[src/trunk]: src/external/bsd/blacklist - More NetBSD like installation struc...
details: https://anonhg.NetBSD.org/src/rev/5e216623e80d
branches: trunk
changeset: 335737:5e216623e80d
user: christos <christos%NetBSD.org@localhost>
date: Thu Jan 22 17:49:41 2015 +0000
description:
- More NetBSD like installation structure and rc glue
- Don't require credential passing on platforms that don't support it.
diffstat:
external/bsd/blacklist/Makefile | 4 +-
external/bsd/blacklist/README | 8 +-
external/bsd/blacklist/bin/Makefile | 4 +-
external/bsd/blacklist/bin/internal.h | 9 +--
external/bsd/blacklist/bin/run.c | 13 ++--
external/bsd/blacklist/bin/state.c | 13 ++--
external/bsd/blacklist/etc/Makefile | 10 ++++
external/bsd/blacklist/etc/blacklistd.conf | 10 ++++
external/bsd/blacklist/etc/rc.d/Makefile | 6 ++
external/bsd/blacklist/etc/rc.d/blacklistd | 57 ++++++++++++++++++++++++
external/bsd/blacklist/lib/bl.c | 27 ++++++++--
external/bsd/blacklist/libexec/Makefile | 6 ++
external/bsd/blacklist/libexec/blacklistd-helper | 25 ++++++++++
13 files changed, 159 insertions(+), 33 deletions(-)
diffs (truncated from 374 to 300 lines):
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/Makefile
--- a/external/bsd/blacklist/Makefile Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/Makefile Thu Jan 22 17:49:41 2015 +0000
@@ -1,5 +1,5 @@
-# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
+# $NetBSD: Makefile,v 1.2 2015/01/22 17:49:41 christos Exp $
-SUBDIR = lib .WAIT include bin
+SUBDIR = lib .WAIT include bin etc libexec
.include <bsd.subdir.mk>
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/README
--- a/external/bsd/blacklist/README Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/README Thu Jan 22 17:49:41 2015 +0000
@@ -1,12 +1,12 @@
-# $NetBSD: README,v 1.4 2015/01/22 15:29:27 christos Exp $
+# $NetBSD: README,v 1.5 2015/01/22 17:49:41 christos Exp $
This package contains library that can be used by network daemons to
communicate with a packet filter via a daemon to enforce opening and
closing ports dynamically based on policy.
-The interface to the packet filter is in etc/control (this is currently
-designed for npf) and the configuration file (inspired from inetd.conf)
-is in etc/conf.
+The interface to the packet filter is in libexec/blacklistd-helper
+(this is currently designed for npf) and the configuration file
+(inspired from inetd.conf) is in etc/blacklistd.conf.
Patches to various daemons to add blacklisting capabilitiers are in the
diff directory:
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/bin/Makefile
--- a/external/bsd/blacklist/bin/Makefile Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/bin/Makefile Thu Jan 22 17:49:41 2015 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.9 2015/01/22 03:08:09 christos Exp $
+# $NetBSD: Makefile,v 1.10 2015/01/22 17:49:41 christos Exp $
-BINDIR=/usr/sbin
+BINDIR=/sbin
PROGS=blacklistd blacklistctl
MAN.blacklistd=blacklistd.8
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/bin/internal.h
--- a/external/bsd/blacklist/bin/internal.h Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/bin/internal.h Thu Jan 22 17:49:41 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: internal.h,v 1.8 2015/01/22 07:57:31 christos Exp $ */
+/* $NetBSD: internal.h,v 1.9 2015/01/22 17:49:41 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,13 +32,10 @@
#define _INTERNAL_H
#ifndef _PATH_BLCONF
-#define _PATH_BLCONF "/etc/blacklistd/conf"
+#define _PATH_BLCONF "/etc/blacklistd.conf"
#endif
#ifndef _PATH_BLCONTROL
-#define _PATH_BLCONTROL "/etc/blacklistd/control"
-#endif
-#ifndef _PATH_BLSOCKETS
-#define _PATH_BLSOCKETS "/etc/blacklistd/sockets"
+#define _PATH_BLCONTROL "/libexec/blacklist-helper"
#endif
#ifndef _PATH_BLSTATE
#define _PATH_BLSTATE "/var/db/blacklistd.db"
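Review bot: The new default on the `_PATH_BLCONTROL` line names `/libexec/blacklist-helper`, while the helper this commit installs is `libexec/blacklistd-helper` (per the diffstat and the README hunk), so any build that doesn't override the macro points blacklistd at a path that does not exist. Because the control program is what actually drives the packet filter, a wrong default most likely means failures are counted but nothing is ever blocked, i.e. the daemon fails open silently; I'd change it to `#define _PATH_BLCONTROL "/libexec/blacklistd-helper"`. The libexec Makefile is outside the truncated diff, so confirm the installed name there before committing the rename.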
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/bin/run.c
--- a/external/bsd/blacklist/bin/run.c Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/bin/run.c Thu Jan 22 17:49:41 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: run.c,v 1.10 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: run.c,v 1.11 2015/01/22 17:49:41 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: run.c,v 1.10 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: run.c,v 1.11 2015/01/22 17:49:41 christos Exp $");
#include <stdio.h>
#ifdef HAVE_UTIL_H
@@ -73,14 +73,15 @@
if (debug) {
size_t z;
+ int r;
- z = snprintf(buf, sizeof(buf), "run %s [", controlprog);
- if (z >= sizeof(buf))
+ r = snprintf(buf, sizeof(buf), "run %s [", controlprog);
+ if (r == -1 || (z = (size_t)r) >= sizeof(buf))
z = sizeof(buf);
for (i = 0; argv[i]; i++) {
- z = snprintf(buf + z, sizeof(buf) - z, "%s%s",
+ r = snprintf(buf + z, sizeof(buf) - z, "%s%s",
argv[i], argv[i + 1] ? " " : "");
- if (z >= sizeof(buf))
+ if (r == -1 || (z += (size_t)r) >= sizeof(buf))
z = sizeof(buf);
}
(*lfun)(LOG_DEBUG, "%s]", buf);
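Review bot: Once truncation sets `z = sizeof(buf)` inside the loop, every remaining argv element still goes through snprintf with a zero-length window and the line is logged without its closing `]`, so a truncated debug line cannot be told apart from an argv that simply ended there. A `break;` right after `z = sizeof(buf);` in the loop body would stop the pointless calls, and a comment such as `/* truncated: remaining arguments are dropped from the debug line */` would make the intent explicit. The enclosing function and the declaration of `buf` are outside this hunk.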
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/bin/state.c
--- a/external/bsd/blacklist/bin/state.c Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/bin/state.c Thu Jan 22 17:49:41 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: state.c,v 1.10 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: state.c,v 1.11 2015/01/22 17:49:41 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: state.c,v 1.10 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: state.c,v 1.11 2015/01/22 17:49:41 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -98,14 +98,15 @@
{
char buf[10240];
size_t z;
+ int r;
const unsigned char *p = (const void *)k;
const unsigned char *e = p + sizeof(*k);
- z = snprintf(buf, sizeof(buf), "%s: ", __func__);
- if (z >= sizeof(buf))
+ r = snprintf(buf, sizeof(buf), "%s: ", __func__);
+ if (r == -1 || (z = (size_t)r) >= sizeof(buf))
z = sizeof(buf);
while (p < e) {
- z += snprintf(buf + z, sizeof(buf) - z, "%.2x", *p++);
- if (z >= sizeof(buf))
+ r = snprintf(buf + z, sizeof(buf) - z, "%.2x", *p++);
+ if (r == -1 || (z += (size_t)r) >= sizeof(buf))
z = sizeof(buf);
}
(*lfun)(LOG_DEBUG, "%s", buf);
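Review bot: This loop is a copy of the snprintf-accumulate pattern in run.c, including the behaviour that after truncation it keeps calling snprintf with a zero-length window for each remaining byte; a `break;` after `z = sizeof(buf);` would end the loop, and since both sites now carry identical overflow handling a small shared helper (append-with-truncation into a buffer) would keep them from drifting apart. The remaining bytes of the key are silently omitted on truncation, which is worth a one-line comment for whoever reads a short dump. The function header and the declaration of `k` are outside this hunk.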
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/etc/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/etc/Makefile Thu Jan 22 17:49:41 2015 +0000
@@ -0,0 +1,10 @@
+# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $
+
+SUBDIR=rc.d
+
+FILESDIR= /etc
+FILESMODE= 644
+FILES= blacklistd.conf
+
+.include <bsd.files.mk>
+.include <bsd.subdir.mk>
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/etc/blacklistd.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/etc/blacklistd.conf Thu Jan 22 17:49:41 2015 +0000
@@ -0,0 +1,10 @@
+# Blacklist rule
+# Port type protocol owner name nfail disable
+ssh stream tcp * * 3 6h
+ssh stream tcp6 * * 3 6h
+domain stream tcp named * 3 12h
+domain dgram udp named * 3 12h
+domain stream tcp6 named * 3 12h
+domain dgram udp6 named * 3 12h
+6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
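Review bot: The shipped default config carries a developer-local rule, `6161 stream tcp6 christos * 2 10m`, on the second-to-last line; a personal test entry should not go out in `/etc/blacklistd.conf`, and a rule tied to one user's port is hard for an administrator to interpret. The trailing catch-all `* * * * * 3 60` applies a 3-failure block to every daemon that ever links libblacklist, and its `disable` value has no unit suffix unlike the `6h`/`12h`/`10m` entries above it; if the parser treats a bare number as seconds, a comment line saying so (and that the last line is a catch-all) would save guesswork. Unlike the other files added here, this one also has no `$NetBSD$` tag.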
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/etc/rc.d/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/etc/rc.d/Makefile Thu Jan 22 17:49:41 2015 +0000
@@ -0,0 +1,6 @@
+# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $
+
+SCRIPTS=blacklistd
+SCRIPTSDIR=/etc/rc.d
+
+.include <bsd.prog.mk>
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/etc/rc.d/blacklistd
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/etc/rc.d/blacklistd Thu Jan 22 17:49:41 2015 +0000
@@ -0,0 +1,57 @@
+#!/bin/sh
+#
+# $NetBSD: blacklistd,v 1.1 2015/01/22 17:49:41 christos Exp $
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: npf
+# BEFORE: SERVERS
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="blacklistd"
+rcvar=$name
+command="/sbin/${name}"
+pidfile="/var/run/${name}.pid"
+required_files="/etc/${name}.conf"
+start_precmd="${name}_precmd"
+extra_commands="reload"
+
+_sockfile="/var/run/${name}.sockets"
+_sockname="blsock"
+
+blacklistd_precmd()
+{
+ # Create default list of blacklistd sockets to watch
+ #
+ ( umask 022 ; > $_sockfile )
+
+ # Find /etc/rc.d scripts with "chrootdir" rcorder(8) keyword,
+ # and if $${app}_chrootdir is a directory, add appropriate
+ # blacklistd socket to list of sockets to watch.
+ #
+ for _lr in $(rcorder -k chrootdir /etc/rc.d/*); do
+ (
+ _l=${_lr##*/}
+ load_rc_config ${_l}
+ eval _ldir=\$${_l}_chrootdir
+ if checkyesno $_l && [ -n "$_ldir" ]; then
+ echo "${_ldir}/var/run/${_sockname}" >> $_sockfile
+ fi
+ )
+ done
+
+ # If other sockets have been provided, change run_rc_command()'s
+ # internal copy of $blacklistd_flags to force use of specific
+ # blacklistd sockets.
+ #
+ if [ -s $_sockfile ]; then
+ echo "/var/run/${_sockname}" >> $_sockfile
+ rc_flags="-P $_sockfile $rc_flags"
+ fi
+
+ return 0
+}
+
+load_rc_config $name
+run_rc_command "$1"
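Review bot: The comment above the `rcorder` loop says a socket is added when `${app}_chrootdir` "is a directory", but the code only tests `[ -n "$_ldir" ]`, so a typo or stale value in rc.conf gets written into the watch list unchecked; `if checkyesno $_l && [ -d "$_ldir" ]; then` would match the stated intent. The list is also only regenerated by `start_precmd`, yet `reload` is exposed through `extra_commands`, so a chrooted service enabled after blacklistd started is not picked up until a full restart; if the daemon re-reads its `-P` file on reload, `reload_precmd="${name}_precmd"` closes that gap, otherwise a comment stating that a restart is required would. Minor: quote `"$_sockfile"` in the redirections and tests for consistency with the rest of the script.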
diff -r f1bcaa765ccc -r 5e216623e80d external/bsd/blacklist/lib/bl.c
--- a/external/bsd/blacklist/lib/bl.c Thu Jan 22 17:06:15 2015 +0000
+++ b/external/bsd/blacklist/lib/bl.c Thu Jan 22 17:49:41 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.c,v 1.18 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: bl.c,v 1.19 2015/01/22 17:49:41 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.18 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: bl.c,v 1.19 2015/01/22 17:49:41 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -202,7 +202,7 @@
#define CRED_SC_GID sc_egid
#define CRED_MESSAGE SCM_CREDS
#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX)
-#define CRED_TYPE sockcred
+#define CRED_TYPE struct sockcred
#elif defined(SO_PASSCRED)
#define CRED_LEVEL SOL_SOCKET
#define CRED_NAME SO_PASSCRED
@@ -210,17 +210,24 @@
#define CRED_SC_GID gid
#define CRED_MESSAGE SCM_CREDENTIALS
#define CRED_SIZE sizeof(struct ucred)
-#define CRED_TYPE ucred
+#define CRED_TYPE struct ucred
#else
-#error "don't know how to setup credential passing"
+/*
+ * getpeereid() and LOCAL_PEERCRED don't help here
+ * because we are not a stream socket!
+ */
+#define CRED_SIZE 0
+#define CRED_TYPE void * __unused
#endif
+#ifdef CRED_LEVEL
if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME,
&one, (socklen_t)sizeof(one)) == -1) {
bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s "
"failed (%m)", __func__, __STRING(CRED_NAME));
goto out;
}
+#endif
return 0;
out:
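Review bot: The new `#else` branch turns peer credential passing into a no-op (`CRED_SIZE 0`, the `setsockopt` call compiled out), which means on such platforms the receiving daemon gets no kernel-supplied uid/gid for the sender, and any local process that can write to the socket can ask for an address to be blocked or unblocked. That is a security trade-off rather than a portability detail, so the comment in that branch should say so, e.g. `/* No credential passing here: the receiver cannot authenticate the sender, so permissions on the socket are the only access control. */`, and the receive path (outside this hunk) should be checked so that a missing credential is not treated as a trusted one. Whether `CRED_TYPE` defined as `void * __unused` is still used in a declaration further down I can't tell from the truncated diff.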
@@ -322,10 +329,10 @@
union {
char ctrl[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(CRED_SIZE)];