[src/netbsd-7]: src/external/bsd/blacklist Pull up following revision(s) (req...
details: https://anonhg.NetBSD.org/src/rev/a7d608de1ac1
branches: netbsd-7
changeset: 799398:a7d608de1ac1
user: snj <snj%NetBSD.org@localhost>
date: Tue Jun 02 20:32:44 2015 +0000
description:
Pull up following revision(s) (requested by christos in ticket #815):
external/bsd/blacklist/bin/conf.c: revision 1.19, 1.20
external/bsd/blacklist/etc/blacklistd.conf: revision 1.4
external/bsd/blacklist/lib/bl.c: revisions 1.25, 1.26
external/bsd/blacklist/test/Makefile: revision 1.3
external/bsd/blacklist/test/srvtest.c: revision 1.10
Centralize and fix =/* parsing, now =/24 works again.
XXX: pullup-7
--
fix example.
--
Add ability to test using a local socket.
--
put back setting uid and gid to -1 if they are not available.
--
Merge the uid data too, so that we don't end up with multiple entries
when we don't care about the uid in the config file. In this case sshd
returns either uid=root|sshd depending on how we failed, so we used to
get two entries.
--
Make sure that we get the socket messages we expect, otherwise return NULL.
diffstat:
external/bsd/blacklist/bin/conf.c | 95 ++++++++++-------------------
external/bsd/blacklist/etc/blacklistd.conf | 4 +-
external/bsd/blacklist/lib/bl.c | 24 ++++++-
external/bsd/blacklist/test/Makefile | 3 +-
external/bsd/blacklist/test/srvtest.c | 16 ++++-
5 files changed, 75 insertions(+), 67 deletions(-)
diffs (truncated from 383 to 300 lines):
diff -r 485aca5dba38 -r a7d608de1ac1 external/bsd/blacklist/bin/conf.c
--- a/external/bsd/blacklist/bin/conf.c Tue Jun 02 20:03:37 2015 +0000
+++ b/external/bsd/blacklist/bin/conf.c Tue Jun 02 20:32:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: conf.c,v 1.18.2.2 2015/04/30 06:07:33 riz Exp $ */
+/* $NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: conf.c,v 1.18.2.2 2015/04/30 06:07:33 riz Exp $");
+__RCSID("$NetBSD: conf.c,v 1.18.2.3 2015/06/02 20:32:44 snj Exp $");
#include <stdio.h>
#include <string.h>
@@ -83,20 +83,38 @@
}
static int
-getnum(const char *f, size_t l, void *r, const char *p)
+getnum(const char *f, size_t l, bool local, void *rp, const char *name,
+ const char *p)
{
int e;
intmax_t im;
+ int *r = rp;
+
+ if (strcmp(p, "*") == 0) {
+ *r = -1;
+ return 0;
+ }
+ if (strcmp(p, "=") == 0) {
+ if (local)
+ goto out;
+ *r = -2;
+ return 0;
+ }
im = strtoi(p, NULL, 0, 0, INT_MAX, &e);
if (e == 0) {
- *(int *)r = (int)im;
+ *r = (int)im;
return 0;
}
if (f == NULL)
return -1;
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad number [%s]", __func__, f, l, p);
+ (*lfun)(LOG_ERR, "%s: %s, %zu: Bad number for %s [%s]", __func__, f, l,
+ name, p);
+ return -1;
+out:
+ (*lfun)(LOG_ERR, "%s: %s, %zu: `=' for %s not allowed in local config",
+ __func__, f, l, name);
return -1;
}
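Review bot: The `goto out` taken for `=` in a local config skips the `f == NULL` guard that the bad-number path still honours, so a caller that passes `f == NULL` to get a silent failure (the idiom the removed helpers used) would reach the `out:` log call with `%s` on a NULL filename. Every caller visible in this diff now passes a real name, so the guard is either dead or a trap; either drop it or hoist it above both log sites, e.g. `if (local) { if (f == NULL) return -1; goto out; }`. The function also now owns the in-band sentinels, which deserve a comment at the top of the body: `/* -1: "*" (match any), -2: "=" (inherit from matching local entry); strtoi's lower bound of 0 keeps user-supplied numbers from colliding with them */`.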
@@ -104,25 +122,7 @@
static int
getnfail(const char *f, size_t l, bool local, struct conf *c, const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_nfail = -1;
- return 0;
- }
- if (strcmp(p, "=") == 0) {
- if (local)
- goto out;
- c->c_nfail = -2;
- return 0;
- }
- if (getnum(NULL, 0, &c->c_nfail, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad nfail [%s]", __func__, f, l, p);
- return -1;
-out:
- (*lfun)(LOG_ERR, "%s: %s, %zu: `=' nfail not allowed in local config",
- __func__, f, l);
- return -1;
+ return getnum(f, l, local, &c->c_nfail, "nfail", p);
}
static int
@@ -186,7 +186,7 @@
}
static int
-getport(const char *f, size_t l, void *r, const char *p)
+getport(const char *f, size_t l, bool local, void *r, const char *p)
{
struct servent *sv;
@@ -200,11 +200,7 @@
return 0;
}
- if (getnum(NULL, 0, r, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad service [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, r, "service", p);
}
static int
@@ -317,7 +313,7 @@
if (strcmp(pstr, "*") == 0)
c->c_port = -1;
- else if (getport(f, l, &c->c_port, pstr) == -1)
+ else if (getport(f, l, local, &c->c_port, pstr) == -1)
return -1;
if (port && c->c_port != -1)
@@ -336,10 +332,6 @@
getproto(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_proto = -1;
- return 0;
- }
if (strcmp(p, "stream") == 0) {
c->c_proto = IPPROTO_TCP;
return 0;
@@ -348,31 +340,18 @@
c->c_proto = IPPROTO_UDP;
return 0;
}
- if (getnum(NULL, 0, &c->c_proto, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad protocol [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_proto, "protocol", p);
}
static int
getfamily(const char *f, size_t l, bool local __unused, struct conf *c,
const char *p)
{
- if (strcmp(p, "*") == 0) {
- c->c_family = -1;
- return 0;
- }
-
if (strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0) {
c->c_family = p[3] == '6' ? AF_INET6 : AF_INET;
return 0;
}
- if (getnum(NULL, 0, &c->c_family, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad family [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_family, "family", p);
}
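Review bot: With the `*` case moved into getnum, the remaining `strncmp(p, "tcp", 3) == 0 || strncmp(p, "udp", 3) == 0` test still accepts any token that merely starts with those three letters, so a typo such as `tcp5` or `udpx` is silently parsed as AF_INET instead of being rejected as a bad family. Since the only valid spellings are `tcp`, `tcp6`, `udp` and `udp6`, an exact match is safer: `if (strcmp(p, "tcp") == 0 || strcmp(p, "udp") == 0) c->c_family = AF_INET; else if (strcmp(p, "tcp6") == 0 || strcmp(p, "udp6") == 0) c->c_family = AF_INET6;` and fall through to getnum otherwise. This line is unchanged by the commit but is now the only family-specific check left in the function.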
static int
@@ -381,21 +360,12 @@
{
struct passwd *pw;
- if (strcmp(p, "*") == 0) {
- c->c_uid = -1;
- return 0;
- }
-
if ((pw = getpwnam(p)) != NULL) {
c->c_uid = (int)pw->pw_uid;
return 0;
}
- if (getnum(NULL, 0, &c->c_uid, p) == 0)
- return 0;
-
- (*lfun)(LOG_ERR, "%s: %s, %zu: Bad user [%s]", __func__, f, l, p);
- return -1;
+ return getnum(f, l, local, &c->c_uid, "user", p);
}
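Review bot: getpwnam() is now consulted before getnum() sees the literal `*` and `=` tokens, whereas the removed code checked the wildcard first; a passwd entry whose name happens to be `*` or `=` would therefore shadow the wildcard, and every parse of those tokens now performs a name-service lookup. Keeping the order of the old code is a one-line change: `if (strcmp(p, "*") == 0 || strcmp(p, "=") == 0) return getnum(f, l, local, &c->c_uid, "user", p);` ahead of the getpwnam() call. The `(int)pw->pw_uid` narrowing is pre-existing and only matters for uids above INT_MAX.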
@@ -720,7 +690,7 @@
return 0;
#define CMP(a, b, f) \
- if ((a)->f != (b)->f && (b)->f != -1) { \
+ if ((a)->f != (b)->f && (b)->f != -1 && (b)->f != -2) { \
if (debug > 1) \
(*lfun)(LOG_DEBUG, "%s: %s fail %d != %d", __func__, \
__STRING(f), (a)->f, (b)->f); \
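Review bot: The macro now treats two different negative values of `(b)->f` as "do not compare", and nothing near it says what they mean, so a reader has to find getnum() to learn that -1 is `*` and -2 is `=`. A comment above the `#define` would pin that down: `/* (b) fields of -1 ("*") match anything; -2 ("=") is an inherit marker from a remote entry and is resolved at merge time, so it must not participate in matching either */`. The enclosing function starts outside this hunk.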
@@ -882,6 +852,7 @@
conf_print(buf, sizeof(buf), "to:\t", "", c));
}
memcpy(c->c_name, sc->c_name, CONFNAMESZ);
+ c->c_uid = sc->c_uid;
c->c_rmask = sc->c_rmask;
c->c_nfail = sc->c_nfail;
c->c_duration = sc->c_duration;
@@ -908,6 +879,8 @@
if (sc->c_name[0])
memcpy(c->c_name, sc->c_name, CONFNAMESZ);
+ if (sc->c_uid != -2)
+ c->c_uid = sc->c_uid;
if (sc->c_rmask != -2)
c->c_lmask = c->c_rmask = sc->c_rmask;
if (sc->c_nfail != -2)
diff -r 485aca5dba38 -r a7d608de1ac1 external/bsd/blacklist/etc/blacklistd.conf
--- a/external/bsd/blacklist/etc/blacklistd.conf Tue Jun 02 20:03:37 2015 +0000
+++ b/external/bsd/blacklist/etc/blacklistd.conf Tue Jun 02 20:32:44 2015 +0000
@@ -13,6 +13,8 @@
* * * * * 3 60
# adr/mask:port type proto owner name nfail disable
+[remote]
bge0 stream tcp * =/24 = =
129.168.0.0/16 * * * = * *
-default stream tcp * = = =
+6161 = = = =/24 = =
+* stream tcp * = = =
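Review bot: The example line `129.168.0.0/16 * * * = * *`, which now sits inside the new `[remote]` section, uses a prefix that is not an RFC 1918 private range and looks like a transposition of `192.168.0.0/16`; an operator who copies the example as-is would apply the inherit rule to an unrelated public network rather than their LAN. Suggest `192.168.0.0/16 * * * = * *`. The commit message's "fix example" may refer to a part of the file not shown in this hunk.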
diff -r 485aca5dba38 -r a7d608de1ac1 external/bsd/blacklist/lib/bl.c
--- a/external/bsd/blacklist/lib/bl.c Tue Jun 02 20:03:37 2015 +0000
+++ b/external/bsd/blacklist/lib/bl.c Tue Jun 02 20:32:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.c,v 1.24.2.2 2015/04/30 06:07:34 riz Exp $ */
+/* $NetBSD: bl.c,v 1.24.2.3 2015/06/02 20:32:44 snj Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: bl.c,v 1.24.2.2 2015/04/30 06:07:34 riz Exp $");
+__RCSID("$NetBSD: bl.c,v 1.24.2.3 2015/06/02 20:32:44 snj Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -199,6 +199,7 @@
}
b->b_connected = 0;
+#define GOT_FD 1
#if defined(LOCAL_CREDS)
#define CRED_LEVEL 0
#define CRED_NAME LOCAL_CREDS
@@ -207,6 +208,7 @@
#define CRED_MESSAGE SCM_CREDS
#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX)
#define CRED_TYPE struct sockcred
+#define GOT_CRED 2
#elif defined(SO_PASSCRED)
#define CRED_LEVEL SOL_SOCKET
#define CRED_NAME SO_PASSCRED
@@ -215,7 +217,9 @@
#define CRED_MESSAGE SCM_CREDENTIALS
#define CRED_SIZE sizeof(struct ucred)
#define CRED_TYPE struct ucred
+#define GOT_CRED 2
#else
+#define GOT_CRED 0
/*
* getpeereid() and LOCAL_PEERCRED don't help here
* because we are not a stream socket!
@@ -395,9 +399,13 @@
bl_message_t bl;
char buf[512];
} ub;
+ int got;
ssize_t rlen;
bl_info_t *bi = &b->b_info;
+ got = 0;
+ memset(bi, 0, sizeof(*bi));
+
iov.iov_base = ub.buf;
iov.iov_len = sizeof(ub);
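Review bot: The `memset(bi, 0, sizeof(*bi))` leaves `bi_uid` and `bi_gid` equal to 0, i.e. root, until a CRED_MESSAGE is received, so any path that hands `bi` back without credentials would attribute the report to uid 0 — the one value that should never be a default in a daemon that acts on peer identity. The commit message says the -1 defaults are put back, presumably in the truncated hunk below, but it is safer to make the fail-closed value explicit right here: `bi->bi_uid = (uid_t)-1; bi->bi_gid = (gid_t)-1; bi->bi_fd = -1;` immediately after the memset, so no later restructuring can reintroduce a root default. The enclosing function starts outside this hunk.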
@@ -433,12 +441,14 @@
continue;
}
memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd));
+ got |= GOT_FD;
break;
#ifdef CRED_MESSAGE
case CRED_MESSAGE:
sc = (void *)CMSG_DATA(cmsg);
bi->bi_uid = sc->CRED_SC_UID;
bi->bi_gid = sc->CRED_SC_GID;
+ got |= GOT_CRED;
break;
#endif
default:
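Review bot: The CRED_MESSAGE arm dereferences `sc->CRED_SC_UID` and `sc->CRED_SC_GID` straight from `CMSG_DATA(cmsg)` without checking that the control message is large enough to hold a `CRED_TYPE`, whereas the SCM_RIGHTS arm appears to `continue` on a size mismatch just above the memcpy (the check itself is outside the visible lines). A malformed or truncated cmsg from the peer would then be read past its payload; add `if (cmsg->cmsg_len < CMSG_LEN(sizeof(CRED_TYPE))) continue;` before the cast. Note that on the `#else` platform `GOT_CRED` is 0, so `got` can never record credentials there — worth a comment on that define so the final `got` check is not mistaken for a guarantee.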
@@ -450,6 +460,16 @@