From: Schantl Stefan
Date: Mon, 5 Apr 2010 19:46:53 +0000 (+0200)
Subject: ebtables: Improve security to pass QA checks.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f95d3a12e4467838f4a7a954c22fbf1b633de45;p=ipfire-3.x.git
ebtables: Improve security to pass QA checks.
* Added patches for CFLAGS, install permissions and location.
* Add -Wall CFLAG to improve security
---
diff --git a/pkgs/core/ebtables/ebtables.nm b/pkgs/core/ebtables/ebtables.nm
index 5eb314ebb..be4c3c76f 100644
--- a/pkgs/core/ebtables/ebtables.nm
+++ b/pkgs/core/ebtables/ebtables.nm
@@ -42,7 +42,9 @@ endef
 
 PKG_TARBALL = $(THISAPP).tar.gz
 
-CFLAGS += -fno-stack-protector # XXX Why do we need this?
+CFLAGS += -Wall
+
+PARALLELISMFLAGS = # No paralellism build
 
 define QUALITY_AGENT_WHITELIST_RPATH
 /sbin/ebtables-restore \
diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch b/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch
new file mode 100644
index 000000000..1e34a9e8c
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.8-cflags.patch
@@ -0,0 +1,19 @@
+diff -up ebtables-v2.0.8-1/extensions/Makefile.BAD ebtables-v2.0.8-1/extensions/Makefile
+--- ebtables-v2.0.8-1/extensions/Makefile.BAD 2007-08-23 09:52:37.000000000 -0400
++++ ebtables-v2.0.8-1/extensions/Makefile 2007-08-23 09:52:50.000000000 -0400
+@@ -11,13 +11,13 @@ EXT_LIBSI+=$(foreach T,$(EXT_FUNC), -leb
+ EXT_LIBSI+=$(foreach T,$(EXT_TABLES), -lebtable_$(T))
+ 
+ extensions/ebt_%.so: extensions/ebt_%.o
+- $(CC) -shared -o $@ -lc $< -nostartfiles
++ $(CC) $(CFLAGS) -shared -o $@ -lc $< -nostartfiles
+ 
+ extensions/libebt_%.so: extensions/ebt_%.so
+ mv $< $@
+ 
+ extensions/ebtable_%.so: extensions/ebtable_%.o
+- $(CC) -shared -o $@ -lc $< -nostartfiles
++ $(CC) $(CFLAGS) -shared -o $@ -lc $< -nostartfiles
+ 
+ extensions/libebtable_%.so: extensions/ebtable_%.so
+ mv $< $@
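Review bot: `-Wall` only turns on compiler diagnostics and does not harden the produced binaries, so the security-relevant part of this hunk is the removed line: dropping `CFLAGS += -fno-stack-protector` presumably lets the build environment's default stack-protector flags apply again, but those defaults are set outside this hunk and cannot be confirmed here. The new line should say what it is for and what actually changed, e.g. `CFLAGS += -Wall # diagnostics only; stack protection is restored by no longer passing -fno-stack-protector`. `PARALLELISMFLAGS = # No paralellism build` is an empty assignment whose comment misspells "parallelism" and gives no reason for serialising the build; a comment naming the cause (for instance that the upstream extensions/ Makefile is not safe under -j, if that is the reason) would tell the next maintainer when the restriction can be lifted.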
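Review bot: The two rewritten link lines now pass `$(CFLAGS)` but still not `$(LDFLAGS)`, so linker-level options the build environment may set (RELRO and similar `-Wl,…` flags) do not reach the extension `.so` files even though compile-time flags now do. If the purpose of this patch is to get the build's hardening flags onto the shared objects, `$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ -lc $< -nostartfiles` on both lines closes that gap; whether the packaging layer sets LDFLAGS at all is not visible on this page. The new patch file carries no description, so a one-line header stating why `$(CFLAGS)` must be passed at link time would help whoever rebases it.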
diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch b/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch
new file mode 100644
index 000000000..d47592845
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.8-norootinst.patch
@@ -0,0 +1,63 @@
+diff -up ebtables-v2.0.8-2/Makefile.orig ebtables-v2.0.8-2/Makefile
+--- ebtables-v2.0.8-2/Makefile.orig 2007-09-21 13:27:20.000000000 -0400
++++ ebtables-v2.0.8-2/Makefile 2007-10-28 15:09:01.000000000 -0400
+@@ -154,28 +154,28 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
+ .PHONY: scripts
+ scripts: ebtables-save ebtables.sysv ebtables-config
+ cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
+- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
++ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+ cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
+- install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
++ install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables
+ cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
+- install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
++ install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config
+ rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
+ 
+ $(MANDIR)/man8/ebtables.8: ebtables.8
+ mkdir -p $(DESTDIR)$(@D)
+ sed 's/$$(VERSION)/$(PROGVERSION)/' ebtables.8 | sed 's/$$(DATE)/$(PROGDATE)/' > ebtables.8_
+- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
++ install -m 0644 ebtables.8_ $(DESTDIR)$@
+ rm -f ebtables.8_
+ 
+ $(ETHERTYPESFILE): ethertypes
+ mkdir -p $(DESTDIR)$(@D)
+- install -m 0644 -o root -g root $< $(DESTDIR)$@
++ install -m 0644 $< $(DESTDIR)$@
+ 
+ .PHONY: exec
+ exec: ebtables ebtables-restore
+ mkdir -p $(DESTDIR)$(BINDIR)
+- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
++ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
++ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+ 
+ .PHONY: install
+ install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec scripts
+@@ -199,18 +199,18 @@ release:
+ rm -f extensions/ebt_inat.c
+ rm -rf $(CVSDIRS)
+ mkdir -p include/linux/netfilter_bridge
+- install -m 0644 -o root -g root \
++ install -m 0644 \
+ $(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
+ # To keep possible compile error complaints about undefined ETH_P_8021Q
+ # off my back
+- install -m 0644 -o root -g root \
++ install -m 0644 \
+ $(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
+- install -m 0644 -o root -g root \
++ install -m 0644 \
+ $(KERNEL_INCLUDES)/linux/types.h include/linux/
+- install -m 0644 -o root -g root \
++ install -m 0644 \
+ $(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
+ include/linux/netfilter_bridge/
+- install -m 0644 -o root -g root \
++ install -m 0644 \
+ include/ebtables.h include/linux/netfilter_bridge/
+ make clean
+ touch *
diff --git a/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch b/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch
new file mode 100644
index 000000000..721deea91
--- /dev/null
+++ b/pkgs/core/ebtables/patches/ebtables-2.0.9-lsb.patch
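Review bot: The rewritten install lines for the man page and the ethertypes file (`install -m 0644 ebtables.8_ $(DESTDIR)$@` and `install -m 0644 $< $(DESTDIR)$@`) write to `$(DESTDIR)$@`, while their rule targets stay `$(MANDIR)/man8/ebtables.8` and `$(ETHERTYPESFILE)` without the DESTDIR prefix, so Make checks the build host's own paths for freshness and, on a host where those files already exist, skips the recipes and leaves the staged tree without them. Since the patch already edits these recipes, extending it so the targets name the staged path, `$(DESTDIR)$(MANDIR)/man8/ebtables.8: ebtables.8` with `install -m 0644 ebtables.8_ $@` (likewise for `$(ETHERTYPESFILE)`, and the `install:` prerequisite list updated to match), would make the rules truthful. Dropping `-o root -g root` is the right thing for a non-root DESTDIR install, but it means files in the staging tree are owned by the build user; a short header note in the patch stating that the packaging step normalises ownership would document that assumption, which is not visible on this page.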
@@ -0,0 +1,106 @@
+diff -up ebtables-v2.0.9-1/ebtables.sysv.lsb ebtables-v2.0.9-1/ebtables.sysv
+--- ebtables-v2.0.9-1/ebtables.sysv.lsb 2010-01-15 11:39:31.000000000 +0100
++++ ebtables-v2.0.9-1/ebtables.sysv 2010-01-15 12:52:24.000000000 +0100
+@@ -18,9 +18,9 @@ source /etc/sysconfig/network
+ # Check that networking is up.
+ [ ${NETWORKING} = "no" ] && exit 0
+ 
+-[ -x __EXEC_PATH__/ebtables ] || exit 1
+-[ -x __EXEC_PATH__/ebtables-save ] || exit 1
+-[ -x __EXEC_PATH__/ebtables-restore ] || exit 1
++[ -x __EXEC_PATH__/ebtables ] || exit 5
++[ -x __EXEC_PATH__/ebtables-save ] || exit 5
++[ -x __EXEC_PATH__/ebtables-restore ] || exit 5
+ 
+ RETVAL=0
+ prog="ebtables"
+@@ -39,6 +39,7 @@ config=__SYSCONFIG__/$prog-config
+ [ -f "$config" ] && . "$config"
+ 
+ start() {
++ [ "$EUID" != "0" ] && exit 4
+ echo -n $"Starting $desc ($prog): "
+ if [ "$EBTABLES_BINARY_FORMAT" = "yes" ]; then
+ for table in $(ls __SYSCONFIG__/ebtables.* 2>/dev/null | sed -e 's/.*ebtables\.//' -e '/save/d' ); do
+@@ -50,7 +51,7 @@ start() {
+ 
+ if [ $RETVAL -eq 0 ]; then
+ success "$prog startup"
+- rm -f /var/lock/subsys/$prog
++ touch "/var/lock/subsys/$prog"
+ else
+ failure "$prog startup"
+ fi
+@@ -58,6 +59,7 @@ start() {
+ }
+ 
+ stop() {
++ [ "$EUID" != "0" ] && exit 4
+ echo -n $"Stopping $desc ($prog): "
+ for table in $(grep '^ebtable_' /proc/modules | sed -e 's/ebtable_\([^ ]*\).*/\1/'); do
+ __EXEC_PATH__/ebtables -t $table --init-table || RETVAL=1
+@@ -71,7 +73,7 @@ stop() {
+ 
+ if [ $RETVAL -eq 0 ]; then
+ success "$prog shutdown"
+- rm -f /var/lock/subsys/$prog
++ rm -f "/var/lock/subsys/$prog"
+ else
+ failure "$prog shutdown"
+ fi
+@@ -79,11 +81,13 @@ stop() {
+ }
+ 
+ restart() {
++ [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
+ stop
+ start
+ }
+ 
+ save() {
++ [ "$EUID" != "0" ] && exit 4
+ echo -n $"Saving $desc ($prog): "
+ if [ "$EBTABLES_TEXT_FORMAT" = "yes" ]; then
+ if [ -e __SYSCONFIG__/ebtables ]; then
+@@ -116,30 +120,34 @@ save() {
+ 
+ case "$1" in
+ start)
++ [ -f "/var/lock/subsys/$prog" ] && exit 0
+ start
+ ;;
+ stop)
+ [ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
+ stop
+ ;;
+- restart|reload)
+- [ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
++ restart|force-reload)
+ restart
+ ;;
+- condrestart)
+- [ -e /var/lock/subsys/$prog ] && restart
+- RETVAL=$?
++ reload)
++ [ ! -f "/var/lock/subsys/$prog" ] && exit 7
++ restart
++ ;;
++ condrestart|try-restart)
++ [ ! -e "/var/lock/subsys/$prog" ] && exit 0
++ restart
+ ;;
+ save)
+ save
+ ;;
+ status)
++ [ -f "/var/lock/subsys/$prog" ] && RETVAL=0 || RETVAL=3
+ __EXEC_PATH__/ebtables-save
+- RETVAL=$?
+ ;;
+ *)
+ echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
+- RETVAL=1
++ RETVAL=2
+ esac
+ 
+ exit $RETVAL