ]; then
+               success "$prog shutdown"
+-              rm -f /var/lock/subsys/$prog
++              rm -f "/var/lock/subsys/$prog"
+       else
+               failure "$prog shutdown"
+       fi
+@@ -79,11 +81,13 @@ stop() {
+ }
+ 
+ restart() {
++      [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
+       stop
+       start
+ }
+ 
+ save() {
++      [ "$EUID" != "0" ] && exit 4
+       echo -n $"Saving $desc ($prog): "
+       if [ "$EBTABLES_TEXT_FORMAT" = "yes" ]; then
+               if [ -e __SYSCONFIG__/ebtables ]; then
+@@ -116,30 +120,34 @@ save() {
+ 
+ case "$1" in
+   start)
++      [ -f "/var/lock/subsys/$prog" ] && exit 0
+       start
+       ;;
+   stop)
+       [ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
+       stop
+       ;;
+-  restart|reload)
+-      [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
++  restart|force-reload)
+       restart
+       ;;
+-  condrestart)
+-      [ -e /var/lock/subsys/$prog ] && restart
+-      RETVAL=$?
++  reload)
++      [ ! -f "/var/lock/subsys/$prog" ] && exit 7
++      restart
++      ;;
++  condrestart|try-restart)
++      [ ! -e "/var/lock/subsys/$prog" ] && exit 0
++      restart
+       ;;
+   save)
+       save
+       ;;
+   status)
++      [ -f "/var/lock/subsys/$prog" ] && RETVAL=0 || RETVAL=3
+       __EXEC_PATH__/ebtables-save
+-      RETVAL=$?
+       ;;
+   *)
+       echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
+-      RETVAL=1
++      RETVAL=2
+ esac
+ 
+ exit $RETVAL