kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Backport an Illumos patch to fix the minimum privilege model, fixes quagga

Browse source 
on SunOS. Add SMF manifest and method.
Bump PKGREVISION.
This commit is contained in:
fhajny 2015-01-25 22:14:05 +00:00
parent 005d159be6
commit 52fc776b98
5 changed files with 667 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
net/quagga/Makefile
View file

@ -1,7 +1,8 @@
# $NetBSD: Makefile,v 1.48 2014/12/02 20:22:14 gdt Exp $
# $NetBSD: Makefile,v 1.49 2015/01/25 22:14:05 fhajny Exp $
#
DISTNAME= quagga-0.99.23.1
PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/
@ -42,6 +43,14 @@ CONF_FILES_PERMS+= ${PREFIX}/share/examples/quagga/log_syslog.conf \
.include "options.mk"
.if ${INIT_SYSTEM} == "smf"
BUILD_DIRS= . solaris
SMF_INSTANCES= bgp ospf ospf6 rip ripng zebra
SMF_METHODS= quagga
SMF_METHOD_SRC.quagga= ${WRKSRC}/solaris/quagga.init
FILES_SUBST+= PKG_SMF_METHOD_DIR=${PKG_SMF_METHOD_DIR}
.endif
PLIST_CAT+= ${PKGDIR}/PLIST
LIBS+= ${LDFLAGS}

4
net/quagga/distinfo
View file

@ -1,7 +1,9 @@
$NetBSD: distinfo,v 1.20 2014/12/02 20:22:14 gdt Exp $
$NetBSD: distinfo,v 1.21 2015/01/25 22:14:05 fhajny Exp $
SHA1 (quagga-0.99.23.1.tar.gz) = 0501f527383cfa548a800de9816cf1423f6b2336
RMD160 (quagga-0.99.23.1.tar.gz) = 6102fdf118cf31de8155dfcaffee91207ff56164
Size (quagga-0.99.23.1.tar.gz) = 2526612 bytes
SHA1 (patch-configure) = a58a698ba9b8a174c3623a9cd4b52518e410c0df
SHA1 (patch-lib_privs.c) = d86ec56c9f57f38af6cce5285fb95759efc7c8e9
SHA1 (patch-solaris_quagga.init.in) = 85c63089ecc0852f737f3be347d0ad90093d844f
SHA1 (patch-zebra-kernel_socket.c) = d9a2f3a301d4ac8392c246a2661859657a6dca5e

454
net/quagga/files/smf/manifest.xml Normal file
View file

@ -0,0 +1,454 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='SUNWquagga-daemons:quagga'>
<service name='@SMF_PREFIX@/quagga' type='service' version='1'>
<instance name='zebra' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='net' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/network/initial' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga zebra' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'></exec_method>
<!-- if we define these properties at the service level, each
instance inherits them, and it can override with
desired values.
-->
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/zebra' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- zebra should not contribute to ipv4/ipv6 routing state -->
<propval name='protocol' type='astring' value='zebra' />
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<stability value='Evolving' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons
Property names are equivalent to the long
option name, consult Quagga documentation -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
<!-- Options specific to zebra -->
<propval name='batch' type='boolean' value='false' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: zebra, RIB, kernel intermediary and misc daemon</loctext>
</common_name>
<documentation>
<manpage title='zebra' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<instance name='rip' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='ipv4-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv4-forwarding' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<!-- ensure that restart of zebra is propogated to daemon -->
<dependency name='zebra' grouping='optional_all' restart_on='restart' type='service'>
<service_fmri value='svc:/@SMF_PREFIX@/quagga:zebra' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga ripd' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'></exec_method>
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/ripd' />
<propval name='legacy-daemon' type='astring' value='/usr/sfw/sbin/ripdstart' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<propval name='protocol' type='astring' value='ipv4' />
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
<!-- Options specific to ripd -->
<propval name='retain' type='boolean' value='false' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: ripd, RIPv1/2 IPv4 routing protocol daemon.</loctext>
</common_name>
<documentation>
<manpage title='ripd' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<instance name='ripng' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='ipv6-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv6-forwarding' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<!-- ensure that restart of zebra is propogated to daemon -->
<dependency name='zebra' grouping='optional_all' restart_on='restart' type='service'>
<service_fmri value='svc:/@SMF_PREFIX@/quagga:zebra' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga ripngd' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'></exec_method>
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/ripngd' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<propval name='protocol' type='astring' value='ipv6' />
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
<!-- Options specific to ripngd -->
<propval name='retain' type='boolean' value='false' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: ripngd, RIPng IPv6 routing protocol daemon.</loctext>
</common_name>
<documentation>
<manpage title='ripngd' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<instance name='ospf' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='ipv4-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv4-forwarding' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<!-- ensure that restart of zebra is propogated to daemon -->
<dependency name='zebra' grouping='optional_all' restart_on='restart' type='service'>
<service_fmri value='svc:/@SMF_PREFIX@/quagga:zebra' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga ospfd' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<!-- ospfd can take a long time to shutdown, due to graceful
shutdown
-->
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='600'></exec_method>
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/ospfd' />
<propval name='legacy-daemon' type='astring' value='/usr/sfw/sbin/ospfdstart' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<propval name='protocol' type='astring' value='ipv4' />
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: ospfd, OSPFv2 IPv4 routing protocol daemon.</loctext>
</common_name>
<documentation>
<manpage title='ospfd' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<instance name='ospf6' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='ipv6-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv6-forwarding' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<!-- ensure that restart of zebra is propogated to daemon -->
<dependency name='zebra' grouping='optional_all' restart_on='restart' type='service'>
<service_fmri value='svc:/@SMF_PREFIX@/quagga:zebra' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga ospf6d' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'></exec_method>
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/ospf6d' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<propval name='protocol' type='astring' value='ipv6' />
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: ospf6d, OSPFv3 IPv6 routing protocol daemon.</loctext>
</common_name>
<documentation>
<manpage title='ospf6d' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<instance name='bgp' enabled='false'>
<dependency name='fs' grouping='require_all' restart_on='none' type='service'>
<service_fmri value='svc:/system/filesystem/usr:default' />
</dependency>
<dependency name='ipv6-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv6-forwarding' />
</dependency>
<dependency name='ipv4-forwarding' grouping='optional_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/ipv4-forwarding' />
</dependency>
<!-- do not not run unless routing-setup has run -->
<dependency name='network_routing_setup' grouping='require_all' restart_on='refresh' type='service'>
<service_fmri value='svc:/network/routing-setup' />
</dependency>
<!-- ensure that restart of zebra is propogated to daemon -->
<dependency name='zebra' grouping='optional_all' restart_on='restart' type='service'>
<service_fmri value='svc:/@SMF_PREFIX@/quagga:zebra' />
</dependency>
<exec_method type='method' name='start' exec='@PREFIX@/@PKG_SMF_METHOD_DIR@/quagga bgpd' timeout_seconds='60'>
<method_context>
<method_credential user='root' group='root' />
</method_context>
</exec_method>
<exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'></exec_method>
<property_group name='startd' type='framework'>
<!-- sub-process core dumps shouldn't restart session -->
<propval name='ignore_error' type='astring' value='core,signal' />
</property_group>
<!-- Properties in this group are used by routeadm (1M) -->
<property_group name='routeadm' type='application'>
<stability value='Unstable' />
<!-- Identifies service as a routing service -->
<propval name='daemon' type='astring' value='@PREFIX@/sbin/bgpd' />
<propval name='legacy-daemon' type='astring' value='/usr/sfw/sbin/bgpdstart' />
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<property name='protocol' type='astring'>
<astring_list>
<value_node value='ipv4' />
<value_node value='ipv6' />
</astring_list>
</property>
</property_group>
<!-- Properties in this group are modifiable via routeadm (1M) -->
<property_group name='routing' type='application'>
<propval name='value_authorization' type='astring' value='solaris.smf.value.routing' />
<!-- Options common to Quagga daemons. -->
<!-- The config file to use, if not the default -->
<propval name='config_file' type='astring' value='' />
<!-- The vty_port to listen on if not the default.
0 to disable -->
<propval name='vty_port' type='integer' value='0' />
<!-- The address to bind the VTY interface to, if not any. -->
<propval name='vty_address' type='astring' value='' />
<!-- The user to switch to after startup, if not the default -->
<propval name='user' type='astring' value='' />
<!-- The group to switch to, if not the default.
If user is specified, this defaults to a group with
same name as user -->
<propval name='group' type='astring' value='' />
<!-- The pidfile to use, if not the default of
/var/run/zebra -->
<propval name='pid_file' type='astring' value='' />
<!-- Options specific to bgpd -->
<propval name='retain' type='boolean' value='false' />
<propval name='no_kernel' type='boolean' value='false' />
<propval name='bgp_port' type='astring' value='' />
<!--
If enable_zebra is false, it will not be switched
on by the start method.
-->
<propval name='enable_zebra' type='boolean' value='true' />
</property_group>
<property_group name='general' type='framework'>
<!-- to start stop routing services -->
<propval name='action_authorization' type='astring' value='solaris.smf.manage.routing' />
<propval name='value_authorization' type='astring' value='solaris.smf.manage.routing' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>Quagga: bgpd, BGP routing protocol daemon.</loctext>
</common_name>
<documentation>
<manpage title='bgpd' section='1M' manpath='@PREFIX@/man' />
<doc_link name='quagga.net' uri='http://www.quagga.net/' />
</documentation>
</template>
</instance>
<stability value='Unstable' />
</service>
</service_bundle>

162
net/quagga/patches/patch-lib_privs.c Normal file
View file

@ -0,0 +1,162 @@
$NetBSD: patch-lib_privs.c,v 1.1 2015/01/25 22:14:05 fhajny Exp $
Fix minimum privileges setup, makes Quagga work on SunOS.
https://github.com/illumos/illumos-userland/blob/master/components/quagga/patches/75-privs-basicprivset.patch
--- lib/privs.c.orig 2014-08-25 16:56:53.000000000 +0000
+++ lib/privs.c
@@ -2,7 +2,7 @@
* Zebra privileges.
*
* Copyright (C) 2003 Paul Jakma.
- * Copyright (C) 2005 Sun Microsystems, Inc.
+ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
*
* This file is part of GNU Zebra.
*
@@ -348,6 +348,26 @@ zprivs_caps_terminate (void)
* - http://blogs.sun.com/roller/page/gbrunett?entry=privilege_enabling_set_id_programs1
*/
+static pset_t *
+zprivs_caps_minimal ()
+{
+ pset_t *minimal;
+
+ if ((minimal = priv_str_to_set("basic", ",", NULL)) == NULL)
+ {
+ fprintf (stderr, "%s: couldn't get basic set!\n", __func__);
+ exit (1);
+ }
+
+ /* create a minimal privilege set from the basic set */
+ (void) priv_delset(minimal, PRIV_PROC_EXEC);
+ (void) priv_delset(minimal, PRIV_PROC_INFO);
+ (void) priv_delset(minimal, PRIV_PROC_SESSION);
+ (void) priv_delset(minimal, PRIV_FILE_LINK_ANY);
+
+ return minimal;
+}
+
/* convert zebras privileges to system capabilities */
static pset_t *
zcaps2sys (zebra_capabilities_t *zcaps, int num)
@@ -376,26 +396,34 @@ zcaps2sys (zebra_capabilities_t *zcaps,
int
zprivs_change_caps (zebra_privs_ops_t op)
{
+ pset_t *privset;
/* should be no possibility of being called without valid caps */
assert (zprivs_state.syscaps_p);
if (!zprivs_state.syscaps_p)
{
+ fprintf (stderr, "%s: Eek, missing privileged caps!", __func__);
+ exit (1);
+ }
+
+ assert (zprivs_state.caps);
+ if (!zprivs_state.caps)
+ {
fprintf (stderr, "%s: Eek, missing caps!", __func__);
exit (1);
}
-
- /* to raise: copy original permitted into our working effective set
- * to lower: just clear the working effective set
+
+ /* to raise: copy original permitted as our working effective set
+ * to lower: copy regular effective set stored in zprivs_state.caps
*/
if (op == ZPRIVS_RAISE)
- priv_copyset (zprivs_state.syscaps_p, zprivs_state.caps);
+ privset = zprivs_state.syscaps_p;
else if (op == ZPRIVS_LOWER)
- priv_emptyset (zprivs_state.caps);
+ privset = zprivs_state.caps;
else
return -1;
- if (setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps) != 0)
+ if (setppriv (PRIV_SET, PRIV_EFFECTIVE, privset) != 0)
return -1;
return 0;
@@ -423,15 +451,15 @@ zprivs_state_caps (void)
}
else
{
- if (priv_isemptyset (effective) == B_TRUE)
+ if (priv_isequalset (effective, zprivs_state.syscaps_p))
+ result = ZPRIVS_RAISED;
+ else if (priv_isequalset (effective, zprivs_state.caps))
result = ZPRIVS_LOWERED;
else
- result = ZPRIVS_RAISED;
+ result = ZPRIVS_UNKNOWN;
}
- if (effective)
- priv_freeset (effective);
-
+ priv_freeset (effective);
return result;
}
@@ -439,7 +467,7 @@ static void
zprivs_caps_init (struct zebra_privs_t *zprivs)
{
pset_t *basic;
- pset_t *empty;
+ pset_t *minimal;
/* the specified sets */
zprivs_state.syscaps_p = zcaps2sys (zprivs->caps_p, zprivs->cap_num_p);
@@ -467,14 +495,6 @@ zprivs_caps_init (struct zebra_privs_t *
priv_union (basic, zprivs_state.syscaps_p);
priv_freeset (basic);
- /* we need an empty set for 'effective', potentially for inheritable too */
- if ( (empty = priv_allocset()) == NULL)
- {
- fprintf (stderr, "%s: couldn't get empty set!\n", __func__);
- exit (1);
- }
- priv_emptyset (empty);
-
/* Hey kernel, we know about privileges!
* this isn't strictly required, use of setppriv should have same effect
*/
@@ -517,16 +537,19 @@ zprivs_caps_init (struct zebra_privs_t *
exit (1);
}
- /* now clear the effective set and we're ready to go */
- if (setppriv (PRIV_SET, PRIV_EFFECTIVE, empty))
+ /* we need a minimal basic set for 'effective', potentially for inheritable too */
+ minimal = zprivs_caps_minimal();
+
+ /* now set the effective set with a subset of basic privileges */
+ if (setppriv (PRIV_SET, PRIV_EFFECTIVE, minimal))
{
fprintf (stderr, "%s: error setting effective set!, %s\n", __func__,
safe_strerror (errno) );
exit (1);
}
- /* we'll use this as our working-storage privset */
- zprivs_state.caps = empty;
+ /* we'll use the minimal set as our working-storage privset */
+ zprivs_state.caps = minimal;
/* set methods for the caller to use */
zprivs->change = zprivs_change_caps;
@@ -538,8 +561,7 @@ zprivs_caps_terminate (void)
{
assert (zprivs_state.caps);
- /* clear all capabilities */
- priv_emptyset (zprivs_state.caps);
+ /* clear all capabilities by using working-storage privset */
setppriv (PRIV_SET, PRIV_EFFECTIVE, zprivs_state.caps);
setppriv (PRIV_SET, PRIV_PERMITTED, zprivs_state.caps);
setppriv (PRIV_SET, PRIV_INHERITABLE, zprivs_state.caps);

38
net/quagga/patches/patch-solaris_quagga.init.in Normal file
View file

@ -0,0 +1,38 @@
$NetBSD: patch-solaris_quagga.init.in,v 1.1 2015/01/25 22:14:05 fhajny Exp $
Fix SMF method based on the manifest we provide.
--- solaris/quagga.init.in.orig 2014-08-25 16:56:53.000000000 +0000
+++ solaris/quagga.init.in
@@ -156,16 +156,16 @@ routeadm_zebra_enable () {
enable_zebra=`/usr/bin/svcprop -p \
routing/enable_zebra $SMF_FMRI 2> /dev/null`
if [ "$enable_zebra" != "false" ]; then
- zenabled=`/usr/bin/svcprop -p general/enabled zebra:quagga`
- zenabledt=`/usr/bin/svcprop -p general_ovr/enabled zebra:quagga`
+ zenabled=`/usr/bin/svcprop -p general/enabled quagga:zebra`
+ zenabledt=`/usr/bin/svcprop -p general_ovr/enabled quagga:zebra`
if [ "$zenabled" = "true" -o "$zenabledt" = "true" ]; then
- /usr/sbin/svcadm disable zebra:quagga
- /usr/sbin/svcadm enable -st zebra:quagga
+ /usr/sbin/svcadm disable quagga:zebra
+ /usr/sbin/svcadm enable -st quagga:zebra
else
- /usr/sbin/svcadm enable -st zebra:quagga
+ /usr/sbin/svcadm enable -st quagga:zebra
fi
if [ "$?" != "0" ]; then
- echo "Could not enable zebra:quagga"
+ echo "Could not enable quagga:zebra"
exit $SMF_EXIT_ERR_FATAL
fi
fi
@@ -255,7 +255,8 @@ else
fi
fi
-upgrade_config "$DAEMON"
+# Do not try to upgrade, keep pkgsrc separate
+# upgrade_config "$DAEMON"
if [ ! -f "@sysconfdir@/${DAEMON}.conf" ] ; then
echo "Could not find config file, @sysconfdir@/${DAEMON}.conf"