Merge pull request #130853 from mweinelt/pppd

This commit is contained in:
Martin Weinelt 2021-07-22 20:00:00 +02:00 committed by GitHub
commit 70774da509
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 74 additions and 194 deletions

View file

@ -82,13 +82,21 @@ in
LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
NIX_REDIRECTS = "/var/run=/run/pppd";
};
serviceConfig = {
serviceConfig = let
capabilities = [
"CAP_BPF"
"CAP_SYS_TTY_CONFIG"
"CAP_NET_ADMIN"
"CAP_NET_RAW"
];
in
{
ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
Restart = "always";
RestartSec = 5;
AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
@ -103,7 +111,17 @@ in
ProtectKernelTunables = false;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
RestrictAddressFamilies = [
"AF_ATMPVC"
"AF_ATMSVC"
"AF_INET"
"AF_INET6"
"AF_IPX"
"AF_NETLINK"
"AF_PACKET"
"AF_PPPOX"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;

View file

@ -1,45 +1,37 @@
{ lib, stdenv, fetchurl, fetchpatch, fetchFromGitHub, substituteAll, libpcap, openssl }:
{ lib
, stdenv
, fetchFromGitHub
, substituteAll
, libpcap
, openssl
}:
stdenv.mkDerivation rec {
version = "2.4.8";
version = "2.4.9";
pname = "ppp";
src = fetchFromGitHub {
owner = "paulusmack";
repo = "ppp";
rev = "ppp-${version}";
sha256 = "1i88m79h6g3fzsb4yw3k8bq1grsx3hsyawm7id2vcaab0gfqzjjv";
owner = "ppp-project";
repo = pname;
rev = "${pname}-${version}";
sha256 = "sha256-8+nbqRNfKPLDx+wmuKSkv+BSeG72hKJI4dNqypqeEK4=";
};
patches =
[
( substituteAll {
src = ./nix-purity.patch;
inherit libpcap;
glibc = stdenv.cc.libc.dev or stdenv.cc.libc;
openssl = openssl.dev;
})
# Without nonpriv.patch, pppd --version doesn't work when not run as
# root.
./nonpriv.patch
(fetchpatch {
name = "CVE-2015-3310.patch";
url = "https://github.com/paulusmack/ppp/commit/858976b1fc3107f1261aae337831959b511b83c2.patch";
sha256 = "0wirmcis67xjwllqhz9lsz1b7dcvl8shvz78lxgybc70j2sv7ih4";
})
(fetchurl {
url = "https://www.nikhef.nl/~janjust/ppp/ppp-2.4.7-eaptls-mppe-1.102.patch";
sha256 = "04war8l5szql53l36043hvzgfwqp3v76kj8brbz7wlf7vs2mlkia";
})
(fetchpatch {
name = "CVE-2020-8597.patch";
url = "https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426.patch";
sha256 = "129wnhwxmzvr3y9gzxv82jnb5y8m4yg8vkpa0xl2rwkl8anbzgkh";
})
./musl-fix-headers.patch
];
patches = [
(substituteAll {
src = ./nix-purity.patch;
glibc = stdenv.cc.libc.dev or stdenv.cc.libc;
openssl_dev = openssl.dev;
openssl_out = openssl.out;
})
# Without nonpriv.patch, pppd --version doesn't work when not run as root.
./nonpriv.patch
];
buildInputs = [ libpcap openssl ];
buildInputs = [
libpcap
openssl
];
postPatch = ''
# strip is not found when cross compiling with seemingly no way to point
@ -66,9 +58,14 @@ stdenv.mkDerivation rec {
'';
meta = with lib; {
homepage = "https://ppp.samba.org/";
description = "Point-to-point implementation for Linux and Solaris";
license = with licenses; [ bsdOriginal publicDomain gpl2 lgpl2 ];
homepage = "https://ppp.samba.org";
description = "Point-to-point implementation to provide Internet connections over serial lines";
license = with licenses; [
bsdOriginal
publicDomain
gpl2
lgpl2
];
platforms = platforms.linux;
maintainers = [ ];
};

View file

@ -1,137 +0,0 @@
diff --git a/include/net/ppp_defs.h b/include/net/ppp_defs.h
index b06eda5..dafa36c 100644
--- a/include/net/ppp_defs.h
+++ b/include/net/ppp_defs.h
@@ -38,6 +38,8 @@
#ifndef _PPP_DEFS_H_
#define _PPP_DEFS_H_
+#include <sys/time.h>
+
/*
* The basic PPP frame.
*/
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index a74c914..7acd2cf 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -126,7 +126,7 @@ LIBS += -lcrypt
endif
ifdef USE_LIBUTIL
-CFLAGS += -DHAVE_LOGWTMP=1
+#CFLAGS += -DHAVE_LOGWTMP=1
LIBS += -lutil
endif
diff --git a/pppd/magic.h b/pppd/magic.h
index c81213b..305aece 100644
--- a/pppd/magic.h
+++ b/pppd/magic.h
@@ -42,6 +42,8 @@
* $Id: magic.h,v 1.5 2003/06/11 23:56:26 paulus Exp $
*/
+#include <sys/cdefs.h>
+
void magic_init (void); /* Initialize the magic number generator */
u_int32_t magic (void); /* Returns the next magic number */
diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c
index 91e9a57..9c0fac3 100644
--- a/pppd/plugins/rp-pppoe/if.c
+++ b/pppd/plugins/rp-pppoe/if.c
@@ -30,10 +30,6 @@ static char const RCSID[] =
#include <linux/if_packet.h>
#endif
-#ifdef HAVE_NET_ETHERNET_H
-#include <net/ethernet.h>
-#endif
-
#ifdef HAVE_ASM_TYPES_H
#include <asm/types.h>
#endif
diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
index a8c2bb4..ca34d79 100644
--- a/pppd/plugins/rp-pppoe/plugin.c
+++ b/pppd/plugins/rp-pppoe/plugin.c
@@ -46,7 +46,6 @@ static char const RCSID[] =
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
-#include <net/ethernet.h>
#include <net/if_arp.h>
#include <linux/ppp_defs.h>
#include <linux/if_pppox.h>
diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
index 3d3bf4e..b5f82d3 100644
--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
@@ -27,10 +27,6 @@
#include <linux/if_packet.h>
#endif
-#ifdef HAVE_NET_ETHERNET_H
-#include <net/ethernet.h>
-#endif
-
#ifdef HAVE_ASM_TYPES_H
#include <asm/types.h>
#endif
@@ -55,6 +51,8 @@ void die(int status)
exit(status);
}
+#define error(x...) fprintf(stderr, x)
+
/* Initialize frame types to RFC 2516 values. Some broken peers apparently
use different frame types... sigh... */
diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
index c4aaa6e..70aef85 100644
--- a/pppd/plugins/rp-pppoe/pppoe.h
+++ b/pppd/plugins/rp-pppoe/pppoe.h
@@ -88,18 +88,6 @@ typedef unsigned long UINT32_t;
#include <linux/if_ether.h>
#endif
-#ifdef HAVE_NETINET_IF_ETHER_H
-#include <sys/types.h>
-
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifndef HAVE_SYS_DLPI_H
-#include <netinet/if_ether.h>
-#endif
-#endif
-
-
/* Ethernet frame types according to RFC 2516 */
#define ETH_PPPOE_DISCOVERY 0x8863
#define ETH_PPPOE_SESSION 0x8864
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
index 6d71530..86d224e 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -102,19 +102,11 @@
#define MAX_ADDR_LEN 7
#endif
-#if !defined(__GLIBC__) || __GLIBC__ >= 2
#include <asm/types.h> /* glibc 2 conflicts with linux/types.h */
#include <net/if.h>
#include <net/if_arp.h>
#include <net/route.h>
#include <netinet/if_ether.h>
-#else
-#include <linux/types.h>
-#include <linux/if.h>
-#include <linux/if_arp.h>
-#include <linux/route.h>
-#include <linux/if_ether.h>
-#endif
#include <netinet/in.h>
#include <arpa/inet.h>

View file

@ -1,31 +1,33 @@
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index 9664f70..d07e01e 100644
index 22837c5..6f6fff5 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -125,7 +125,7 @@ CFLAGS += -DHAS_SHADOW
@@ -111,8 +111,8 @@ endif
# EAP SRP-SHA1
ifdef USE_SRP
-CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
-LIBS += -lsrp -L/usr/local/ssl/lib
+CFLAGS += -DUSE_SRP -DOPENSSL -I@openssl_dev@/include/openssl
+LIBS += -lsrp -L@openssl_out@/lib
NEEDCRYPTOLIB = y
TARGETS += srp-entry
EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
@@ -143,7 +143,7 @@ CFLAGS += -DHAS_SHADOW
#LIBS += -lshadow $(LIBS)
endif
-ifneq ($(wildcard $(shell $(CC) --print-sysroot)/usr/include/crypt.h),)
-ifeq ($(shell echo '\#include <crypt.h>' | $(CC) -E - >/dev/null 2>&1 && echo yes),yes)
+ifneq ($(wildcard @glibc@/include/crypt.h),)
CFLAGS += -DHAVE_CRYPT_H=1
LIBS += -lcrypt
LIBS += -lcrypt
endif
@@ -137,7 +137,7 @@ endif
@@ -155,7 +155,7 @@ endif
ifdef NEEDDES
ifndef USE_CRYPT
-CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
+CFLAGS += -I@openssl@/include/openssl
LIBS += -lcrypto
+CFLAGS += -I@openssl_dev@/include/openssl
NEEDCRYPTOLIB = y
else
CFLAGS += -DUSE_CRYPT=1
@@ -188,7 +188,7 @@ LIBS += -ldl
endif
ifdef FILTER
-ifneq ($(wildcard /usr/include/pcap-bpf.h),)
+ifneq ($(wildcard @libpcap@/include/pcap-bpf.h),)
LIBS += -lpcap
CFLAGS += -DPPP_FILTER
endif