[src/trunk]: src Add blocklist support to libwrap which enables all programs ...
details: https://anonhg.NetBSD.org/src/rev/1995239f71cb
branches: trunk
changeset: 953379:1995239f71cb
user: christos <christos%NetBSD.org@localhost>
date: Sun Mar 07 15:09:12 2021 +0000
description:
Add blocklist support to libwrap which enables all programs using libwrap
to block access from hosts we deny. (libwrap support from Greg A. Woods)
diffstat:
lib/Makefile | 6 ++++--
lib/libwrap/Makefile | 5 ++++-
lib/libwrap/hosts_access.c | 38 +++++++++++++++++++++++++++++++++-----
tests/fs/nfs/nfsservice/Makefile | 6 +++---
usr.sbin/inetd/Makefile | 6 +++---
usr.sbin/lpr/lpd/Makefile | 6 +++---
usr.sbin/syslogd/Makefile | 6 +++---
usr.sbin/tcpdchk/Makefile | 6 +++---
usr.sbin/tcpdmatch/Makefile | 6 +++---
usr.sbin/ypserv/ypserv/Makefile | 6 +++---
usr.sbin/ypserv/ypserv/ypserv.c | 6 +++---
11 files changed, 65 insertions(+), 32 deletions(-)
diffs (290 lines):
diff -r 8f04fceec467 -r 1995239f71cb lib/Makefile
--- a/lib/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/lib/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.286 2020/10/29 20:11:17 nia Exp $
+# $NetBSD: Makefile,v 1.287 2021/03/07 15:09:12 christos Exp $
# from: @(#)Makefile 5.25.1.1 (Berkeley) 5/7/91
.include <bsd.own.mk>
@@ -27,7 +27,7 @@
libossaudio libpci libposix libprop libpthread \
libpuffs libresolv librmt librpcsvc librt \
libtelnet libterminfo \
- libusbhid libutil libwrap liby libz
+ libusbhid libutil liby libz
.if !defined(BSD_MK_COMPAT_FILE)
SUBDIR+= libkern
@@ -178,6 +178,8 @@
#==================== 2nd library dependency barrier ====================
SUBDIR+= .WAIT
+SUBDIR+= libwrap
+
.if (${MKGCC} != "no" && ${MKCXX} != "no" && ${MKLIBSTDCXX} != "no")
.for sanitizer in asan lsan ubsan
.if exists(../external/gpl3/${EXTERNAL_GCC_SUBDIR}/lib/lib${sanitizer})
diff -r 8f04fceec467 -r 1995239f71cb lib/libwrap/Makefile
--- a/lib/libwrap/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/lib/libwrap/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.11 2019/01/11 20:37:30 christos Exp $
+# $NetBSD: Makefile,v 1.12 2021/03/07 15:09:12 christos Exp $
USE_FORT?= yes # network server
@@ -14,6 +14,9 @@
MLINKS+=hosts_access.3 request_init.3
MLINKS+=hosts_access.3 request_set.3
+#LDADD+=-lblocklist
+PADD+=${LIBBLOCKLIST}
+
INCS= tcpd.h
INCSDIR=/usr/include
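Review bot: `PADD+=${LIBBLOCKLIST}` on the added line looks like a typo for `DPADD+=${LIBBLOCKLIST}`, the variable every other Makefile in this commit uses; as written the dependency on libblocklist is probably not tracked by the build. With `#LDADD+=-lblocklist` left commented out, the shared libwrap presumably records no link dependency on libblocklist either, which would explain why each consumer Makefile here adds `-lblocklist` by hand. If that is intentional, a one-line comment such as `# consumers must link -lblocklist explicitly` would save out-of-tree users of `-lwrap` from unexplained unresolved blocklist symbols.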
diff -r 8f04fceec467 -r 1995239f71cb lib/libwrap/hosts_access.c
--- a/lib/libwrap/hosts_access.c Sun Mar 07 15:03:32 2021 +0000
+++ b/lib/libwrap/hosts_access.c Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $ */
+/* $NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $ */
/*
* This module implements a simple access control language that is based on
@@ -24,7 +24,7 @@
#if 0
static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
#else
-__RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $");
+__RCSID("$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $");
#endif
#endif
@@ -37,6 +37,7 @@
#endif
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <blocklist.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
@@ -103,6 +104,24 @@
#define BUFLEN 2048
+static void
+pfilter_notify(struct request_info *request, int b)
+{
+ static struct blocklist *blstate;
+
+ if (blstate == NULL) {
+ blstate = blocklist_open();
+ }
+ if (request->client->sin != NULL) {
+ blocklist_sa_r(blstate, b, request->fd != -1 ? request->fd : 3,
+ request->client->sin, request->client->sin->sa_len,
+ request->daemon ? request->daemon : getprogname());
+ } else {
+ blocklist_r(blstate, b, (request->fd != -1) ? request->fd : 3,
+ request->daemon ? request->daemon : getprogname());
+ }
+}
+
/* hosts_access - host access control facility */
int
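Review bot: The result of `blocklist_open()` is never checked in `pfilter_notify`, so a failed open passes a NULL `blstate` into `blocklist_sa_r()`/`blocklist_r()`; unless those tolerate NULL (not visible here), an access-control check could crash the daemon, so I would bail out early with `if (blstate == NULL && (blstate = blocklist_open()) == NULL) return;`. The `request->fd != -1 ? request->fd : 3` fallback also needs a comment or a named constant: descriptor 3 is only a guess at the client socket, and any caller that does not pass `RQ_FILE` (only ypserv.c is changed to do so in this commit) would report whatever happens to be open on fd 3. The lazily initialised `static` handle is not protected by a lock, which matters if a threaded program calls hosts_access(). The hunk ends at the start of hosts_access(), whose body is outside it.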
@@ -128,12 +147,21 @@
if (resident <= 0)
resident++;
verdict = setjmp(tcpd_buf);
- if (verdict != 0)
+ if (verdict != 0) {
+ if (verdict != AC_PERMIT)
+ pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
+ /* XXX pfilter_notify(0)??? */
return (verdict == AC_PERMIT);
- if (table_match(hosts_allow_table, request))
+ }
+ if (table_match(hosts_allow_table, request)) {
+ /* XXX pfilter_notify(0)??? */
return (YES);
- if (table_match(hosts_deny_table, request))
+ }
+ if (table_match(hosts_deny_table, request)) {
+ pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
return (NO);
+ }
+ /* XXX pfilter_notify(0)??? */
return (YES);
}
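Review bot: In the `setjmp` return path, `if (verdict != AC_PERMIT)` reports every non-permit verdict as `BLOCKLIST_AUTH_FAIL`, which as far as I can tell from tcpd.h includes `AC_ERROR` raised on rule or option processing errors, so a server-side configuration mistake could get legitimate clients blocked at the packet filter. I would narrow it to `if (verdict == AC_DENY) pfilter_notify(request, BLOCKLIST_AUTH_FAIL);`. For datagram services the denied source address is not authenticated, so the `hosts_deny_table` notification can block an address the real sender does not own; that limitation should be documented in hosts_access(3). The three `/* XXX pfilter_notify(0)??? */` markers should be resolved, or replaced by a comment stating that permits are deliberately not reported. hosts_access() begins before this hunk.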
diff -r 8f04fceec467 -r 1995239f71cb tests/fs/nfs/nfsservice/Makefile
--- a/tests/fs/nfs/nfsservice/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/tests/fs/nfs/nfsservice/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.15 2020/03/01 18:08:14 christos Exp $
+# $NetBSD: Makefile,v 1.16 2021/03/07 15:09:12 christos Exp $
#
NOMAN= 1
@@ -45,8 +45,8 @@
# CPPFLAGS+= -DRPCBIND_DEBUG
# CPPFLAGS+= -DSVC_RUN_DEBUG
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
SANITIZER_RENAME_SYMBOL+= __getmntinfo13
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/inetd/Makefile
--- a/usr.sbin/inetd/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/inetd/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,5 +1,5 @@
# from: @(#)Makefile 8.1 (Berkeley) 6/6/93
-# $NetBSD: Makefile,v 1.23 2009/10/22 22:50:35 tsarna Exp $
+# $NetBSD: Makefile,v 1.24 2021/03/07 15:09:12 christos Exp $
.include <bsd.own.mk>
@@ -13,8 +13,8 @@
CPPFLAGS+=-DLIBWRAP
# Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
#CPPFLAGS+=-DLIBWRAP_INTERNAL
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
.if (${USE_INET6} != "no")
CPPFLAGS+=-DINET6
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/lpr/lpd/Makefile
--- a/usr.sbin/lpr/lpd/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/lpr/lpd/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.18 2005/01/10 02:58:59 lukem Exp $
+# $NetBSD: Makefile,v 1.19 2021/03/07 15:09:12 christos Exp $
# @(#)Makefile 8.1 (Berkeley) 6/6/93
.include <bsd.own.mk>
@@ -8,8 +8,8 @@
SRCS= lpd.c printjob.c recvjob.c lpdchar.c key.c modes.c ttcompat.c rcmd.c
CPPFLAGS+=-DLIBWRAP
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
+LDADD+= -lwrap -lblocklist
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST}
.if (${USE_INET6} != "no")
CPPFLAGS.rcmd.c= -DINET6
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/syslogd/Makefile
--- a/usr.sbin/syslogd/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/syslogd/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.30 2019/10/13 07:28:22 mrg Exp $
+# $NetBSD: Makefile,v 1.31 2021/03/07 15:09:12 christos Exp $
# from: @(#)Makefile 8.1 (Berkeley) 6/6/93
.include <bsd.own.mk>
@@ -25,8 +25,8 @@
.if ${HAVE_OPENSSL} < 11
CPPFLAGS+=-DOPENSSL_API_COMPAT=0x10100000L
.endif
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
+LDADD+= -lwrap -lblocklist
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST}
LDADD+= -lssl -lcrypto
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/tcpdchk/Makefile
--- a/usr.sbin/tcpdchk/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/tcpdchk/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.13 2009/04/22 15:23:08 lukem Exp $
+# $NetBSD: Makefile,v 1.14 2021/03/07 15:09:12 christos Exp $
WARNS?= 1 # XXX: many issues in lib/libwrap to address first
@@ -7,8 +7,8 @@
PROG= tcpdchk
SRCS= tcpdchk.c fakelog.c inetcf.c scaffold.c percent_m.c
MAN= tcpdchk.8
-LDADD= -lwrap
-DPADD= ${LIBWRAP}
+LDADD= -lwrap -lblocklist
+DPADD= ${LIBWRAP} ${LIBBLOCKLIST}
CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/tcpdmatch/Makefile
--- a/usr.sbin/tcpdmatch/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/tcpdmatch/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.12 2009/04/22 15:23:09 lukem Exp $
+# $NetBSD: Makefile,v 1.13 2021/03/07 15:09:13 christos Exp $
#
WARNS?= 1 # XXX: many issues in lib/libwrap to address first
@@ -11,8 +11,8 @@
TCPDCHK=${NETBSDSRCDIR}/usr.sbin/tcpdchk
.PATH: ${TCPDCHK}
CPPFLAGS+= -I${TCPDCHK} -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED
-LDADD= -lwrap
-DPADD= ${LIBWRAP}
+LDADD= -lwrap -lblocklist
+DPADD= ${LIBWRAP} ${LIBBLOCKLIST}
.include "${NETBSDSRCDIR}/lib/libwrap/Makefile.cflags"
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/ypserv/ypserv/Makefile
--- a/usr.sbin/ypserv/ypserv/Makefile Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/ypserv/ypserv/Makefile Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.20 2019/10/13 07:28:22 mrg Exp $
+# $NetBSD: Makefile,v 1.21 2021/03/07 15:09:13 christos Exp $
.include <bsd.own.mk>
@@ -12,8 +12,8 @@
CPPFLAGS+=-DOPTIMIZE_DB -DLIBWRAP -I. -I${LIBCDIR}/include
YHEADER=1
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
CPPFLAGS.gethnamaddr.c= -UYP -D_LIBC
CPPFLAGS.getnetnamadr.c=-UYP -D_LIBC
diff -r 8f04fceec467 -r 1995239f71cb usr.sbin/ypserv/ypserv/ypserv.c
--- a/usr.sbin/ypserv/ypserv/ypserv.c Sun Mar 07 15:03:32 2021 +0000
+++ b/usr.sbin/ypserv/ypserv/ypserv.c Sun Mar 07 15:09:12 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $ */
+/* $NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $ */
/*
* Copyright (c) 1994 Mats O Jansson <moj%stacken.kth.se@localhost>
@@ -28,7 +28,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $");
+__RCSID("$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $");
#endif
#include <sys/types.h>
@@ -141,7 +141,7 @@
#ifdef LIBWRAP
caller = svc_getrpccaller(transp)->buf;
(void)request_init(&req, RQ_DAEMON, getprogname(), RQ_CLIENT_SIN,
- caller, NULL);
+ caller, RQ_FILE, transp->xp_fd, NULL);
sock_methods(&req);
/*