author | Jaap Keuter <jaap.keuter@xs4all.nl> | 2008-05-31 16:44:02 +0000 |
---|---|---|
committer | Jaap Keuter <jaap.keuter@xs4all.nl> | 2008-05-31 16:44:02 +0000 |
commit | 9323e90cc525f8acd2b35254f5e90bce9dd96b83 (patch) | |
tree | ca7b9be16043104bf492eddd25561e444597784b /debian/patches/04_drop-capabilities.dpatch | |
parent | fa2b419e608f752c5051f62d84ec7e5cdffb1436 (diff) | |
download | wireshark-9323e90cc525f8acd2b35254f5e90bce9dd96b83.tar.gz |
Update Debian packaging files for Wireshark 1.0.
These files build the package with all features and
minimum changes from the released sources.
svn path=/trunk/; revision=25406
Diffstat (limited to 'debian/patches/04_drop-capabilities.dpatch')
-rw-r--r-- | debian/patches/04_drop-capabilities.dpatch | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/debian/patches/04_drop-capabilities.dpatch b/debian/patches/04_drop-capabilities.dpatch
deleted file mode 100644
index b11f6fea9e..0000000000
--- a/debian/patches/04_drop-capabilities.dpatch
+++ /dev/null
@@ -1,170 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 04_drop-capabilities.dpatch by <fpeters@debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Drop all capabilities but CAP_NET_RAW
-
-@DPATCH@
-diff -urNad wireshark-0.99.4/configure.in /tmp/dpep.4XA51P/wireshark-0.99.4/configure.in
---- wireshark-0.99.4/configure.in 2006-11-01 10:29:08.241544023 +0100
-+++ /tmp/dpep.4XA51P/wireshark-0.99.4/configure.in 2006-11-01 10:29:56.756554526 +0100
-@@ -869,6 +869,47 @@
- fi
-
-
-+dnl libcap check
-+AC_MSG_CHECKING(whether to use libcap to improve security)
-+
-+AC_ARG_WITH(cap,
-+[ --with-cap[[=DIR]] use libcap (located in directory DIR, if supplied) to improve security. [[default=yes, if available]]],
-+[
-+ if test $withval = no
-+ then
-+ want_cap=no
-+ elif test $withval = yes
-+ then
-+ want_cap=yes
-+ else
-+ want_cap=yes
-+ cap_dir=$withval
-+ fi
-+],[
-+ #
-+ # Use libcap if it's present, otherwise don't.
-+ #
-+ want_cap=ifavailable
-+ cap_dir=
-+])
-+if test "x$want_cap" = "xno" ; then
-+ AC_MSG_RESULT(no)
-+ cap_message="no (disabled by explicit request)"
-+else
-+ AC_MSG_RESULT(yes)
-+ AC_CHECK_LIB(cap, cap_init, [
-+ AC_DEFINE(HAVE_LIBCAP, 1, [
-+ Define if libcap is available to restrict process capabilities
-+ ])
-+ LIBS="$LIBS -lcap"
-+ cap_message="yes"
-+ ], [
-+ AC_MSG_WARN([libcap check failed])
-+ cap_message="no (check failed)"
-+ ])
-+fi
-+
-+
- dnl Check if wireshark should be installed setuid
- AC_ARG_ENABLE(setuid-install,
- [ --enable-setuid-install install wireshark as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
-@@ -1480,3 +1521,4 @@
- echo " Use IPv6 name resolution : $enable_ipv6"
- echo " Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
- echo " Use gnutls library : $tls_message"
-+echo " Use cap library : $cap_message"
-diff -urNad wireshark-0.99.4/gtk/main.c /tmp/dpep.4XA51P/wireshark-0.99.4/gtk/main.c
---- wireshark-0.99.4/gtk/main.c 2006-11-01 10:28:14.113375310 +0100
-+++ /tmp/dpep.4XA51P/wireshark-0.99.4/gtk/main.c 2006-11-01 10:29:11.095132827 +0100
-@@ -1775,6 +1775,9 @@
- {
- gchar *capture_msg;
-
-+#ifdef HAVE_LIBCAP
-+ dropexcesscapabilities();
-+#endif
-
- gtk_statusbar_pop(GTK_STATUSBAR(packets_bar), packets_ctx);
-
-diff -urNad wireshark-0.99.4/tshark.c /tmp/dpep.4XA51P/wireshark-0.99.4/tshark.c
---- wireshark-0.99.4/tshark.c 2006-11-01 10:28:14.115375722 +0100
-+++ /tmp/dpep.4XA51P/wireshark-0.99.4/tshark.c 2006-11-01 10:29:11.097133240 +0100
-@@ -751,6 +751,10 @@
- capture_opts_init(&capture_opts, NULL /* cfile */);
- #endif
-
-+#ifdef HAVE_LIBCAP
-+ dropexcesscapabilities();
-+#endif
-+
- timestamp_set_type(TS_RELATIVE);
- timestamp_set_precision(TS_PREC_AUTO);
-
-diff -urNad wireshark-0.99.4/util.c /tmp/dpep.4XA51P/wireshark-0.99.4/util.c
---- wireshark-0.99.4/util.c 2006-11-01 10:28:14.116375929 +0100
-+++ /tmp/dpep.4XA51P/wireshark-0.99.4/util.c 2006-11-01 10:29:11.098133446 +0100
-@@ -40,6 +40,10 @@
- #include <epan/address.h>
- #include <epan/addr_resolv.h>
-
-+#ifdef HAVE_LIBCAP
-+#include <sys/capability.h>
-+#endif
-+
- #include "util.h"
-
- /*
-@@ -192,3 +196,46 @@
- }
- return "";
- }
-+
-+
-+#ifdef HAVE_LIBCAP
-+void dropexcesscapabilities(void)
-+{
-+ cap_t cap_d;
-+ cap_value_t cap_values[] = {
-+ /* capabilities we need to keep */
-+ CAP_NET_RAW,
-+ CAP_DAC_READ_SEARCH
-+ };
-+ cap_flag_value_t current_cap;
-+
-+ cap_d = cap_get_proc();
-+ if (!cap_d) {
-+ g_warning("Could not get capabilities\n");
-+ return;
-+ }
-+
-+ cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, ¤t_cap);
-+ cap_free(&cap_d);
-+ if (current_cap == CAP_CLEAR) {
-+ return;
-+ }
-+
-+ cap_d = cap_init();
-+ if (!cap_d) {
-+ g_warning("Could not alloc cap struct\n");
-+ return;
-+ }
-+
-+ cap_clear(cap_d);
-+ cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
-+ cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
-+
-+ if (cap_set_proc(cap_d) != 0) {
-+ g_warning("Could not set capabilities: %s\n", strerror(errno));
-+ cap_free(&cap_d);
-+ return;
-+ }
-+ cap_free(&cap_d);
-+}
-+#endif /* HAVE_LIBCAP */
-diff -urNad wireshark-0.99.4/util.h /tmp/dpep.4XA51P/wireshark-0.99.4/util.h
---- wireshark-0.99.4/util.h 2006-11-01 10:28:14.116375929 +0100
-+++ /tmp/dpep.4XA51P/wireshark-0.99.4/util.h 2006-11-01 10:29:11.098133446 +0100
-@@ -53,6 +53,15 @@
- const char *get_conn_cfilter(void);
-
-
-+#ifdef HAVE_LIBCAP
-+/*
-+ * Limit the potential impact of undiscovered security vulnerabilities by
-+ * dropping all capabilities except the sniffer capability we need to do our
-+ * job.
-+ */
-+void dropexcesscapabilities(void);
-+#endif /* HAVE_LIBCAP */
-+
- #ifdef __cplusplus
- }
- #endif /* __cplusplus */ |