Module Name:    src
Committed By:   christos
Date:           Sun Mar  7 15:09:13 UTC 2021

Modified Files:
        src/lib: Makefile
        src/lib/libwrap: Makefile hosts_access.c
        src/tests/fs/nfs/nfsservice: Makefile
        src/usr.sbin/inetd: Makefile
        src/usr.sbin/lpr/lpd: Makefile
        src/usr.sbin/syslogd: Makefile
        src/usr.sbin/tcpdchk: Makefile
        src/usr.sbin/tcpdmatch: Makefile
        src/usr.sbin/ypserv/ypserv: Makefile ypserv.c

Log Message:
Add blocklist support to libwrap which enables all programs using libwrap
to block access from hosts we deny. (libwrap support from Greg A. Woods)


To generate a diff of this commit:
cvs rdiff -u -r1.286 -r1.287 src/lib/Makefile
cvs rdiff -u -r1.11 -r1.12 src/lib/libwrap/Makefile
cvs rdiff -u -r1.22 -r1.23 src/lib/libwrap/hosts_access.c
cvs rdiff -u -r1.15 -r1.16 src/tests/fs/nfs/nfsservice/Makefile
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/inetd/Makefile
cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/lpr/lpd/Makefile
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/syslogd/Makefile
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/tcpdchk/Makefile
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/tcpdmatch/Makefile
cvs rdiff -u -r1.20 -r1.21 src/usr.sbin/ypserv/ypserv/Makefile
cvs rdiff -u -r1.26 -r1.27 src/usr.sbin/ypserv/ypserv/ypserv.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/Makefile
diff -u src/lib/Makefile:1.286 src/lib/Makefile:1.287
--- src/lib/Makefile:1.286	Thu Oct 29 16:11:17 2020
+++ src/lib/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.286 2020/10/29 20:11:17 nia Exp $
+#	$NetBSD: Makefile,v 1.287 2021/03/07 15:09:12 christos Exp $
 #	from: @(#)Makefile	5.25.1.1 (Berkeley) 5/7/91
 
 .include <bsd.own.mk>
@@ -27,7 +27,7 @@ SUBDIR+=	libarch \
 		libossaudio libpci libposix libprop libpthread \
 		libpuffs libresolv librmt librpcsvc librt \
 		libtelnet libterminfo \
-		libusbhid libutil libwrap liby libz
+		libusbhid libutil liby libz
 
 .if !defined(BSD_MK_COMPAT_FILE)
 SUBDIR+=	libkern
@@ -178,6 +178,8 @@ SUBDIR+=	../external/mit/libuv/lib
 #==================== 2nd library dependency barrier ====================
 SUBDIR+=	.WAIT
 
+SUBDIR+=	libwrap
+
 .if (${MKGCC} != "no" && ${MKCXX} != "no" && ${MKLIBSTDCXX} != "no")
 .for sanitizer in asan lsan ubsan
 .if exists(../external/gpl3/${EXTERNAL_GCC_SUBDIR}/lib/lib${sanitizer})

Index: src/lib/libwrap/Makefile
diff -u src/lib/libwrap/Makefile:1.11 src/lib/libwrap/Makefile:1.12
--- src/lib/libwrap/Makefile:1.11	Fri Jan 11 15:37:30 2019
+++ src/lib/libwrap/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.11 2019/01/11 20:37:30 christos Exp $
+#	$NetBSD: Makefile,v 1.12 2021/03/07 15:09:12 christos Exp $
 
 USE_FORT?= yes	# network server
 
@@ -14,6 +14,9 @@ MLINKS+=hosts_access.3 hosts_ctl.3
 MLINKS+=hosts_access.3 request_init.3
 MLINKS+=hosts_access.3 request_set.3
 
+#LDADD+=-lblocklist
+PADD+=${LIBBLOCKLIST}
+
 INCS= tcpd.h
 INCSDIR=/usr/include
 
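Review bot: `PADD+=${LIBBLOCKLIST}` looks like a typo for `DPADD+=${LIBBLOCKLIST}`; as far as I know nothing in the bsd.*.mk framework reads a variable named `PADD`, so the line has no effect. With `#LDADD+=-lblocklist` left commented out, libwrap calls into libblocklist without recording that dependency in the library itself. That is why every consumer Makefile later in this commit has to add `-lblocklist` by hand, and a program outside the tree that links only `-lwrap` would presumably fail with unresolved symbols. Declaring the dependency on the library, for example `LIBDPLIBS+= blocklist ${.CURDIR}/../libblocklist` if that path matches the tree, would make the per-program edits unnecessary.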

Index: src/lib/libwrap/hosts_access.c
diff -u src/lib/libwrap/hosts_access.c:1.22 src/lib/libwrap/hosts_access.c:1.23
--- src/lib/libwrap/hosts_access.c:1.22	Mon Mar 30 04:34:38 2020
+++ src/lib/libwrap/hosts_access.c	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $	*/
+/*	$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $	*/
 
  /*
   * This module implements a simple access control language that is based on
@@ -24,7 +24,7 @@
 #if 0
 static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
 #else
-__RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $");
+__RCSID("$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $");
 #endif
 #endif
 
@@ -37,6 +37,7 @@ __RCSID("$NetBSD: hosts_access.c,v 1.22 
 #endif
 #include <netinet/in.h>
 #include <arpa/inet.h>
+#include <blocklist.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <syslog.h>
@@ -103,6 +104,24 @@ static int masked_match6(char *, char *,
 
 #define	BUFLEN 2048
 
+static void
+pfilter_notify(struct request_info *request, int b)
+{
+    static struct blocklist *blstate;
+
+    if (blstate == NULL) {
+	blstate = blocklist_open();
+    }
+    if (request->client->sin != NULL) {
+	    blocklist_sa_r(blstate, b, request->fd != -1 ? request->fd : 3,
+		request->client->sin, request->client->sin->sa_len,
+		request->daemon ? request->daemon : getprogname());
+    } else {
+	    blocklist_r(blstate, b, (request->fd != -1) ? request->fd : 3,
+		request->daemon ? request->daemon : getprogname());
+    }
+}
+
 /* hosts_access - host access control facility */
 
 int
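Review bot: In pfilter_notify the result of `blocklist_open()` is never checked, so a failed open leaves `blstate` NULL and that pointer is handed to `blocklist_sa_r()`/`blocklist_r()` on every denied connection; return early instead, e.g. `if (blstate == NULL && (blstate = blocklist_open()) == NULL) return;`. The fallback descriptor `3` used when `request->fd == -1` is an undocumented guess: whatever the calling program has open at fd 3 is what gets passed to the blocklist daemon, and in the `blocklist_r()` branch (no sockaddr) that descriptor presumably decides which peer is recorded. It should either carry a comment explaining the choice or the report should be skipped when no descriptor is known. If `daemon` is a char array in `struct request_info`, as tcpd.h declares it, `request->daemon ? ... : getprogname()` can never take the fallback and should test `request->daemon[0] != '\0'`.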
@@ -128,12 +147,21 @@ hosts_access(struct request_info *reques
     if (resident <= 0)
 	resident++;
     verdict = setjmp(tcpd_buf);
-    if (verdict != 0)
+    if (verdict != 0) {
+	if (verdict != AC_PERMIT)
+	    pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
+	/* XXX pfilter_notify(0)??? */
 	return (verdict == AC_PERMIT);
-    if (table_match(hosts_allow_table, request))
+    }
+    if (table_match(hosts_allow_table, request)) {
+	/* XXX pfilter_notify(0)??? */
 	return (YES);
-    if (table_match(hosts_deny_table, request))
+    }
+    if (table_match(hosts_deny_table, request)) {
+	pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
 	return (NO);
+    }
+    /* XXX pfilter_notify(0)??? */
     return (YES);
 }
 
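Review bot: In the `setjmp` return branch, `if (verdict != AC_PERMIT)` reports every non-permit verdict as `BLOCKLIST_AUTH_FAIL`. That appears to include the error verdict (`AC_ERROR` in tcpd.h) that libwrap jumps back with when rule or option processing fails, so a mistake in the local access files would be counted against the remote host; `if (verdict == AC_DENY)` would keep only real denials. The three `/* XXX pfilter_notify(0)??? */` markers leave open whether permitted connections should be reported as successes, and that decision should be stated in a comment rather than left as a question. Because the report is made inside the library, diagnostic tools that go through hosts_access() (tcpdmatch is relinked in this commit) would, if they take this path, file real reports for hypothetical clients. The start of hosts_access() lies outside the hunk.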

Index: src/tests/fs/nfs/nfsservice/Makefile
diff -u src/tests/fs/nfs/nfsservice/Makefile:1.15 src/tests/fs/nfs/nfsservice/Makefile:1.16
--- src/tests/fs/nfs/nfsservice/Makefile:1.15	Sun Mar  1 13:08:14 2020
+++ src/tests/fs/nfs/nfsservice/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.15 2020/03/01 18:08:14 christos Exp $
+#	$NetBSD: Makefile,v 1.16 2021/03/07 15:09:12 christos Exp $
 #
 
 NOMAN=	1
@@ -45,8 +45,8 @@ CPPFLAGS+=	-I${LIBRPCDIR} -DPORTMAP -DLI
 # CPPFLAGS+=	-DRPCBIND_DEBUG
 # CPPFLAGS+=	-DSVC_RUN_DEBUG
 
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
 
 SANITIZER_RENAME_SYMBOL+=	__getmntinfo13
 

Index: src/usr.sbin/inetd/Makefile
diff -u src/usr.sbin/inetd/Makefile:1.23 src/usr.sbin/inetd/Makefile:1.24
--- src/usr.sbin/inetd/Makefile:1.23	Thu Oct 22 18:50:35 2009
+++ src/usr.sbin/inetd/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,5 +1,5 @@
 #	from: @(#)Makefile	8.1 (Berkeley) 6/6/93
-#	$NetBSD: Makefile,v 1.23 2009/10/22 22:50:35 tsarna Exp $
+#	$NetBSD: Makefile,v 1.24 2021/03/07 15:09:12 christos Exp $
 
 .include <bsd.own.mk>
 
@@ -13,8 +13,8 @@ MLINKS=	inetd.8 inetd.conf.5
 CPPFLAGS+=-DLIBWRAP
 # Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
 #CPPFLAGS+=-DLIBWRAP_INTERNAL
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
 
 .if (${USE_INET6} != "no")
 CPPFLAGS+=-DINET6

Index: src/usr.sbin/lpr/lpd/Makefile
diff -u src/usr.sbin/lpr/lpd/Makefile:1.18 src/usr.sbin/lpr/lpd/Makefile:1.19
--- src/usr.sbin/lpr/lpd/Makefile:1.18	Sun Jan  9 21:58:59 2005
+++ src/usr.sbin/lpr/lpd/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.18 2005/01/10 02:58:59 lukem Exp $
+#	$NetBSD: Makefile,v 1.19 2021/03/07 15:09:12 christos Exp $
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
 
 .include <bsd.own.mk>
@@ -8,8 +8,8 @@ MAN=	lpd.8
 SRCS=	lpd.c printjob.c recvjob.c lpdchar.c key.c modes.c ttcompat.c rcmd.c
 
 CPPFLAGS+=-DLIBWRAP
-LDADD+=	-lwrap
-DPADD+=	${LIBWRAP}
+LDADD+=	-lwrap -lblocklist
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST}
 
 .if (${USE_INET6} != "no")
 CPPFLAGS.rcmd.c=	-DINET6

Index: src/usr.sbin/syslogd/Makefile
diff -u src/usr.sbin/syslogd/Makefile:1.30 src/usr.sbin/syslogd/Makefile:1.31
--- src/usr.sbin/syslogd/Makefile:1.30	Sun Oct 13 03:28:22 2019
+++ src/usr.sbin/syslogd/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.30 2019/10/13 07:28:22 mrg Exp $
+#	$NetBSD: Makefile,v 1.31 2021/03/07 15:09:12 christos Exp $
 #	from: @(#)Makefile	8.1 (Berkeley) 6/6/93
 .include <bsd.own.mk>
 
@@ -25,8 +25,8 @@ CPPFLAGS+=-DLIBWRAP
 .if ${HAVE_OPENSSL} < 11
 CPPFLAGS+=-DOPENSSL_API_COMPAT=0x10100000L
 .endif
-LDADD+=	-lwrap
-DPADD+=	${LIBWRAP}
+LDADD+=	-lwrap -lblocklist 
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST} 
 
 LDADD+=	-lssl -lcrypto
 

Index: src/usr.sbin/tcpdchk/Makefile
diff -u src/usr.sbin/tcpdchk/Makefile:1.13 src/usr.sbin/tcpdchk/Makefile:1.14
--- src/usr.sbin/tcpdchk/Makefile:1.13	Wed Apr 22 11:23:08 2009
+++ src/usr.sbin/tcpdchk/Makefile	Sun Mar  7 10:09:12 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.13 2009/04/22 15:23:08 lukem Exp $
+#	$NetBSD: Makefile,v 1.14 2021/03/07 15:09:12 christos Exp $
 
 WARNS?=	1	# XXX: many issues in lib/libwrap to address first
 
@@ -7,8 +7,8 @@ WARNS?=	1	# XXX: many issues in lib/libw
 PROG=	tcpdchk
 SRCS=	tcpdchk.c fakelog.c inetcf.c scaffold.c percent_m.c
 MAN=	tcpdchk.8
-LDADD=	-lwrap
-DPADD=	${LIBWRAP}
+LDADD=	-lwrap -lblocklist 
+DPADD=	${LIBWRAP} ${LIBBLOCKLIST} 
 
 CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED
 

Index: src/usr.sbin/tcpdmatch/Makefile
diff -u src/usr.sbin/tcpdmatch/Makefile:1.12 src/usr.sbin/tcpdmatch/Makefile:1.13
--- src/usr.sbin/tcpdmatch/Makefile:1.12	Wed Apr 22 11:23:09 2009
+++ src/usr.sbin/tcpdmatch/Makefile	Sun Mar  7 10:09:13 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.12 2009/04/22 15:23:09 lukem Exp $
+#	$NetBSD: Makefile,v 1.13 2021/03/07 15:09:13 christos Exp $
 #
 
 WARNS?=	1	# XXX: many issues in lib/libwrap to address first
@@ -11,8 +11,8 @@ MAN=	tcpdmatch.8
 TCPDCHK=${NETBSDSRCDIR}/usr.sbin/tcpdchk
 .PATH: ${TCPDCHK}
 CPPFLAGS+= -I${TCPDCHK} -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED
-LDADD=	-lwrap
-DPADD=	${LIBWRAP}
+LDADD=	-lwrap -lblocklist
+DPADD=	${LIBWRAP} ${LIBBLOCKLIST}
 
 .include "${NETBSDSRCDIR}/lib/libwrap/Makefile.cflags"
 

Index: src/usr.sbin/ypserv/ypserv/Makefile
diff -u src/usr.sbin/ypserv/ypserv/Makefile:1.20 src/usr.sbin/ypserv/ypserv/Makefile:1.21
--- src/usr.sbin/ypserv/ypserv/Makefile:1.20	Sun Oct 13 03:28:22 2019
+++ src/usr.sbin/ypserv/ypserv/Makefile	Sun Mar  7 10:09:13 2021
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.20 2019/10/13 07:28:22 mrg Exp $
+#	$NetBSD: Makefile,v 1.21 2021/03/07 15:09:13 christos Exp $
 
 .include <bsd.own.mk>
 
@@ -12,8 +12,8 @@ LIBCDIR=${NETBSDSRCDIR}/lib/libc
 CPPFLAGS+=-DOPTIMIZE_DB -DLIBWRAP -I. -I${LIBCDIR}/include
 YHEADER=1
 
-LDADD+=	-lwrap -lutil
-DPADD+=	${LIBWRAP} ${LIBUTIL}
+LDADD+=	-lwrap -lblocklist -lutil
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
 
 CPPFLAGS.gethnamaddr.c=	-UYP -D_LIBC
 CPPFLAGS.getnetnamadr.c=-UYP -D_LIBC

Index: src/usr.sbin/ypserv/ypserv/ypserv.c
diff -u src/usr.sbin/ypserv/ypserv/ypserv.c:1.26 src/usr.sbin/ypserv/ypserv/ypserv.c:1.27
--- src/usr.sbin/ypserv/ypserv/ypserv.c:1.26	Wed Mar 14 22:02:24 2012
+++ src/usr.sbin/ypserv/ypserv/ypserv.c	Sun Mar  7 10:09:13 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $	*/
+/*	$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $	*/
 
 /*
  * Copyright (c) 1994 Mats O Jansson <m...@stacken.kth.se>
@@ -28,7 +28,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $");
+__RCSID("$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $");
 #endif
 
 #include <sys/types.h>
@@ -141,7 +141,7 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT 
 #ifdef LIBWRAP
 	caller = svc_getrpccaller(transp)->buf;
 	(void)request_init(&req, RQ_DAEMON, getprogname(), RQ_CLIENT_SIN,
-	    caller, NULL);
+	    caller, RQ_FILE, transp->xp_fd, NULL);
 	sock_methods(&req);
 
 	/*
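Review bot: The added `RQ_FILE, transp->xp_fd` arguments carry no comment, and the reason for them is only visible in libwrap, where a request without a descriptor falls back to a hard-coded fd. A short comment above the call such as `/* pass the transport fd so libwrap's blocklist report uses a real descriptor */` would record that. The other libwrap consumers relinked in this commit (inetd, lpd, syslogd, the nfsservice test) get no matching source change here; any of them that call request_init() without `RQ_FILE` would presumably still hit that fallback. ypprog_2 begins and continues outside the hunk.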
