forked from osmocom/wireshark
354 lines
9.7 KiB
Plaintext
354 lines
9.7 KiB
Plaintext
#! /bin/sh /usr/share/dpatch/dpatch-run
|
|
## 04_drop-capabilities.dpatch by <fpeters@debian.org>
|
|
##
|
|
## All lines beginning with `## DP:' are a description of the patch.
|
|
## DP: Drop all capabilities but CAP_NET_RAW
|
|
|
|
@DPATCH@
|
|
diff -urNad wireshark-0.99.2~/configure.in wireshark-0.99.2/configure.in
|
|
--- wireshark-0.99.2~/configure.in 2006-07-18 21:59:41.000000000 +0200
|
|
+++ wireshark-0.99.2/configure.in 2006-07-18 21:59:46.000000000 +0200
|
|
@@ -831,6 +831,47 @@
|
|
fi
|
|
|
|
|
|
+dnl libcap check
|
|
+AC_MSG_CHECKING(whether to use libcap to improve security)
|
|
+
|
|
+AC_ARG_WITH(cap,
|
|
+[ --with-cap[[=DIR]] use libcap (located in directory DIR, if supplied) to improve security. [[default=yes, if available]]],
|
|
+[
|
|
+ if test $withval = no
|
|
+ then
|
|
+ want_cap=no
|
|
+ elif test $withval = yes
|
|
+ then
|
|
+ want_cap=yes
|
|
+ else
|
|
+ want_cap=yes
|
|
+ cap_dir=$withval
|
|
+ fi
|
|
+],[
|
|
+ #
|
|
+ # Use libcap if it's present, otherwise don't.
|
|
+ #
|
|
+ want_cap=ifavailable
|
|
+ cap_dir=
|
|
+])
|
|
+if test "x$want_cap" = "xno" ; then
|
|
+ AC_MSG_RESULT(no)
|
|
+ cap_message="no (disabled by explicit request)"
|
|
+else
|
|
+ AC_MSG_RESULT(yes)
|
|
+ AC_CHECK_LIB(cap, cap_init, [
|
|
+ AC_DEFINE(HAVE_LIBCAP, 1, [
|
|
+ Define if libcap is available to restrict process capabilities
|
|
+ ])
|
|
+ LIBS="$LIBS -lcap"
|
|
+ cap_message="yes"
|
|
+ ], [
|
|
+ AC_MSG_WARN([libcap check failed])
|
|
+ cap_message="no (check failed)"
|
|
+ ])
|
|
+fi
|
|
+
|
|
+
|
|
dnl Check if wireshark should be installed setuid
|
|
AC_ARG_ENABLE(setuid-install,
|
|
[ --enable-setuid-install install wireshark as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
|
|
@@ -1448,3 +1489,4 @@
|
|
echo " Use IPv6 name resolution : $enable_ipv6"
|
|
echo " Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
|
|
echo " Use gnutls library : $tls_message"
|
|
+echo " Use cap library : $cap_message"
|
|
diff -urNad wireshark-0.99.2~/gtk/main.c wireshark-0.99.2/gtk/main.c
|
|
--- wireshark-0.99.2~/gtk/main.c 2006-07-17 21:56:45.000000000 +0200
|
|
+++ wireshark-0.99.2/gtk/main.c 2006-07-18 21:59:46.000000000 +0200
|
|
@@ -1718,6 +1718,9 @@
|
|
{
|
|
gchar *capture_msg;
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
|
|
gtk_statusbar_pop(GTK_STATUSBAR(packets_bar), packets_ctx);
|
|
|
|
diff -urNad wireshark-0.99.2~/tshark.c wireshark-0.99.2/tshark.c
|
|
--- wireshark-0.99.2~/tshark.c 2006-07-17 22:00:06.000000000 +0200
|
|
+++ wireshark-0.99.2/tshark.c 2006-07-18 22:01:35.000000000 +0200
|
|
@@ -749,6 +749,10 @@
|
|
capture_opts_init(&capture_opts, NULL /* cfile */);
|
|
#endif
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
+
|
|
timestamp_set_type(TS_RELATIVE);
|
|
timestamp_set_precision(TS_PREC_AUTO);
|
|
|
|
diff -urNad wireshark-0.99.2~/util.c wireshark-0.99.2/util.c
|
|
--- wireshark-0.99.2~/util.c 2006-07-17 22:00:05.000000000 +0200
|
|
+++ wireshark-0.99.2/util.c 2006-07-18 21:59:46.000000000 +0200
|
|
@@ -40,6 +40,10 @@
|
|
#include <epan/address.h>
|
|
#include <epan/addr_resolv.h>
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+#include <sys/capability.h>
|
|
+#endif
|
|
+
|
|
#include "util.h"
|
|
|
|
/*
|
|
@@ -180,3 +184,46 @@
|
|
}
|
|
return "";
|
|
}
|
|
+
|
|
+
|
|
+#ifdef HAVE_LIBCAP
|
|
+void dropexcesscapabilities(void)
|
|
+{
|
|
+ cap_t cap_d;
|
|
+ cap_value_t cap_values[] = {
|
|
+ /* capabilities we need to keep */
|
|
+ CAP_NET_RAW,
|
|
+ CAP_DAC_READ_SEARCH
|
|
+ };
|
|
+ cap_flag_value_t current_cap;
|
|
+
|
|
+ cap_d = cap_get_proc();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not get capabilities\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, ¤t_cap);
|
|
+ cap_free(&cap_d);
|
|
+ if (current_cap == CAP_CLEAR) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_d = cap_init();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not alloc cap struct\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_clear(cap_d);
|
|
+ cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
|
|
+ cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
|
|
+
|
|
+ if (cap_set_proc(cap_d) != 0) {
|
|
+ g_warning("Could not set capabilities: %s\n", strerror(errno));
|
|
+ cap_free(&cap_d);
|
|
+ return;
|
|
+ }
|
|
+ cap_free(&cap_d);
|
|
+}
|
|
+#endif /* HAVE_LIBCAP */
|
|
diff -urNad wireshark-0.99.2~/util.h wireshark-0.99.2/util.h
|
|
--- wireshark-0.99.2~/util.h 2006-07-17 22:00:06.000000000 +0200
|
|
+++ wireshark-0.99.2/util.h 2006-07-18 22:01:52.000000000 +0200
|
|
@@ -53,6 +53,15 @@
|
|
const char *get_conn_cfilter(void);
|
|
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+/*
|
|
+ * Limit the potential impact of undiscovered security vulnerabilities by
|
|
+ * dropping all capabilities except the sniffer capability we need to do our
|
|
+ * job.
|
|
+ */
|
|
+void dropexcesscapabilities(void);
|
|
+#endif /* HAVE_LIBCAP */
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif /* __cplusplus */
|
|
#! /bin/sh /usr/share/dpatch/dpatch-run
|
|
## 04_drop-capabilities.dpatch by <fpeters@debian.org>
|
|
##
|
|
## All lines beginning with `## DP:' are a description of the patch.
|
|
## DP: Drop all capabilities but CAP_NET_RAW
|
|
|
|
@DPATCH@
|
|
diff -urNad --exclude=CVS --exclude=.svn ./config.h.in /tmp/dpep-work.rT2mW8/ethereal-0.10.12/config.h.in
|
|
--- ./config.h.in 2005-07-31 12:50:13.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/config.h.in 2005-07-31 12:54:13.000000000 +0200
|
|
@@ -55,6 +55,9 @@
|
|
/* Define if krb5.h defines KEYTYPE_ARCFOUR_56 */
|
|
#undef HAVE_KEYTYPE_ARCFOUR_56
|
|
|
|
+/* Define if libcap is available to restrict process capabilities */
|
|
+#undef HAVE_LIBCAP
|
|
+
|
|
/* Define to use libpcap library */
|
|
#undef HAVE_LIBPCAP
|
|
|
|
diff -urNad --exclude=CVS --exclude=.svn ./configure.in /tmp/dpep-work.rT2mW8/ethereal-0.10.12/configure.in
|
|
--- ./configure.in 2005-07-31 12:50:26.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/configure.in 2005-07-31 12:54:13.000000000 +0200
|
|
@@ -737,6 +737,47 @@
|
|
fi
|
|
|
|
|
|
+dnl libcap check
|
|
+AC_MSG_CHECKING(whether to use libcap to improve security)
|
|
+
|
|
+AC_ARG_WITH(cap,
|
|
+[ --with-cap[[=DIR]] use libcap (located in directory DIR, if supplied) to improve security. [[default=yes, if available]]],
|
|
+[
|
|
+ if test $withval = no
|
|
+ then
|
|
+ want_cap=no
|
|
+ elif test $withval = yes
|
|
+ then
|
|
+ want_cap=yes
|
|
+ else
|
|
+ want_cap=yes
|
|
+ cap_dir=$withval
|
|
+ fi
|
|
+],[
|
|
+ #
|
|
+ # Use libcap if it's present, otherwise don't.
|
|
+ #
|
|
+ want_cap=ifavailable
|
|
+ cap_dir=
|
|
+])
|
|
+if test "x$want_cap" = "xno" ; then
|
|
+ AC_MSG_RESULT(no)
|
|
+ cap_message="no (disabled by explicit request)"
|
|
+else
|
|
+ AC_MSG_RESULT(yes)
|
|
+ AC_CHECK_LIB(cap, cap_init, [
|
|
+ AC_DEFINE(HAVE_LIBCAP, 1, [
|
|
+ Define if libcap is available to restrict process capabilities
|
|
+ ])
|
|
+ LIBS="$LIBS -lcap"
|
|
+ cap_message="yes"
|
|
+ ], [
|
|
+ AC_MSG_WARN([libcap check failed])
|
|
+ cap_message="no (check failed)"
|
|
+ ])
|
|
+fi
|
|
+
|
|
+
|
|
dnl Check if wireshark should be installed setuid
|
|
AC_ARG_ENABLE(setuid-install,
|
|
[ --enable-setuid-install install ethereal as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
|
|
@@ -1322,3 +1363,4 @@
|
|
echo " Use SSL crypto library : $ssl_message"
|
|
echo " Use IPv6 name resolution : $enable_ipv6"
|
|
echo " Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
|
|
+echo " Use cap library : $cap_message"
|
|
diff -urNad --exclude=CVS --exclude=.svn ./gtk/main.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/gtk/main.c
|
|
--- ./gtk/main.c 2005-07-31 12:50:37.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/gtk/main.c 2005-07-31 12:54:13.000000000 +0200
|
|
@@ -1671,6 +1671,9 @@
|
|
runtime_info_str = g_string_new("Running ");
|
|
get_runtime_version_info(runtime_info_str);
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
|
|
/*** "pre-scan" the command line parameters, if we have "console only" parameters ***/
|
|
/* (e.g. don't start GTK+, if we only have to show the command line help) */
|
|
diff -urNad --exclude=CVS --exclude=.svn ./tethereal.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/tethereal.c
|
|
--- ./tethereal.c 2005-07-31 12:49:37.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/tethereal.c 2005-07-31 12:54:13.000000000 +0200
|
|
@@ -663,6 +663,10 @@
|
|
capture_opts_init(&capture_opts, NULL /* cfile */);
|
|
#endif
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
+
|
|
set_timestamp_setting(TS_RELATIVE);
|
|
|
|
/* Register all dissectors; we must do this before checking for the
|
|
diff -urNad --exclude=CVS --exclude=.svn ./util.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.c
|
|
--- ./util.c 2005-07-31 12:49:42.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.c 2005-07-31 12:56:35.000000000 +0200
|
|
@@ -69,6 +69,10 @@
|
|
#include <windows.h>
|
|
#endif
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+#include <sys/capability.h>
|
|
+#endif
|
|
+
|
|
#include "util.h"
|
|
|
|
/*
|
|
@@ -311,3 +315,46 @@
|
|
}
|
|
return "";
|
|
}
|
|
+
|
|
+
|
|
+#ifdef HAVE_LIBCAP
|
|
+void dropexcesscapabilities(void)
|
|
+{
|
|
+ cap_t cap_d;
|
|
+ cap_value_t cap_values[] = {
|
|
+ /* capabilities we need to keep */
|
|
+ CAP_NET_RAW,
|
|
+ CAP_DAC_READ_SEARCH
|
|
+ };
|
|
+ cap_flag_value_t current_cap;
|
|
+
|
|
+ cap_d = cap_get_proc();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not get capabilities\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, ¤t_cap);
|
|
+ cap_free(&cap_d);
|
|
+ if (current_cap == CAP_CLEAR) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_d = cap_init();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not alloc cap struct\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_clear(cap_d);
|
|
+ cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
|
|
+ cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
|
|
+
|
|
+ if (cap_set_proc(cap_d) != 0) {
|
|
+ g_warning("Could not set capabilities: %s\n", strerror(errno));
|
|
+ cap_free(&cap_d);
|
|
+ return;
|
|
+ }
|
|
+ cap_free(&cap_d);
|
|
+}
|
|
+#endif /* HAVE_LIBCAP */
|
|
diff -urNad --exclude=CVS --exclude=.svn ./util.h /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.h
|
|
--- ./util.h 2005-07-31 12:49:42.000000000 +0200
|
|
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.h 2005-07-31 12:54:13.000000000 +0200
|
|
@@ -43,6 +43,15 @@
|
|
/* Create a capture filter for the connection */
|
|
char *get_conn_cfilter(void);
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+/*
|
|
+ * Limit the potential impact of undiscovered security vulnerabilities by
|
|
+ * dropping all capabilities except the sniffer capability we need to do our
|
|
+ * job.
|
|
+ */
|
|
+void dropexcesscapabilities(void);
|
|
+#endif /* HAVE_LIBCAP */
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif /* __cplusplus */
|