From patchwork Thu Mar 11 23:25:25 2021
X-Patchwork-Id: 1451601
From: Stijn Tintel
To: openwrt-devel@lists.openwrt.org
Cc: John Crispin, Paul Wassi, Petr Štetiar
Subject: [PATCH 1/4] libcap: import from packages feed
Date: Fri, 12 Mar 2021 01:25:25 +0200
Message-Id: <20210311232528.338648-2-stijn@linux-ipv6.be>
In-Reply-To: <20210311232528.338648-1-stijn@linux-ipv6.be>
References: <20210311232528.338648-1-stijn@linux-ipv6.be>

Having libcap in OpenWrt base allows us to enable libcap support in other packages in base. In lldpd, this would allow the monitor process to drop its privileges instead of running as root, improving security. It will also allow us to drop our patch to disable libcap.

Signed-off-by: Stijn Tintel
--- package/libs/libcap/Makefile | 116 ++++++++++++++++++ .../libcap/patches/300-disable-tests.patch | 10 ++ 2 files changed, 126 insertions(+) create mode 100644 package/libs/libcap/Makefile create mode 100644 package/libs/libcap/patches/300-disable-tests.patch diff --git a/package/libs/libcap/Makefile b/package/libs/libcap/Makefile new file mode 100644 index 0000000000..0206bd9d1d --- /dev/null +++ b/package/libs/libcap/Makefile
@@ -0,0 +1,116 @@ +# +# Copyright (C) 2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libcap +PKG_VERSION:=2.43 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL:=@KERNEL/linux/libs/security/linux-privs/libcap2 +PKG_HASH:=512a0e5fc4c1e06d472a20da26aa96a9b9bf2a26b23f094f77f1b8da56cc427f + +PKG_MAINTAINER:=Paul Wassi +PKG_LICENSE:=GPL-2.0-only +PKG_LICENSE_FILES:=License + +PKG_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk + +define Package/libcap/Default + TITLE:=Linux capabilities library + SECTION:=libs + CATEGORY:=Libraries + URL:=https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/ +endef + +define Package/libcap/description/Default + Linux capabilities +endef + +define Package/libcap + $(call Package/libcap/Default) + TITLE += library +endef + +define Package/libcap-bin + $(call Package/libcap/Default) + TITLE += binaries + DEPENDS += libcap +endef + +define Package/libcap-bin/description + $(call Package/libcap/description/Default) + . + This package contains the libcap utilities. +endef + +define Package/libcap-bin/config + if PACKAGE_libcap-bin + config PACKAGE_libcap-bin-capsh-shell + string "capsh shell" + help + Set the capsh shell. 
+ default "/bin/sh" + endif +endef + +MAKE_FLAGS += \ + BUILD_CC="$(CC)" \ + BUILD_CFLAGS="$(FPIC) -I$(PKG_BUILD_DIR)/libcap/include" \ + CFLAGS="$(TARGET_CFLAGS)" \ + LD="$(TARGET_CC) -Wl,-x -shared" \ + LDFLAGS="$(TARGET_LDFLAGS)" \ + INDENT="| true" \ + GOLANG="no" \ + PAM_CAP="no" \ + RAISE_SETFCAP="no" \ + DYNAMIC="yes" \ + lib="lib" + +ifneq ($(CONFIG_PACKAGE_libcap-bin-capsh-shell),) +TARGET_CFLAGS += -DSHELL='\"$(CONFIG_PACKAGE_libcap-bin-capsh-shell)\"' +endif + +TARGET_CFLAGS += $(if $(CONFIG_USE_MUSL),-Dpthread_yield=sched_yield) + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include/sys + $(CP) $(PKG_INSTALL_DIR)/usr/include/sys/*.h $(1)/usr/include/sys/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/lib/libcap.{so*,a} $(1)/usr/lib/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/lib/libpsx.a $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/lib/pkgconfig/libcap.pc $(1)/usr/lib/pkgconfig/ + $(SED) 's,exec_prefix=,exec_prefix=/usr,g' $(1)/usr/lib/pkgconfig/libcap.pc + $(SED) 's,/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libcap.pc + $(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libcap.pc + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/lib/pkgconfig/libpsx.pc $(1)/usr/lib/pkgconfig/ + $(SED) 's,exec_prefix=,exec_prefix=/usr,g' $(1)/usr/lib/pkgconfig/libpsx.pc + $(SED) 's,/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libpsx.pc + $(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libpsx.pc +endef + +define Package/libcap/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/lib/libcap.so* $(1)/usr/lib/ +endef + +define Package/libcap-bin/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/sbin/capsh $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/getcap $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/getpcaps $(1)/usr/sbin/ + $(CP) $(PKG_INSTALL_DIR)/sbin/setcap $(1)/usr/sbin/ +endef + +$(eval $(call BuildPackage,libcap)) +$(eval $(call 
BuildPackage,libcap-bin)) diff --git a/package/libs/libcap/patches/300-disable-tests.patch b/package/libs/libcap/patches/300-disable-tests.patch new file mode 100644 index 0000000000..c1779e28ec --- /dev/null +++ b/package/libs/libcap/patches/300-disable-tests.patch 
@@ -0,0 +1,10 @@ +--- a/Makefile ++++ b/Makefile +@@ -17,7 +17,6 @@ ifeq ($(GOLANG),yes) + $(MAKE) -C go $@ + rm -f cap/go.sum + endif +- $(MAKE) -C tests $@ + $(MAKE) -C progs $@ + $(MAKE) -C doc $@ + $(MAKE) -C kdebug $@

From patchwork Thu Mar 11 23:25:26 2021
X-Patchwork-Id: 1451602
From: Stijn Tintel
To: openwrt-devel@lists.openwrt.org
Cc: John Crispin, Paul Wassi, Petr Štetiar
Subject: [PATCH 2/4] libcap: drop invalid copyright header
Date: Fri, 12 Mar 2021 01:25:26 +0200
Message-Id: <20210311232528.338648-3-stijn@linux-ipv6.be>
In-Reply-To: <20210311232528.338648-1-stijn@linux-ipv6.be>
References: <20210311232528.338648-1-stijn@linux-ipv6.be>

Signed-off-by: Stijn Tintel
--- package/libs/libcap/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/package/libs/libcap/Makefile b/package/libs/libcap/Makefile index 0206bd9d1d..29ff75c5cd 100644 --- a/package/libs/libcap/Makefile +++ b/package/libs/libcap/Makefile
@@ -1,6 +1,4 @@ # -# Copyright (C) 2011 OpenWrt.org -# # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. #

From patchwork Thu Mar 11 23:25:27 2021
X-Patchwork-Id: 1451605
From: Stijn Tintel
To: openwrt-devel@lists.openwrt.org
Cc: John Crispin, Paul Wassi, Petr Štetiar
Subject: [PATCH 3/4] libcap: bump to 2.48
Date: Fri, 12 Mar 2021 01:25:27 +0200
Message-Id: <20210311232528.338648-4-stijn@linux-ipv6.be>
In-Reply-To: <20210311232528.338648-1-stijn@linux-ipv6.be>
References: <20210311232528.338648-1-stijn@linux-ipv6.be>

Signed-off-by: Stijn Tintel
--- package/libs/libcap/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/libcap/Makefile b/package/libs/libcap/Makefile index 29ff75c5cd..b8e45a52c7 100644 --- a/package/libs/libcap/Makefile +++ b/package/libs/libcap/Makefile
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libcap -PKG_VERSION:=2.43 +PKG_VERSION:=2.48 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/linux/libs/security/linux-privs/libcap2 -PKG_HASH:=512a0e5fc4c1e06d472a20da26aa96a9b9bf2a26b23f094f77f1b8da56cc427f +PKG_HASH:=4de9590ee09a87c282d558737ffb5b6175ccbfd26d580add10df44d0f047f6c2 PKG_MAINTAINER:=Paul Wassi PKG_LICENSE:=GPL-2.0-only

From patchwork Thu Mar 11 23:25:28 2021
X-Patchwork-Id: 1451606
From: Stijn Tintel
To: openwrt-devel@lists.openwrt.org
Cc: John Crispin, Paul Wassi, Petr Štetiar
Subject: [PATCH 4/4] lldpd: add libcap dependency
Date: Fri, 12 Mar 2021 01:25:28 +0200
Message-Id: <20210311232528.338648-5-stijn@linux-ipv6.be>
In-Reply-To: <20210311232528.338648-1-stijn@linux-ipv6.be>
References: <20210311232528.338648-1-stijn@linux-ipv6.be>

Now that libcap is in OpenWrt base, we can drop our custom patch to disable libcap support and have lldpd depend on it instead. This will allow the monitor process to drop its privileges instead of running as root, improving security.

Signed-off-by: Stijn Tintel
--- package/network/services/lldpd/Makefile | 4 ++-- .../lldpd/patches/001-disable_libcap.patch | 17 ----------------- 2 files changed, 2 insertions(+), 19 deletions(-) delete mode 100644 package/network/services/lldpd/patches/001-disable_libcap.patch diff --git a/package/network/services/lldpd/Makefile b/package/network/services/lldpd/Makefile index 74d6791091..1329abe874 100644 --- a/package/network/services/lldpd/Makefile +++ b/package/network/services/lldpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lldpd PKG_VERSION:=1.0.7 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://media.luffy.cx/files/lldpd
@@ -30,7 +30,7 @@ define Package/lldpd SUBMENU:=Routing and Redirection TITLE:=Link Layer Discovery Protocol daemon URL:=https://vincentbernat.github.io/lldpd/ - DEPENDS:=+libevent2 +USE_GLIBC:libbsd +LLDPD_WITH_JSON:libjson-c +LLDPD_WITH_SNMP:libnetsnmp + DEPENDS:=+libcap +libevent2 +USE_GLIBC:libbsd +LLDPD_WITH_JSON:libjson-c +LLDPD_WITH_SNMP:libnetsnmp USERID:=lldp=121:lldp=129 MENU:=1 endef diff --git a/package/network/services/lldpd/patches/001-disable_libcap.patch b/package/network/services/lldpd/patches/001-disable_libcap.patch deleted file mode 100644 index 96cf00a653..0000000000 --- a/package/network/services/lldpd/patches/001-disable_libcap.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -246,7 +246,13 @@ PKG_CHECK_MODULES([check], [check >= 0.9 - - # Third-party libraries - lldp_CHECK_LIBEVENT --lldp_CHECK_LIBCAP -+ -+#libcap is not a core package so disable this capability -+#lldp_CHECK_LIBCAP -+libcap_LIBS= -+libcap_CFLAGS= -+AC_SUBST([libcap_LIBS]) -+AC_SUBST([libcap_CFLAGS]) - - # Compatibility with pkg.m4 < 0.27 - m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR],
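
Review bot: In [PATCH 1/4], package/libs/libcap/Makefile, "define Package/libcap-bin" sets "DEPENDS += libcap" without the "+" prefix, so selecting libcap-bin does not select libcap; the entry only becomes available once libcap is already enabled. [PATCH 4/4] uses "+libcap" for lldpd. Suggest "DEPENDS += +libcap" here unless the visibility-only behaviour is intended, in which case a comment saying so would help.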
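
Review bot: In [PATCH 1/4], patches/300-disable-tests.patch begins directly at "--- a/Makefile" with no description, so nothing records why "$(MAKE) -C tests $@" is removed from the upstream build. Suggest adding a short header to the patch file stating the reason, so that whoever refreshes it on a later version bump can tell whether it is still needed.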
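
Review bot: In [PATCH 2/4], the commit message has no body, and the subject calls the "Copyright (C) 2011 OpenWrt.org" line invalid without saying why. Since the hunk removes a copyright notice, suggest one sentence in the message giving the basis for the removal.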
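
Review bot: In [PATCH 3/4], the bump from 2.43 to 2.48 changes only PKG_VERSION and PKG_HASH, and the message has no body. Two things are worth stating in the commit message: that the new PKG_HASH was checked against the checksum published alongside the tarball at the PKG_SOURCE_URL location rather than computed from whatever was downloaded, and that patches/300-disable-tests.patch from [PATCH 1/4] (context "@@ -17,7 +17,6 @@" in the upstream Makefile) still applies cleanly to 2.48, since this patch does not refresh it.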
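
Review bot: In [PATCH 4/4], the DEPENDS hunk adds "+libcap" unconditionally and the only other change is deleting 001-disable_libcap.patch, so libcap support now depends entirely on "lldp_CHECK_LIBCAP" in configure.ac finding the library in the staging directory; nothing in the Makefile hunks makes the build fail if detection silently comes back empty. Suggest saying in the commit message how the result was verified (configure output showing libcap found, and the monitor process no longer running with full root privileges on a test device), because the security benefit claimed in the message is otherwise not checkable from the diff.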