NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/iputils: use capabilities if possible

Browse Source 
If support for extended attributes is enabled, then we can use them to
store capabilities. If not, we keep using the setuid bit.

arping does not get a capability, as it can be used for arp poisoning.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[yann.morin.1998@free.fr:
  - resort to using q full-fledged conditional block
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Petr Vorel 2019-08-01 18:22:33 +02:00 committed by Peter Korsgaard
parent d413204a32
commit 9440f3554b
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
package/iputils/iputils.mk
View File

@ -79,11 +79,23 @@ IPUTILS_POST_INSTALL_TARGET_HOOKS += IPUTILS_CREATE_PING6_SYMLINK
# handle permissions ourselves
IPUTILS_CONF_OPTS += -DNO_SETCAP_OR_SUID=true
ifeq ($(BR2_ROOTFS_DEVICE_TABLE_SUPPORTS_EXTENDED_ATTRIBUTES),y)
define IPUTILS_PERMISSIONS
/usr/sbin/arping f 755 0 0 - - - - -
/usr/bin/clockdiff f 755 0 0 - - - - -
|xattr cap_net_raw+p
/bin/ping f 755 0 0 - - - - -
|xattr cap_net_raw+p
/usr/bin/traceroute6 f 755 0 0 - - - - -
|xattr cap_net_raw+p
endef
else
define IPUTILS_PERMISSIONS
/usr/sbin/arping f 755 0 0 - - - - -
/usr/bin/clockdiff f 4755 0 0 - - - - -
/bin/ping f 4755 0 0 - - - - -
/usr/bin/traceroute6 f 4755 0 0 - - - - -
endef
endif
$(eval $(meson-package))