#! /bin/sh /usr/share/dpatch/dpatch-run
|
|
## 04_drop-capabilities.dpatch by <fpeters@debian.org>
|
|
##
|
|
## All lines beginning with `## DP:' are a description of the patch.
|
|
## DP: Drop all capabilities but CAP_NET_RAW
|
|
|
|
@DPATCH@
|
|
diff -urNad wireshark-0.99.4/configure.in /tmp/dpep.4XA51P/wireshark-0.99.4/configure.in
|
|
--- wireshark-0.99.4/configure.in 2006-11-01 10:29:08.241544023 +0100
|
|
+++ /tmp/dpep.4XA51P/wireshark-0.99.4/configure.in 2006-11-01 10:29:56.756554526 +0100
|
|
@@ -869,6 +869,47 @@
|
|
fi
|
|
|
|
|
|
+dnl libcap check
|
|
+AC_MSG_CHECKING(whether to use libcap to improve security)
|
|
+
|
|
+AC_ARG_WITH(cap,
|
|
+[ --with-cap[[=DIR]] use libcap (located in directory DIR, if supplied) to improve security. [[default=yes, if available]]],
|
|
+[
|
|
+ if test $withval = no
|
|
+ then
|
|
+ want_cap=no
|
|
+ elif test $withval = yes
|
|
+ then
|
|
+ want_cap=yes
|
|
+ else
|
|
+ want_cap=yes
|
|
+ cap_dir=$withval
|
|
+ fi
|
|
+],[
|
|
+ #
|
|
+ # Use libcap if it's present, otherwise don't.
|
|
+ #
|
|
+ want_cap=ifavailable
|
|
+ cap_dir=
|
|
+])
|
|
+if test "x$want_cap" = "xno" ; then
|
|
+ AC_MSG_RESULT(no)
|
|
+ cap_message="no (disabled by explicit request)"
|
|
+else
|
|
+ AC_MSG_RESULT(yes)
|
|
+ AC_CHECK_LIB(cap, cap_init, [
|
|
+ AC_DEFINE(HAVE_LIBCAP, 1, [
|
|
+ Define if libcap is available to restrict process capabilities
|
|
+ ])
|
|
+ LIBS="$LIBS -lcap"
|
|
+ cap_message="yes"
|
|
+ ], [
|
|
+ AC_MSG_WARN([libcap check failed])
|
|
+ cap_message="no (check failed)"
|
|
+ ])
|
|
+fi
|
|
+
|
|
+
|
|
dnl Check if wireshark should be installed setuid
|
|
AC_ARG_ENABLE(setuid-install,
|
|
[ --enable-setuid-install install wireshark as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
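Review bot: `cap_dir=$withval` in the `else` branch of AC_ARG_WITH is stored but never read, so `--with-cap=DIR` does not add DIR to CPPFLAGS/LDFLAGS before AC_CHECK_LIB and the "located in directory DIR" promise in the help text is not kept; either honour it ahead of the check (`if test -n "$cap_dir"; then CPPFLAGS="$CPPFLAGS -I$cap_dir/include"; LDFLAGS="$LDFLAGS -L$cap_dir/lib"; fi`) or drop the `[=DIR]` form. Separately, an explicit `--with-cap` (want_cap=yes) whose check fails only triggers AC_MSG_WARN and the build continues with the hardening silently disabled, which is the wrong default for a security option the user asked for; the failure branch should distinguish the explicit case, `if test "x$want_cap" = "xyes"; then AC_MSG_ERROR([libcap requested with --with-cap but not found]); fi`, and keep the warning only for the `ifavailable` case. AC_MSG_RESULT(yes) is also printed before the library has been found, so "whether to use libcap" answers yes even when the summary line later says "no (check failed)".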
|
|
@@ -1480,3 +1521,4 @@
|
|
echo " Use IPv6 name resolution : $enable_ipv6"
|
|
echo " Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
|
|
echo " Use gnutls library : $tls_message"
|
|
+echo " Use cap library : $cap_message"
|
|
diff -urNad wireshark-0.99.4/gtk/main.c /tmp/dpep.4XA51P/wireshark-0.99.4/gtk/main.c
|
|
--- wireshark-0.99.4/gtk/main.c 2006-11-01 10:28:14.113375310 +0100
|
|
+++ /tmp/dpep.4XA51P/wireshark-0.99.4/gtk/main.c 2006-11-01 10:29:11.095132827 +0100
|
|
@@ -1775,6 +1775,9 @@
|
|
{
|
|
gchar *capture_msg;
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
|
|
gtk_statusbar_pop(GTK_STATUSBAR(packets_bar), packets_ctx);
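Review bot: The dropexcesscapabilities() call is placed immediately before `gtk_statusbar_pop(...)`, i.e. once the GUI is already up, so everything that precedes this point in the enclosing function (which starts outside the hunk) still runs with the full capability set. The tshark.c hunk in this patch makes the call right after capture_opts_init(), close to the start of main(); the same "as early as possible" placement is what the hardening needs here, and if gtk_init, plugin loading or preference-file parsing happen earlier in this function (not visible in the hunk) the call should move ahead of them. A one-line comment at the call site, `/* drop privileges before any further input is processed */`, would also record why the position matters so a later refactor does not push it further down.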
|
|
|
|
diff -urNad wireshark-0.99.4/tshark.c /tmp/dpep.4XA51P/wireshark-0.99.4/tshark.c
|
|
--- wireshark-0.99.4/tshark.c 2006-11-01 10:28:14.115375722 +0100
|
|
+++ /tmp/dpep.4XA51P/wireshark-0.99.4/tshark.c 2006-11-01 10:29:11.097133240 +0100
|
|
@@ -751,6 +751,10 @@
|
|
capture_opts_init(&capture_opts, NULL /* cfile */);
|
|
#endif
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+ dropexcesscapabilities();
|
|
+#endif
|
|
+
|
|
timestamp_set_type(TS_RELATIVE);
|
|
timestamp_set_precision(TS_PREC_AUTO);
|
|
|
|
diff -urNad wireshark-0.99.4/util.c /tmp/dpep.4XA51P/wireshark-0.99.4/util.c
|
|
--- wireshark-0.99.4/util.c 2006-11-01 10:28:14.116375929 +0100
|
|
+++ /tmp/dpep.4XA51P/wireshark-0.99.4/util.c 2006-11-01 10:29:11.098133446 +0100
|
|
@@ -40,6 +40,10 @@
|
|
#include <epan/address.h>
|
|
#include <epan/addr_resolv.h>
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+#include <sys/capability.h>
|
|
+#endif
|
|
+
|
|
#include "util.h"
|
|
|
|
/*
|
|
@@ -192,3 +196,46 @@
|
|
}
|
|
return "";
|
|
}
|
|
+
|
|
+
|
|
+#ifdef HAVE_LIBCAP
|
|
+void dropexcesscapabilities(void)
|
|
+{
|
|
+ cap_t cap_d;
|
|
+ cap_value_t cap_values[] = {
|
|
+ /* capabilities we need to keep */
|
|
+ CAP_NET_RAW,
|
|
+ CAP_DAC_READ_SEARCH
|
|
+ };
|
|
+ cap_flag_value_t current_cap;
|
|
+
|
|
+ cap_d = cap_get_proc();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not get capabilities\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, ¤t_cap);
|
|
+ cap_free(&cap_d);
|
|
+ if (current_cap == CAP_CLEAR) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_d = cap_init();
|
|
+ if (!cap_d) {
|
|
+ g_warning("Could not alloc cap struct\n");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ cap_clear(cap_d);
|
|
+ cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
|
|
+ cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
|
|
+
|
|
+ if (cap_set_proc(cap_d) != 0) {
|
|
+ g_warning("Could not set capabilities: %s\n", strerror(errno));
|
|
+ cap_free(&cap_d);
|
|
+ return;
|
|
+ }
|
|
+ cap_free(&cap_d);
|
|
+}
|
|
+#endif /* HAVE_LIBCAP */
|
|
diff -urNad wireshark-0.99.4/util.h /tmp/dpep.4XA51P/wireshark-0.99.4/util.h
|
|
--- wireshark-0.99.4/util.h 2006-11-01 10:28:14.116375929 +0100
|
|
+++ /tmp/dpep.4XA51P/wireshark-0.99.4/util.h 2006-11-01 10:29:11.098133446 +0100
|
|
@@ -53,6 +53,15 @@
|
|
const char *get_conn_cfilter(void);
|
|
|
|
|
|
+#ifdef HAVE_LIBCAP
|
|
+/*
|
|
+ * Limit the potential impact of undiscovered security vulnerabilities by
|
|
+ * dropping all capabilities except the sniffer capability we need to do our
|
|
+ * job.
|
|
+ */
|
|
+void dropexcesscapabilities(void);
|
|
+#endif /* HAVE_LIBCAP */
|
|
+
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif /* __cplusplus */
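Review bot: The new comment says the function drops "all capabilities except the sniffer capability", and the dpatch description says "all capabilities but CAP_NET_RAW", but the util.c implementation in this patch also keeps CAP_DAC_READ_SEARCH, which bypasses file-read and directory-search permission checks and is a considerably broader privilege to retain; the comment should name both and say why the second is needed, e.g. `* Keeps CAP_NET_RAW (packet capture) and CAP_DAC_READ_SEARCH (reading files regardless of permission bits); everything else is dropped.` — the justification for CAP_DAC_READ_SEARCH is not visible in the patch, so confirm it is actually required. The comment should also note that only the calling process is affected and that a child exec'd while euid is 0 regains a full set. Because the declaration exists only under `#ifdef HAVE_LIBCAP`, every caller (gtk/main.c and tshark.c here) has to repeat the guard; adding `#else` / `#define dropexcesscapabilities() do { } while (0)` in this header would let call sites stay unconditional.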
|