Add blocklist support to libwrap which enables all programs using libwrap

to block access from hosts we deny. (libwrap support from Greg A. Woods)
2021-03-07 15:09:12 +00:00 · 2021-03-07 15:09:12 +00:00 · d54a6e0c5d
parent ee87d87fd0
commit d54a6e0c5d
11 changed files with 65 additions and 32 deletions
--- a/lib/Makefile
+++ b/lib/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.286 2020/10/29 20:11:17 nia Exp $
+#	$NetBSD: Makefile,v 1.287 2021/03/07 15:09:12 christos Exp $
 #	from: @(#)Makefile	5.25.1.1 (Berkeley) 5/7/91

 .include <bsd.own.mk>
@ -27,7 +27,7 @@ SUBDIR+=	libarch \
 		libossaudio libpci libposix libprop libpthread \
 		libpuffs libresolv librmt librpcsvc librt \
 		libtelnet libterminfo \
-		libusbhid libutil libwrap liby libz
+		libusbhid libutil liby libz

 .if !defined(BSD_MK_COMPAT_FILE)
 SUBDIR+=	libkern
@ -178,6 +178,8 @@ SUBDIR+=	../external/mit/libuv/lib
 #==================== 2nd library dependency barrier ====================
 SUBDIR+=	.WAIT

+SUBDIR+=	libwrap
+
 .if (${MKGCC} != "no" && ${MKCXX} != "no" && ${MKLIBSTDCXX} != "no")
 .for sanitizer in asan lsan ubsan
 .if exists(../external/gpl3/${EXTERNAL_GCC_SUBDIR}/lib/lib${sanitizer})
--- a/lib/libwrap/Makefile
+++ b/lib/libwrap/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.11 2019/01/11 20:37:30 christos Exp $
+#	$NetBSD: Makefile,v 1.12 2021/03/07 15:09:12 christos Exp $

 USE_FORT?= yes	# network server

@ -14,6 +14,9 @@ MLINKS+=hosts_access.3 hosts_ctl.3
 MLINKS+=hosts_access.3 request_init.3
 MLINKS+=hosts_access.3 request_set.3

+#LDADD+=-lblocklist
+PADD+=${LIBBLOCKLIST}
+
 INCS= tcpd.h
 INCSDIR=/usr/include

--- a/lib/libwrap/hosts_access.c
+++ b/lib/libwrap/hosts_access.c
@ -1,4 +1,4 @@
-/*	$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $	*/
+/*	$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $	*/

 /*
  * This module implements a simple access control language that is based on
@ -24,7 +24,7 @@
 #if 0
 static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
 #else
-__RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $");
+__RCSID("$NetBSD: hosts_access.c,v 1.23 2021/03/07 15:09:12 christos Exp $");
 #endif
 #endif

@ -37,6 +37,7 @@ __RCSID("$NetBSD: hosts_access.c,v 1.22 2020/03/30 08:34:38 ryo Exp $");
 #endif
 #include <netinet/in.h>
 #include <arpa/inet.h>
+#include <blocklist.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <syslog.h>
@ -103,6 +104,24 @@ static int masked_match6(char *, char *, char *);

 #define	BUFLEN 2048

+static void
+pfilter_notify(struct request_info *request, int b)
+{
+    static struct blocklist *blstate;
+
+    if (blstate == NULL) {
+	blstate = blocklist_open();
+    }
+    if (request->client->sin != NULL) {
+	    blocklist_sa_r(blstate, b, request->fd != -1 ? request->fd : 3,
+		request->client->sin, request->client->sin->sa_len,
+		request->daemon ? request->daemon : getprogname());
+    } else {
+	    blocklist_r(blstate, b, (request->fd != -1) ? request->fd : 3,
+		request->daemon ? request->daemon : getprogname());
+    }
+}
+
 /* hosts_access - host access control facility */

 int
@ -128,12 +147,21 @@ hosts_access(struct request_info *request)
    if (resident <= 0)
 	resident++;
    verdict = setjmp(tcpd_buf);
-    if (verdict != 0)
+    if (verdict != 0) {
+	if (verdict != AC_PERMIT)
+	    pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
+	/* XXX pfilter_notify(0)??? */
 	return (verdict == AC_PERMIT);
-    if (table_match(hosts_allow_table, request))
+    }
+    if (table_match(hosts_allow_table, request)) {
+	/* XXX pfilter_notify(0)??? */
 	return (YES);
-    if (table_match(hosts_deny_table, request))
+    }
+    if (table_match(hosts_deny_table, request)) {
+	pfilter_notify(request, BLOCKLIST_AUTH_FAIL);
 	return (NO);
+    }
+    /* XXX pfilter_notify(0)??? */
    return (YES);
 }

--- a/tests/fs/nfs/nfsservice/Makefile
+++ b/tests/fs/nfs/nfsservice/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.15 2020/03/01 18:08:14 christos Exp $
+#	$NetBSD: Makefile,v 1.16 2021/03/07 15:09:12 christos Exp $
 #

 NOMAN=	1
@ -45,8 +45,8 @@ CPPFLAGS+=	-I${LIBRPCDIR} -DPORTMAP -DLIBWRAP -DRPCBIND_RUMP
 # CPPFLAGS+=	-DRPCBIND_DEBUG
 # CPPFLAGS+=	-DSVC_RUN_DEBUG

-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}

 SANITIZER_RENAME_SYMBOL+=	__getmntinfo13

--- a/usr.sbin/inetd/Makefile
+++ b/usr.sbin/inetd/Makefile
@ -1,5 +1,5 @@
 #	from: @(#)Makefile	8.1 (Berkeley) 6/6/93
-#	$NetBSD: Makefile,v 1.23 2009/10/22 22:50:35 tsarna Exp $
+#	$NetBSD: Makefile,v 1.24 2021/03/07 15:09:12 christos Exp $

 .include <bsd.own.mk>

@ -13,8 +13,8 @@ MLINKS=	inetd.8 inetd.conf.5
 CPPFLAGS+=-DLIBWRAP
 # Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
 #CPPFLAGS+=-DLIBWRAP_INTERNAL
-LDADD+= -lwrap -lutil
-DPADD+= ${LIBWRAP} ${LIBUTIL}
+LDADD+= -lwrap -lblocklist -lutil
+DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}

 .if (${USE_INET6} != "no")
 CPPFLAGS+=-DINET6
--- a/usr.sbin/lpr/lpd/Makefile
+++ b/usr.sbin/lpr/lpd/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.18 2005/01/10 02:58:59 lukem Exp $
+#	$NetBSD: Makefile,v 1.19 2021/03/07 15:09:12 christos Exp $
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93

 .include <bsd.own.mk>
@ -8,8 +8,8 @@ MAN=	lpd.8
 SRCS=	lpd.c printjob.c recvjob.c lpdchar.c key.c modes.c ttcompat.c rcmd.c

 CPPFLAGS+=-DLIBWRAP
-LDADD+=	-lwrap
-DPADD+=	${LIBWRAP}
+LDADD+=	-lwrap -lblocklist
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST}

 .if (${USE_INET6} != "no")
 CPPFLAGS.rcmd.c=	-DINET6
--- a/usr.sbin/syslogd/Makefile
+++ b/usr.sbin/syslogd/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.30 2019/10/13 07:28:22 mrg Exp $
+#	$NetBSD: Makefile,v 1.31 2021/03/07 15:09:12 christos Exp $
 #	from: @(#)Makefile	8.1 (Berkeley) 6/6/93
 .include <bsd.own.mk>

@ -25,8 +25,8 @@ CPPFLAGS+=-DLIBWRAP
 .if ${HAVE_OPENSSL} < 11
 CPPFLAGS+=-DOPENSSL_API_COMPAT=0x10100000L
 .endif
-LDADD+=	-lwrap
-DPADD+=	${LIBWRAP}
+LDADD+=	-lwrap -lblocklist 
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST} 

 LDADD+=	-lssl -lcrypto

--- a/usr.sbin/tcpdchk/Makefile
+++ b/usr.sbin/tcpdchk/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.13 2009/04/22 15:23:08 lukem Exp $
+#	$NetBSD: Makefile,v 1.14 2021/03/07 15:09:12 christos Exp $

 WARNS?=	1	# XXX: many issues in lib/libwrap to address first

@ -7,8 +7,8 @@ WARNS?=	1	# XXX: many issues in lib/libwrap to address first
 PROG=	tcpdchk
 SRCS=	tcpdchk.c fakelog.c inetcf.c scaffold.c percent_m.c
 MAN=	tcpdchk.8
-LDADD=	-lwrap
-DPADD=	${LIBWRAP}
+LDADD=	-lwrap -lblocklist 
+DPADD=	${LIBWRAP} ${LIBBLOCKLIST} 

 CPPFLAGS+= -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED

--- a/usr.sbin/tcpdmatch/Makefile
+++ b/usr.sbin/tcpdmatch/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.12 2009/04/22 15:23:09 lukem Exp $
+#	$NetBSD: Makefile,v 1.13 2021/03/07 15:09:13 christos Exp $
 #

 WARNS?=	1	# XXX: many issues in lib/libwrap to address first
@ -11,8 +11,8 @@ MAN=	tcpdmatch.8
 TCPDCHK=${NETBSDSRCDIR}/usr.sbin/tcpdchk
 .PATH: ${TCPDCHK}
 CPPFLAGS+= -I${TCPDCHK} -I${NETBSDSRCDIR}/lib/libwrap -DSYS_ERRLIST_DEFINED
-LDADD=	-lwrap
-DPADD=	${LIBWRAP}
+LDADD=	-lwrap -lblocklist
+DPADD=	${LIBWRAP} ${LIBBLOCKLIST}

 .include "${NETBSDSRCDIR}/lib/libwrap/Makefile.cflags"

--- a/usr.sbin/ypserv/ypserv/Makefile
+++ b/usr.sbin/ypserv/ypserv/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.20 2019/10/13 07:28:22 mrg Exp $
+#	$NetBSD: Makefile,v 1.21 2021/03/07 15:09:13 christos Exp $

 .include <bsd.own.mk>

@ -12,8 +12,8 @@ LIBCDIR=${NETBSDSRCDIR}/lib/libc
 CPPFLAGS+=-DOPTIMIZE_DB -DLIBWRAP -I. -I${LIBCDIR}/include
 YHEADER=1

-LDADD+=	-lwrap -lutil
-DPADD+=	${LIBWRAP} ${LIBUTIL}
+LDADD+=	-lwrap -lblocklist -lutil
+DPADD+=	${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}

 CPPFLAGS.gethnamaddr.c=	-UYP -D_LIBC
 CPPFLAGS.getnetnamadr.c=-UYP -D_LIBC
--- a/usr.sbin/ypserv/ypserv/ypserv.c
+++ b/usr.sbin/ypserv/ypserv/ypserv.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $	*/
+/*	$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $	*/

 /*
 * Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@ -28,7 +28,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ypserv.c,v 1.26 2012/03/15 02:02:24 joerg Exp $");
+__RCSID("$NetBSD: ypserv.c,v 1.27 2021/03/07 15:09:13 christos Exp $");
 #endif

 #include <sys/types.h>
@ -141,7 +141,7 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT *transp)
 #ifdef LIBWRAP
 	caller = svc_getrpccaller(transp)->buf;
 	(void)request_init(&req, RQ_DAEMON, getprogname(), RQ_CLIENT_SIN,
-	    caller, NULL);
+	    caller, RQ_FILE, transp->xp_fd, NULL);
 	sock_methods(&req);

 	/*