authorlidl <lidl@FreeBSD.org>2016-06-02 19:06:04 +0000
committerlidl <lidl@FreeBSD.org>2016-06-02 19:06:04 +0000
commit6f31a383cc6d2459585d754d3d30f980487df06f (patch)
tree45c1a8bc32e7b9d60122086211c8fa6df289de16
parent44920da28cde32f352e76a4220b068c8f623c60d (diff)
Add basic blacklist build support
Reviewed by: rpaulo Approved by: rpaulo Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5913
-rw-r--r--etc/Makefile4
-rw-r--r--etc/blacklistd.conf17
-rw-r--r--etc/defaults/rc.conf2
-rwxr-xr-xetc/periodic/security/520.pfdenied10
-rw-r--r--etc/rc.d/Makefile5
-rw-r--r--etc/rc.d/blacklistd45
-rw-r--r--lib/Makefile5
-rw-r--r--lib/libblacklist/Makefile30
-rw-r--r--libexec/Makefile5
-rw-r--r--libexec/blacklistd-helper/Makefile7
-rw-r--r--share/mk/bsd.libnames.mk1
-rw-r--r--share/mk/src.libnames.mk10
-rw-r--r--share/mk/src.opts.mk2
-rw-r--r--tools/build/mk/OptionalObsoleteFiles.inc20
-rw-r--r--usr.sbin/Makefile4
-rw-r--r--usr.sbin/blacklistctl/Makefile22
-rw-r--r--usr.sbin/blacklistd/Makefile22
17 files changed, 209 insertions, 2 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 94c4473..99d905a 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -86,6 +86,10 @@ BIN1+= apmd.conf
BIN1+= auto_master
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
.if ${MK_FREEBSD_UPDATE} != "no"
BIN1+= freebsd-update.conf
.endif
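Review bot: The new conditional tests `${MK_BLACKLIST_SUPPORT}`, but the option this commit registers in share/mk/src.opts.mk is `BLACKLIST`, which yields `MK_BLACKLIST` — the name the share/mk/src.libnames.mk hunks already use — and nothing in the commit ever defines `MK_BLACKLIST_SUPPORT`. Depending on how bmake treats an undefined variable inside `.if`, this is either a malformed-conditional error or an always-true test that silently ignores a `WITHOUT_BLACKLIST` build. The line should read `.if ${MK_BLACKLIST} != "no"`. The same misnamed variable appears in the etc/rc.d/Makefile, lib/Makefile, libexec/Makefile, tools/build/mk/OptionalObsoleteFiles.inc and usr.sbin/Makefile hunks.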
diff --git a/etc/blacklistd.conf b/etc/blacklistd.conf
new file mode 100644
index 0000000..2b1cf87
--- /dev/null
+++ b/etc/blacklistd.conf
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 24h
+ftp stream * * * 3 24h
+smtp stream * * * 3 24h
+submission stream * * * 3 24h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
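Review bot: The `[local]` section ends with a catch-all `* * * * * 3 60` that applies to every port a blacklist-aware service reports on, and the ssh/ftp/smtp/submission entries block a source for `24h` after `3` failures, yet the only documentation is the bare column header, so an administrator reading the shipped file cannot tell that three mistyped passwords from their own host lock that host out for a day. A comment under the header explaining the last two columns, e.g. `# nfail = failed attempts before a source is blocked; disable = how long the block lasts (e.g. 24h, 10m, seconds)`, would make the policy reviewable; the meanings are inferred from the values, so confirm them against the daemon's parser. The commented `#6161 stream tcp6 christos * 2 10m` line also carries an upstream user name as the `owner` example and reads as a leftover rather than a FreeBSD default.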
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 80061d1..8a5c07e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
+blacklistd_flags="" # Optional flags for blacklistd(8).
#
# kerberos. Do not run the admin daemons on slave servers
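Review bot: `blacklistd_enable="YES"` turns the daemon on for every installation, while the neighbouring `ctld_enable="NO"` and `local_unbound_enable="NO"` entries in this hunk follow the usual opt-in default. A daemon that blocks traffic, enabled by default together with a shipped policy that blocks a source for 24h after three ssh failures, is a lockout risk for administrators who never asked for it; unless the opt-out default was deliberate, the line should be `blacklistd_enable="NO"	# Run blacklistd daemon (YES/NO).`.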
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index f2f9e8a..850c10d 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -44,8 +44,14 @@ rc=0
if check_yesno_period security_status_pfdenied_enable
then
TMP=`mktemp -t security`
- if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
- check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ touch ${TMP}
+ for _a in "" blacklistd
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
rm -f ${TMP}
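Review bot: On the first pass of the loop `_a` is the empty string, and because `${_a}` on the `pfctl -a ${_a} -sr -v -z` line is unquoted it expands to no word at all, so pfctl is run as `pfctl -a -sr -v -z` and takes `-sr` as the anchor name; as far as I can tell from option parsing, the main ruleset that the removed `pfctl -sr -v -z` line used to scan is therefore no longer checked at all, and only the `blacklistd` anchor is reported. Passing the option only when the anchor is set avoids the problem: `pfctl ${_a:+-a ${_a}} -sr -v -z 2>/dev/null | \`. The added `touch ${TMP}` is redundant, since `mktemp` has already created the file and the `>>` redirections create it anyway. The enclosing `if check_yesno_period` block closes outside the hunk.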
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index e5f15e7..2d195f1 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -17,6 +17,7 @@ FILES= DAEMON \
auditd \
auditdistd \
bgfsck \
+ ${_blacklistd} \
${_bluetooth} \
bridge \
${_bthidd} \
@@ -168,6 +169,10 @@ FILES+= automountd
FILES+= autounmountd
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+= blacklistd
+.endif
+
.if ${MK_BLUETOOTH} != "no"
_bluetooth= bluetooth
_bthidd= bthidd
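Review bot: `_blacklistd+= blacklistd` appends to a variable nothing else sets, where the neighbouring `_bluetooth= bluetooth` and `_bthidd= bthidd` use plain assignment; `_blacklistd= blacklistd` matches the file's convention and makes it clear there is no other contributor to the value. The same applies to `_blacklistd-helper+= blacklistd-helper` in the libexec/Makefile hunk.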
diff --git a/etc/rc.d/blacklistd b/etc/rc.d/blacklistd
new file mode 100644
index 0000000..8e79250
--- /dev/null
+++ b/etc/rc.d/blacklistd
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
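Review bot: The script declares `REQUIRE: netif pf`, and the periodic script in this commit reads blocks from a pf anchor named `blacklistd`, yet nothing here tells an administrator that pf must be enabled and carry that anchor for the daemon's blocks to take effect; rcorder only sequences startup, it does not verify that pf is actually running. A comment after the REQUIRE line such as `# Blocks are applied through pf (presumably via blacklistd-helper); pf must be enabled and its ruleset must provide the blacklistd anchor, otherwise the daemon records failures but blocks nothing` would keep a default-enabled service from being silently ineffective.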
diff --git a/lib/Makefile b/lib/Makefile
index d01ecdc..dfed568 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -28,6 +28,7 @@ SUBDIR= ${SUBDIR_ORDERED} \
${_libatm} \
libauditd \
libbegemot \
+ ${_libblacklist} \
libblocksruntime \
${_libbluetooth} \
${_libbsnmp} \
@@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
_libngatm= libngatm
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist= libblacklist
+.endif
+
.if ${MK_BLUETOOTH} != "no"
_libbluetooth= libbluetooth
_libsdp= libsdp
diff --git a/lib/libblacklist/Makefile b/lib/libblacklist/Makefile
new file mode 100644
index 0000000..8187479
--- /dev/null
+++ b/lib/libblacklist/Makefile
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB= blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+ -DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS= bl.c blacklist.c
+INCS= blacklist.h
+MAN= libblacklist.3
+
+MLINKS= libblacklist.3 blacklist_open.3 \
+ libblacklist.3 blacklist_close.3 \
+ libblacklist.3 blacklist.3 \
+ libblacklist.3 blacklist_r.3 \
+ libblacklist.3 blacklist_sa.3 \
+ libblacklist.3 blacklist_sa_r.3
+
+.include <bsd.lib.mk>
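Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` silences a diagnostic for a library that links `pthread`, with no comment saying why, so a reader cannot tell whether the contrib sources merely lack annotations or whether a real locking problem is being hidden. A one-line comment above it, e.g. `# contrib code is not annotated for clang's thread-safety analysis; suppress the resulting warnings rather than patch upstream -- TODO confirm they are not real lock-order findings`, keeps the suppression from being copied without thought.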
diff --git a/libexec/Makefile b/libexec/Makefile
index b60cc34..fdcc49a 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile
@@ -5,6 +5,7 @@
SUBDIR= ${_atf} \
${_atrun} \
+ ${_blacklistd-helper} \
${_comsat} \
${_dma} \
getty \
@@ -33,6 +34,10 @@ SUBDIR= ${_atf} \
_atrun= atrun
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+= blacklistd-helper
+.endif
+
.if ${MK_BOOTPD} != "no"
SUBDIR+= bootpd
.endif
diff --git a/libexec/blacklistd-helper/Makefile b/libexec/blacklistd-helper/Makefile
new file mode 100644
index 0000000..649c619
--- /dev/null
+++ b/libexec/blacklistd-helper/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+SCRIPTS= ${BLACKLIST_DIR}/libexec/blacklistd-helper
+
+.include <bsd.prog.mk>
diff --git a/share/mk/bsd.libnames.mk b/share/mk/bsd.libnames.mk
index 51984cd..e290624 100644
--- a/share/mk/bsd.libnames.mk
+++ b/share/mk/bsd.libnames.mk
@@ -22,6 +22,7 @@ LIBATM?= ${DESTDIR}${LIBDIR}/libatm.a
LIBAUDITD?= ${DESTDIR}${LIBDIR}/libauditd.a
LIBAVL?= ${DESTDIR}${LIBDIR}/libavl.a
LIBBEGEMOT?= ${DESTDIR}${LIBDIR}/libbegemot.a
+LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
LIBBSDXML?= ${DESTDIR}${LIBDIR}/libbsdxml.a
LIBBSM?= ${DESTDIR}${LIBDIR}/libbsm.a
diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
index 522a86c..30fab90 100644
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@@ -178,6 +178,12 @@ _LIBRARIES= \
zfs \
zpool \
+.if ${MK_BLACKLIST} != "no"
+_LIBRARIES+= \
+ blacklist \
+
+.endif
+
.if ${MK_OFED} != "no"
_LIBRARIES+= \
cxgb4 \
@@ -200,6 +206,9 @@ _LIBRARIES+= \
# 2nd+ order consumers. Auto-generating this would be better.
_DP_80211= sbuf bsdxml
_DP_archive= z bz2 lzma bsdxml
+.if ${MK_BLACKLIST} != "no"
+_DP_blacklist+= pthread
+.endif
.if ${MK_OPENSSL} != "no"
_DP_archive+= crypto
.else
@@ -502,6 +511,7 @@ LIBWINDDIR= ${OBJTOP}/kerberos5/lib/libwind
LIBATF_CDIR= ${OBJTOP}/lib/atf/libatf-c
LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
LIBALIASDIR= ${OBJTOP}/lib/libalias/libalias
+LIBBLACKLISTDIR= ${OBJTOP}/lib/libblacklist
LIBBLOCKSRUNTIMEDIR= ${OBJTOP}/lib/libblocksruntime
LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
LIBCASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
index 27444d7..30fe118 100644
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -56,6 +56,7 @@ __DEFAULT_YES_OPTIONS = \
BHYVE \
BINUTILS \
BINUTILS_BOOTSTRAP \
+ BLACKLIST \
BLUETOOTH \
BOOT \
BOOTPARAMD \
@@ -374,6 +375,7 @@ MK_CLANG_FULL:= no
# MK_* variable is set to "no".
#
.for var in \
+ BLACKLIST \
BZIP2 \
GNU \
INET \
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
index 25143ef..68ab86b 100644
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -431,6 +431,26 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
OLD_FILES+=usr/share/man/man7/binutils.7.gz
.endif
+.if ${MK_BLACKLIST_SUPPORT} == no
+OLD_FILES+=etc/rc.d/blacklistd
+OLD_FILES+=usr/include/blacklist.h
+OLD_FILES+=usr/lib/libblacklist.a
+OLD_FILES+=usr/lib/libblacklist_p.a
+OLD_FILES+=usr/lib/libblacklist.so
+OLD_LIBS+=usr/lib/libblacklist.so.0
+OLD_FILES+=usr/libexec/blacklistd-helper
+OLD_FILES+=usr/sbin/blacklistctl
+OLD_FILES+=usr/sbin/blacklistd
+OLD_FILES+=usr/share/man/man3/blacklist.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+.endif
+
.if ${MK_BLUETOOTH} == no
OLD_FILES+=etc/bluetooth/hcsecd.conf
OLD_FILES+=etc/bluetooth/hosts
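Review bot: The new block omits `etc/blacklistd.conf`, which the etc/Makefile hunk installs under the same option, even though `etc/rc.d/blacklistd` is listed and the `MK_BLUETOOTH` block directly below lists its etc/ files; add `OLD_FILES+=etc/blacklistd.conf` so a `WITHOUT_BLACKLIST` delete-old run removes the whole feature.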
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 8dfe327..8c80266 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -113,6 +113,10 @@ SUBDIR.${MK_AUDIT}+= auditreduce
SUBDIR.${MK_AUDIT}+= praudit
SUBDIR.${MK_AUTHPF}+= authpf
SUBDIR.${MK_AUTOFS}+= autofs
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl
+SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd
+.endif
SUBDIR.${MK_BLUETOOTH}+= bluetooth
SUBDIR.${MK_BOOTPARAMD}+= bootparamd
SUBDIR.${MK_BSDINSTALL}+= bsdinstall
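Review bot: The `.if ${MK_BLACKLIST_SUPPORT} != "no"` wrapper is redundant with the `SUBDIR.${MK_…}+=` idiom the surrounding lines rely on — `SUBDIR.${MK_AUTOFS}+= autofs` needs no guard — so the two additions can stand alone, using the option's real MK_ name: `SUBDIR.${MK_BLACKLIST}+= blacklistctl` and `SUBDIR.${MK_BLACKLIST}+= blacklistd`.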
diff --git a/usr.sbin/blacklistctl/Makefile b/usr.sbin/blacklistctl/Makefile
new file mode 100644
index 0000000..fd63b85
--- /dev/null
+++ b/usr.sbin/blacklistctl/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistctl
+SRCS= blacklistctl.c conf.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistctl.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+ -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+ -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+ -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>
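Review bot: `# CFLAGS+= -D_REENTRANT` is a commented-out fragment with no explanation, while lib/libblacklist/Makefile in this same commit does define `-D_REENTRANT`; either drop the line or replace it with a comment saying why the programs must not get the define. `LDFLAGS+=-L${LIBBLACKLISTDIR}` looks redundant given `LIBADD+= blacklist`, since the commit also registers `LIBBLACKLISTDIR` in share/mk/src.libnames.mk, which is how LIBADD locates in-tree libraries — worth confirming before removing. The CFLAGS block is duplicated verbatim in the usr.sbin/blacklistd/Makefile hunk; a shared Makefile.inc would keep the two HAVE_* lists from drifting apart.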
diff --git a/usr.sbin/blacklistd/Makefile b/usr.sbin/blacklistd/Makefile
new file mode 100644
index 0000000..f509b8a
--- /dev/null
+++ b/usr.sbin/blacklistd/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistd
+SRCS= blacklistd.c conf.c run.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistd.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+ -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+ -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+ -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>