author | William Pitcock <nenolod@dereferenced.org> | 2014-01-24 10:17:01 +0000 |
---|---|---|
committer | William Pitcock <nenolod@dereferenced.org> | 2014-01-24 10:17:01 +0000 |
commit | eeccca281ddf09a5e6c514c7151915384d141a84 (patch) | |
tree | bf8d52b768ca434d63802fcf0c67578e5377f1a0 | |
parent | 4e6dc966c123cbbe50acc9353eac554e4ebec4fa (diff) | |
main/ipfw-grsec: new aport
-rw-r--r-- | main/ipfw-grsec/APKBUILD | 76 | ||||
-rw-r--r-- | main/ipfw-grsec/ipfw-cgroup.patch | 34 | ||||
-rw-r--r-- | main/ipfw-grsec/ipfw-kmod-dereffix.patch | 22 | ||||
-rw-r--r-- | main/ipfw-grsec/ipfw-strict-uidgid.patch | 40 |
4 files changed, 172 insertions, 0 deletions
diff --git a/main/ipfw-grsec/APKBUILD b/main/ipfw-grsec/APKBUILD
new file mode 100644
index 000000000..9606a730f
--- /dev/null
+++ b/main/ipfw-grsec/APKBUILD
@@ -0,0 +1,76 @@
+# Contributor: William Pitcock <nenolod@dereferenced.org>
+# Maintainer: William Pitcock <nenolod@dereferenced.org>
+_flavor=${FLAVOR:-grsec}
+_kpkg=linux-$_flavor
+_realname=ipfw
+_name=$_realname-$_flavor
+
+_kver=3.12.8
+_kpkgrel=0
+
+_realver=20130607
+_mypkgrel=0
+
+# source the kernel version
+if [ -f ../linux-$_flavor/APKBUILD ]; then
+ . ../linux-$_flavor/APKBUILD
+ [ "$_kver" != "$pkgver" ] && die "$_name: Please update _kver to $pkgver"
+ [ "$_kpkgrel" != "$pkgrel" ] && die "$_name: Please update _kpkgrel to $pkgrel"
+fi
+
+_kernelver=$_kver-r$_kpkgrel
+_abi_release=${_kver}-${_kpkgrel}-${_flavor}
+
+pkgname=$_name
+pkgver=$_kver
+pkgrel=$(($_kpkgrel + $_mypkgrel))
+pkgdesc="BSD ipfw firewall and dummynet suite (linux-grsec modules)"
+url="http://info.iet.unipi.it/~luigi/dummynet/"
+arch="all"
+license="BSD"
+depends="linux-${_flavor}=${_kernelver}"
+makedepends="linux-${_flavor}-dev=${_kernelver} iptables-dev pkgconfig"
+install=
+install_if="linux-$_flavor=$_kernelver $_realname"
+source="http://info.iet.unipi.it/~luigi/doc/${_realver}-${_realname}3.tgz
+ ipfw-kmod-dereffix.patch
+ ipfw-cgroup.patch
+ ipfw-strict-uidgid.patch"
+subpackages=""
+
+_builddir="$srcdir/ipfw3-2012"
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ make kipfw KSRC=/usr/src/linux-headers-${_abi_release} V=1
+}
+
+package() {
+ cd "$_builddir/kipfw-mod"
+ mkdir -p "$pkgdir/lib/modules/${_abi_release}/misc/"
+ for module in `find . -type f -name '*.ko'`; do
+ install -D -m644 $module "$pkgdir/lib/modules/${_abi_release}/misc/"
+ done
+}
+
+md5sums="004e65e6d545a89c4dcc3e741e287444 20130607-ipfw3.tgz
+c4f9a8065d448da3901b3d8219dd98ca ipfw-kmod-dereffix.patch
+f0d782e9869b26aae8a919645a48fc88 ipfw-cgroup.patch
+5a7390c6dcdb49b576c2a74071d7e3dd ipfw-strict-uidgid.patch"
+sha256sums="7dc80437b137e629f8ef3a7889b24ffbd1c27274e9cce15fd1f3b2c8620c6d64 20130607-ipfw3.tgz
+84967fe411d8c35343c39b321aaddc830ef955ab2e27f78de1cf99c496b2cbfa ipfw-kmod-dereffix.patch
+7538104b3ae3ea175c06b3d021877f1961688e9f6a897a80f75e864c21c162d1 ipfw-cgroup.patch
+4d96448496b6fecc0ca13aedb19f08b28769a66c82d301c8f57dced117e537b7 ipfw-strict-uidgid.patch"
+sha512sums="6c4c2c7d4795094b9ff72212394e7dee44e5f9e09e97021b5ac9c3fad6de5a32b1d608ae9572da17f62cb37d076d89ab26859c61255d03d6bce22ca527f2c8ec 20130607-ipfw3.tgz
+e445c17ebc01feea5ce473819c386c7e07507889365a8790d8a8e8f41bbea70b06fc7e0a7e98d558b9653abe1c175706684a5222f0003f5350902c6927df9b72 ipfw-kmod-dereffix.patch
+c1841f7a47ef840a8fde575e84ea47d71b7f80dbb0606f4a53f6c58bfcd157b26db003f1ecf2ff61c0138f81f8e56835c0866ed6ca31188a0bad6790a78edae8 ipfw-cgroup.patch
+a9c89d5c2310d5d4e76747a191767dc2acef8d149377d5f943d4969137a68d42feae8c9e9aef4fe688221f933762a61b444f96d68f6db0b31efbd845c3d591c3 ipfw-strict-uidgid.patch"
diff --git a/main/ipfw-grsec/ipfw-cgroup.patch b/main/ipfw-grsec/ipfw-cgroup.patch
new file mode 100644
index 000000000..23942e7a2
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-cgroup.patch
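Review bot: In package(), failures of `cd`, `mkdir -p` and `install` are not propagated — the function's exit status is that of the last `install` in the loop, so an earlier module that failed to copy still yields a "successful" package missing that module, whereas prepare() already uses the explicit `|| return 1` that abuild of this era relies on. Suggested: `cd "$_builddir/kipfw-mod" || return 1`, `mkdir -p "$pkgdir/lib/modules/${_abi_release}/misc/" || return 1` and `install -D -m644 "$module" "$pkgdir/lib/modules/${_abi_release}/misc/" || return 1`; the `cd` in build() has the same gap. As a point of style, `$(find . -type f -name '*.ko')` reads better than backticks and the `$module` expansion should be quoted. The source tarball is fetched over plain HTTP, which the sha512sums line pins, so that part is fine as long as the checksums stay maintained.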
@@ -0,0 +1,34 @@
+--- ipfw3-2012.orig/glue.h
++++ ipfw3-2012/glue.h
+@@ -377,13 +377,29 @@
+ #define flow_daddr fl.nl_u.ip4_u
+ #endif
+ 
+-#endif /* __linux__ */
+-
+ /*
+ * Do not load prio_heap.h header because of conflicting names
+ * with our heap functions defined in include/netinet/ipfw/dn_heap.h
+ */
+ #define _LINUX_PRIO_HEAP_H
++
++/* Do however declare the structure... */
++/**
++ * struct ptr_heap - simple static-sized priority heap
++ * @ptrs - pointer to data area
++ * @max - max number of elements that can be stored in @ptrs
++ * @size - current number of valid elements in @ptrs (in the range 0..@size-1
++ * @gt: comparison operator, which should implement "greater than"
++ */
++struct ptr_heap {
++ void **ptrs;
++ int max;
++ int size;
++ int (*gt)(void *, void *);
++};
++
++#endif /* __linux__ */
++
+ /*
+ * The following define prevent the ipv6.h header to be loaded.
+ * Starting from the 2.6.38 kernel the ipv6.h file, which is included
diff --git a/main/ipfw-grsec/ipfw-kmod-dereffix.patch b/main/ipfw-grsec/ipfw-kmod-dereffix.patch
new file mode 100644
index 000000000..168fc70e1
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-kmod-dereffix.patch
@@ -0,0 +1,22 @@
+--- ipfw3-2012.orig/sys/netinet/ipfw/ip_dummynet.c
++++ ipfw3-2012/sys/netinet/ipfw/ip_dummynet.c
+@@ -635,7 +635,7 @@
+ fs->sched->fp->free_fsk(fs);
+ fs->sched = NULL;
+ if (flags & DN_DELETE_FS) {
+- bzero(fs, sizeof(fs)); /* safety */
++ bzero(fs, sizeof(*fs)); /* safety */
+ free(fs, M_DUMMYNET);
+ dn_cfg.fsk_count--;
+ } else {
+--- ipfw3-2012.orig/kipfw/ipfw2_mod.c
++++ ipfw3-2012/kipfw/ipfw2_mod.c
+@@ -218,7 +218,7 @@
+ struct thread t;
+ int ret = EINVAL;
+ 
+- memset(s, 0, sizeof(s));
++ memset(s, 0, sizeof(*s));
+ s->sopt_name = cmd;
+ s->sopt_dir = dir;
+ s->sopt_valsize = len;
diff --git a/main/ipfw-grsec/ipfw-strict-uidgid.patch b/main/ipfw-grsec/ipfw-strict-uidgid.patch
new file mode 100644
index 000000000..cf4376b95
--- /dev/null
+++ b/main/ipfw-grsec/ipfw-strict-uidgid.patch
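Review bot: The `struct ptr_heap` added to glue.h in the ipfw-cgroup.patch hunk is a hand copy of a kernel structure, kept only because `_LINUX_PRIO_HEAP_H` is predefined to keep the real `<linux/prio_heap.h>` out (the name clash with dn_heap.h noted in the context lines); nothing in the copy records which kernel header or version it mirrors, so a layout change on the kernel side would go unnoticed until code exchanging a `struct ptr_heap` with the kernel misbehaves. A comment on the definition such as `/* Copy of struct ptr_heap from <linux/prio_heap.h>, which is masked above; must match the layout of the kernel named by _kver in APKBUILD */` would at least make the coupling visible to whoever bumps `_kver`. The doc line for `@size` is also missing its closing parenthesis after `@size-1`, presumably copied as-is.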
@@ -0,0 +1,40 @@
+--- ipfw3-2012.orig/glue.h
++++ ipfw3-2012/glue.h
+@@ -102,6 +102,24 @@
+ #include <linux/in.h> /* struct in_addr */
+ #include <linux/in6.h> /* struct in6_addr */
+ #include <linux/icmp.h>
++
++#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS
++#include <linux/uidgid.h>
++
++#define KUID_TO_SUID(x) (__kuid_val(x))
++#define KGID_TO_SGID(x) (__kgid_val(x))
++#define SUID_TO_KUID(x) (KUIDT_INIT(x))
++#define SGID_TO_KGID(x) (KGIDT_INIT(x))
++
++#else
++
++#define KUID_TO_SUID(x) (x)
++#define KGID_TO_SGID(x) (x)
++#define SUID_TO_KUID(x) (x)
++#define SGID_TO_KGID(x) (x)
++
++#endif
++
+ /*
+ * LIST_HEAD in queue.h conflict with linux/list.h
+ * some previous linux include need list.h definition
+--- ipfw3-2012.orig/kipfw/ipfw2_mod.c
++++ ipfw3-2012/kipfw/ipfw2_mod.c
+@@ -737,8 +737,8 @@
+ if ((1<<st) & GOOD_STATES) {
+ read_lock_bh(&sk->sk_callback_lock);
+ if (sk->sk_socket && sk->sk_socket->file) {
+- u->uid = sk->sk_socket->file->_CURR_UID;
+- u->gid = sk->sk_socket->file->_CURR_GID;
++ u->uid = KUID_TO_SUID(sk->sk_socket->file->_CURR_UID);
++ u->gid = KGID_TO_SGID(sk->sk_socket->file->_CURR_GID);
+ }
+ read_unlock_bh(&sk->sk_callback_lock);
+ } else { |
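Review bot: The `#ifdef CONFIG_UIDGID_STRICT_TYPE_CHECKS` split in the glue.h hunk looks unnecessary and slightly fragile: if I recall the 3.12-era `<linux/uidgid.h>` correctly, `__kuid_val()`/`__kgid_val()` and `KUIDT_INIT()`/`KGIDT_INIT()` are provided in both configurations (struct accessors in one, identity casts in the other), so defining the four macros once with the strict-branch bodies would be correct now and would not silently become a type mismatch on a kernel that drops the option and makes `kuid_t` unconditionally a struct. `SUID_TO_KUID` and `SGID_TO_KGID` are defined in both branches but used nowhere in this patch; either drop them or say what they are for. In the ipfw2_mod.c hunk, `KUID_TO_SUID()` yields the kernel-internal uid rather than one mapped through any user namespace, which is worth stating next to the assignment, e.g. `/* raw kernel uid, not namespace-mapped; confirm ipfw uid rules are meant in that space */`. The enclosing function in ipfw2_mod.c starts and ends outside the hunk.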