path: root/debian/patches/04_drop-capabilities.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_drop-capabilities.dpatch by  <fpeters@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Drop all capabilities but CAP_NET_RAW

@DPATCH@
diff -urNad wireshark-0.99.2~/configure.in wireshark-0.99.2/configure.in
--- wireshark-0.99.2~/configure.in	2006-07-18 21:59:41.000000000 +0200
+++ wireshark-0.99.2/configure.in	2006-07-18 21:59:46.000000000 +0200
@@ -831,6 +831,47 @@
 fi
 
 
+dnl libcap check
+AC_MSG_CHECKING(whether to use libcap to improve security)
+
+AC_ARG_WITH(cap,
+[  --with-cap[[=DIR]]       use libcap (located in directory DIR, if supplied) to improve security.  [[default=yes, if available]]],
+[
+	if test $withval = no
+	then
+		want_cap=no
+	elif test $withval = yes
+	then
+		want_cap=yes
+	else
+		want_cap=yes
+		cap_dir=$withval
+	fi
+],[
+	#
+	# Use libcap if it's present, otherwise don't.
+	#
+	want_cap=ifavailable
+	cap_dir=
+])
+if test "x$want_cap" = "xno" ; then
+        AC_MSG_RESULT(no)
+	cap_message="no (disabled by explicit request)"
+else
+        AC_MSG_RESULT(yes)
+        AC_CHECK_LIB(cap, cap_init, [
+		AC_DEFINE(HAVE_LIBCAP, 1, [
+			Define if libcap is available to restrict process capabilities
+		])
+		LIBS="$LIBS -lcap"
+		cap_message="yes"
+	], [
+		AC_MSG_WARN([libcap check failed])
+		cap_message="no (check failed)"
+	])
+fi
+
+
 dnl Check if wireshark should be installed setuid
 AC_ARG_ENABLE(setuid-install,
 [  --enable-setuid-install install wireshark as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
@@ -1448,3 +1489,4 @@
 echo "          Use IPv6 name resolution : $enable_ipv6"
 echo "     Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
 echo "                Use gnutls library : $tls_message"
+echo "                   Use cap library : $cap_message"
diff -urNad wireshark-0.99.2~/gtk/main.c wireshark-0.99.2/gtk/main.c
--- wireshark-0.99.2~/gtk/main.c	2006-07-17 21:56:45.000000000 +0200
+++ wireshark-0.99.2/gtk/main.c	2006-07-18 21:59:46.000000000 +0200
@@ -1718,6 +1718,9 @@
 {
     gchar *capture_msg;
 
+#ifdef HAVE_LIBCAP
+  dropexcesscapabilities();
+#endif
 
 	gtk_statusbar_pop(GTK_STATUSBAR(packets_bar), packets_ctx);
 
diff -urNad wireshark-0.99.2~/tshark.c wireshark-0.99.2/tshark.c
--- wireshark-0.99.2~/tshark.c	2006-07-17 22:00:06.000000000 +0200
+++ wireshark-0.99.2/tshark.c	2006-07-18 22:01:35.000000000 +0200
@@ -749,6 +749,10 @@
   capture_opts_init(&capture_opts, NULL /* cfile */);
 #endif
 
+#ifdef HAVE_LIBCAP
+  dropexcesscapabilities();
+#endif
+
   timestamp_set_type(TS_RELATIVE);
   timestamp_set_precision(TS_PREC_AUTO);
 
diff -urNad wireshark-0.99.2~/util.c wireshark-0.99.2/util.c
--- wireshark-0.99.2~/util.c	2006-07-17 22:00:05.000000000 +0200
+++ wireshark-0.99.2/util.c	2006-07-18 21:59:46.000000000 +0200
@@ -40,6 +40,10 @@
 #include <epan/address.h>
 #include <epan/addr_resolv.h>
 
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+
 #include "util.h"
 
 /*
@@ -180,3 +184,46 @@
 	}
 	return "";
 }
+
+
+#ifdef HAVE_LIBCAP
+void dropexcesscapabilities(void)
+{
+	cap_t cap_d;
+	cap_value_t cap_values[] = {
+		/* capabilities we need to keep */
+		CAP_NET_RAW,
+		CAP_DAC_READ_SEARCH
+	};
+	cap_flag_value_t current_cap;
+
+	cap_d = cap_get_proc();
+	if (!cap_d) {
+		g_warning("Could not get capabilities\n");
+		return;
+	}
+
+	cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, &current_cap);
+	cap_free(&cap_d);
+	if (current_cap == CAP_CLEAR) {
+		return;
+	}
+
+	cap_d = cap_init();
+	if (!cap_d) {
+		g_warning("Could not alloc cap struct\n");
+		return;
+	}
+
+	cap_clear(cap_d);
+	cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
+	cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
+
+	if (cap_set_proc(cap_d) != 0) {
+		g_warning("Could not set capabilities: %s\n", strerror(errno));
+		cap_free(&cap_d);
+		return;
+	}
+	cap_free(&cap_d);
+}
+#endif /* HAVE_LIBCAP */
diff -urNad wireshark-0.99.2~/util.h wireshark-0.99.2/util.h
--- wireshark-0.99.2~/util.h	2006-07-17 22:00:06.000000000 +0200
+++ wireshark-0.99.2/util.h	2006-07-18 22:01:52.000000000 +0200
@@ -53,6 +53,15 @@
 const char *get_conn_cfilter(void);
 
 
+#ifdef HAVE_LIBCAP
+/*
+ * Limit the potential impact of undiscovered security vulnerabilities by
+ * dropping all capabilities except the sniffer capability we need to do our
+ * job.
+ */
+void dropexcesscapabilities(void);
+#endif /* HAVE_LIBCAP */
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_drop-capabilities.dpatch by  <fpeters@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Drop all capabilities but CAP_NET_RAW

@DPATCH@
diff -urNad --exclude=CVS --exclude=.svn ./config.h.in /tmp/dpep-work.rT2mW8/ethereal-0.10.12/config.h.in
--- ./config.h.in	2005-07-31 12:50:13.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/config.h.in	2005-07-31 12:54:13.000000000 +0200
@@ -55,6 +55,9 @@
 /* Define if krb5.h defines KEYTYPE_ARCFOUR_56 */
 #undef HAVE_KEYTYPE_ARCFOUR_56
 
+/* Define if libcap is available to restrict process capabilities */
+#undef HAVE_LIBCAP
+
 /* Define to use libpcap library */
 #undef HAVE_LIBPCAP
 
diff -urNad --exclude=CVS --exclude=.svn ./configure.in /tmp/dpep-work.rT2mW8/ethereal-0.10.12/configure.in
--- ./configure.in	2005-07-31 12:50:26.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/configure.in	2005-07-31 12:54:13.000000000 +0200
@@ -737,6 +737,47 @@
 fi
 
 
+dnl libcap check
+AC_MSG_CHECKING(whether to use libcap to improve security)
+
+AC_ARG_WITH(cap,
+[  --with-cap[[=DIR]]       use libcap (located in directory DIR, if supplied) to improve security.  [[default=yes, if available]]],
+[
+	if test $withval = no
+	then
+		want_cap=no
+	elif test $withval = yes
+	then
+		want_cap=yes
+	else
+		want_cap=yes
+		cap_dir=$withval
+	fi
+],[
+	#
+	# Use libcap if it's present, otherwise don't.
+	#
+	want_cap=ifavailable
+	cap_dir=
+])
+if test "x$want_cap" = "xno" ; then
+        AC_MSG_RESULT(no)
+	cap_message="no (disabled by explicit request)"
+else
+        AC_MSG_RESULT(yes)
+        AC_CHECK_LIB(cap, cap_init, [
+		AC_DEFINE(HAVE_LIBCAP, 1, [
+			Define if libcap is available to restrict process capabilities
+		])
+		LIBS="$LIBS -lcap"
+		cap_message="yes"
+	], [
+		AC_MSG_WARN([libcap check failed])
+		cap_message="no (check failed)"
+	])
+fi
+
+
 dnl Check if wireshark should be installed setuid
 AC_ARG_ENABLE(setuid-install,
 [  --enable-setuid-install install ethereal as setuid. DANGEROUS!!! [default=no]],enable_setuid_install=$enableval,enable_setuid_install=no)
@@ -1322,3 +1363,4 @@
 echo "            Use SSL crypto library : $ssl_message"
 echo "          Use IPv6 name resolution : $enable_ipv6"
 echo "     Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
+echo "                   Use cap library : $cap_message"
diff -urNad --exclude=CVS --exclude=.svn ./gtk/main.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/gtk/main.c
--- ./gtk/main.c	2005-07-31 12:50:37.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/gtk/main.c	2005-07-31 12:54:13.000000000 +0200
@@ -1671,6 +1671,9 @@
   runtime_info_str = g_string_new("Running ");
   get_runtime_version_info(runtime_info_str);
 
+#ifdef HAVE_LIBCAP
+  dropexcesscapabilities();
+#endif
 
   /*** "pre-scan" the command line parameters, if we have "console only" parameters ***/
   /* (e.g. don't start GTK+, if we only have to show the command line help) */
diff -urNad --exclude=CVS --exclude=.svn ./tethereal.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/tethereal.c
--- ./tethereal.c	2005-07-31 12:49:37.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/tethereal.c	2005-07-31 12:54:13.000000000 +0200
@@ -663,6 +663,10 @@
   capture_opts_init(&capture_opts, NULL /* cfile */);
 #endif
 
+#ifdef HAVE_LIBCAP
+  dropexcesscapabilities();
+#endif
+
   set_timestamp_setting(TS_RELATIVE);
 
   /* Register all dissectors; we must do this before checking for the
diff -urNad --exclude=CVS --exclude=.svn ./util.c /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.c
--- ./util.c	2005-07-31 12:49:42.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.c	2005-07-31 12:56:35.000000000 +0200
@@ -69,6 +69,10 @@
 #include <windows.h>
 #endif
 
+#ifdef HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
+
 #include "util.h"
 
 /*
@@ -311,3 +315,46 @@
 	}
 	return "";
 }
+
+
+#ifdef HAVE_LIBCAP
+void dropexcesscapabilities(void)
+{
+	cap_t cap_d;
+	cap_value_t cap_values[] = {
+		/* capabilities we need to keep */
+		CAP_NET_RAW,
+		CAP_DAC_READ_SEARCH
+	};
+	cap_flag_value_t current_cap;
+
+	cap_d = cap_get_proc();
+	if (!cap_d) {
+		g_warning("Could not get capabilities\n");
+		return;
+	}
+
+	cap_get_flag(cap_d, CAP_NET_RAW, CAP_EFFECTIVE, &current_cap);
+	cap_free(&cap_d);
+	if (current_cap == CAP_CLEAR) {
+		return;
+	}
+
+	cap_d = cap_init();
+	if (!cap_d) {
+		g_warning("Could not alloc cap struct\n");
+		return;
+	}
+
+	cap_clear(cap_d);
+	cap_set_flag(cap_d, CAP_PERMITTED, 2, cap_values, CAP_SET);
+	cap_set_flag(cap_d, CAP_EFFECTIVE, 2, cap_values, CAP_SET);
+
+	if (cap_set_proc(cap_d) != 0) {
+		g_warning("Could not set capabilities: %s\n", strerror(errno));
+		cap_free(&cap_d);
+		return;
+	}
+	cap_free(&cap_d);
+}
+#endif /* HAVE_LIBCAP */
diff -urNad --exclude=CVS --exclude=.svn ./util.h /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.h
--- ./util.h	2005-07-31 12:49:42.000000000 +0200
+++ /tmp/dpep-work.rT2mW8/ethereal-0.10.12/util.h	2005-07-31 12:54:13.000000000 +0200
@@ -43,6 +43,15 @@
 /* Create a capture filter for the connection */
 char *get_conn_cfilter(void);
 
+#ifdef HAVE_LIBCAP
+/*
+ * Limit the potential impact of undiscovered security vulnerabilities by
+ * dropping all capabilities except the sniffer capability we need to do our
+ * job.
+ */
+void dropexcesscapabilities(void);
+#endif /* HAVE_LIBCAP */
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */