pool/ebtables
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 930813 from security:netfilter

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/930813
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ebtables?expand=0&rev=48
This commit is contained in:
Dominique Leuenberger 2021-11-14 23:06:15 +00:00 committed by Git OBS Bridge
commit 58b0ba0cae
3 changed files with 92 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
ebtables.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Thu Nov 11 08:36:14 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
- Add build dependency on libalternatives
- Run spec-cleaner
-------------------------------------------------------------------
Fri Oct 15 07:30:28 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* ebtables.service
-------------------------------------------------------------------
Fri Aug 20 18:06:09 UTC 2021 - Stefan Schubert <schubi@suse.de>
- Use libalternatives instead of update-alternatives.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 2 14:23:48 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org> Wed Sep 2 14:23:48 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

8
ebtables.service
View File

@ -2,6 +2,14 @@
Description=Ethernet Bridge Filtering tables Description=Ethernet Bridge Filtering tables
[Service] [Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=oneshot Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
ExecStart=@LIBEXECDIR@/ebtables-helper start ExecStart=@LIBEXECDIR@/ebtables-helper start

83
ebtables.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package ebtables # spec file for package ebtables
# #
# Copyright (c) 2020 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,11 +16,15 @@
# #
%if 0%{?suse_version} > 1500
%bcond_without libalternatives
%else
%bcond_with libalternatives
%endif
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
Name: ebtables Name: ebtables
Version: 2.0.11 Version: 2.0.11
Release: 0 Release: 0
@ -29,8 +33,8 @@ License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
URL: http://ebtables.sf.net/ URL: http://ebtables.sf.net/
#Git-Clone: git://git.netfilter.org/ebtables #Git-Clone: git://git.netfilter.org/ebtables
Source0: http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz Source0: http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz
Source1: http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.gz.sig Source1: http://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.gz.sig
Source2: ebtables.keyring Source2: ebtables.keyring
Source3: ebtables.service Source3: ebtables.service
Source4: ebtables.systemd Source4: ebtables.systemd
@ -40,10 +44,14 @@ BuildRequires: systemd-rpm-macros
BuildRequires: xz BuildRequires: xz
Requires: netcfg >= 11.6 Requires: netcfg >= 11.6
Requires(pre): %fillup_prereq Requires(pre): %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build %{?systemd_ordering}
%if %{with libalternatives}
BuildRequires: alts
Requires: alts
%else
Requires(post): update-alternatives Requires(post): update-alternatives
Requires(postun):update-alternatives Requires(postun):update-alternatives
%{?systemd_ordering} %endif
%description %description
A firewalling tool to transparently filter network traffic passing a A firewalling tool to transparently filter network traffic passing a
@ -77,7 +85,7 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
# The way ebtables is built requires ASNEEDED=0 forever [bnc#567267] # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
%configure %configure
make %{?_smp_mflags} %make_build
%install %install
# The way ebtables is built requires ASNEEDED=0 forever [bnc#567267] # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
@ -86,33 +94,63 @@ mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
%make_install %make_install
mkdir -p %{buildroot}%{_fillupdir} mkdir -p %{buildroot}%{_fillupdir}
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/ install -p %{_sourcedir}/ebtables.service %{buildroot}%{_unitdir}/
sed -i "s|@LIBEXECDIR@|%{_libexecdir}|g" %{buildroot}%{_unitdir}/*.service sed -i "s|@LIBEXECDIR@|%{_libexecdir}|g" %{buildroot}%{_unitdir}/*.service
chmod -x %{buildroot}%{_unitdir}/*.service chmod -x %{buildroot}%{_unitdir}/*.service
mkdir -p %{buildroot}%{_libexecdir} mkdir -p %{buildroot}%{_libexecdir}
install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper install -m0755 %{_sourcedir}/ebtables.systemd %{buildroot}%{_libexecdir}/%{name}-helper
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
rm -rfv %{buildroot}%{_initrddir} rm -rfv %{buildroot}%{_initddir}
# not used # not used
rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config" rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
for i in ebtables ebtables-restore ebtables-save; do for i in ebtables ebtables-restore ebtables-save; do
ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i" %if ! %{with libalternatives}
ln -fsv "%{_sysconfdir}/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
%else
ln -fsv %{_bindir}/alts "%{buildroot}/%{_sbindir}/$i"
%endif
done done
echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8" echo ".so ebtables-legacy.8" >"%{buildroot}/%{_mandir}/man8/ebtables.8"
# no headers to make use of it # no headers to make use of it
rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so" rm -f "%{buildroot}/%{_libdir}/libebtc.la" "%{buildroot}/%{_libdir}/libebtc.so"
%if %{with libalternatives}
mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables
cat > %{buildroot}%{_datadir}/libalternatives/ebtables/1.conf <<EOF
binary=%{_sbindir}/ebtables-legacy
group=ebtables, ebtables-restore, ebtables-save
EOF
mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-restore
cat > %{buildroot}%{_datadir}/libalternatives/ebtables-restore/1.conf <<EOF
binary=%{_sbindir}/ebtables-legacy-restore
group=ebtables, ebtables-restore, ebtables-save
EOF
mkdir -p %{buildroot}%{_datadir}/libalternatives/ebtables-save
cat > %{buildroot}%{_datadir}/libalternatives/ebtables-save/1.conf <<EOF
binary=%{_sbindir}/ebtables-legacy-save
group=ebtables, ebtables-restore, ebtables-save
EOF
%endif
%pre %pre
%if %{with libalternatives}
# removing old update-alternatives entries
if [ "$1" -gt 0 ] && [ -f %{_sbindir}/update-alternatives ] ; then
update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
fi
%endif
%service_add_pre %{name}.service %service_add_pre %{name}.service
%post %post
%if ! %{with libalternatives}
update-alternatives --force \ update-alternatives --force \
--install "%{_sbindir}/ebtables" ebtables "%{_sbindir}/ebtables-legacy" 1 \ --install "%{_sbindir}/ebtables" ebtables "%{_sbindir}/ebtables-legacy" 1 \
--slave "%{_sbindir}/ebtables-restore" ebtables-restore "%{_sbindir}/ebtables-legacy-restore" \ --slave "%{_sbindir}/ebtables-restore" ebtables-restore "%{_sbindir}/ebtables-legacy-restore" \
--slave "%{_sbindir}/ebtables-save" ebtables-save "%{_sbindir}/ebtables-legacy-save" --slave "%{_sbindir}/ebtables-save" ebtables-save "%{_sbindir}/ebtables-legacy-save"
%endif
%service_add_post %{name}.service %service_add_post %{name}.service
%fillup_only %fillup_only
@ -120,24 +158,35 @@ update-alternatives --force \
%service_del_preun %{name}.service %service_del_preun %{name}.service
%postun %postun
%if ! %{with libalternatives}
if test "$1" = 0; then if test "$1" = 0; then
update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy" update-alternatives --remove ebtables "%{_sbindir}/ebtables-legacy"
fi fi
%endif
%service_del_postun %{name}.service %service_del_postun %{name}.service
%post -n libebtc0 -p /sbin/ldconfig %post -n libebtc0 -p /sbin/ldconfig
%postun -n libebtc0 -p /sbin/ldconfig %postun -n libebtc0 -p /sbin/ldconfig
%files %files
%defattr(-,root,root)
%license COPYING %license COPYING
%doc ChangeLog %doc ChangeLog
%{_mandir}/man8/ebtables*.8* %{_mandir}/man8/ebtables*.8%{?ext_man}
%{_libexecdir}/%{name}-helper %{_libexecdir}/%{name}-helper
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%if ! %{with libalternatives}
%ghost %{_sysconfdir}/alternatives/ebtables %ghost %{_sysconfdir}/alternatives/ebtables
%ghost %{_sysconfdir}/alternatives/ebtables-restore %ghost %{_sysconfdir}/alternatives/ebtables-restore
%ghost %{_sysconfdir}/alternatives/ebtables-save %ghost %{_sysconfdir}/alternatives/ebtables-save
%else
%dir %{_datadir}/libalternatives
%dir %{_datadir}/libalternatives/ebtables
%dir %{_datadir}/libalternatives/ebtables-restore
%dir %{_datadir}/libalternatives/ebtables-save
%{_datadir}/libalternatives/ebtables/1.conf
%{_datadir}/libalternatives/ebtables-restore/1.conf
%{_datadir}/libalternatives/ebtables-save/1.conf
%endif
%ghost %{_fillupdir}/sysconfig.%{name}.filter %ghost %{_fillupdir}/sysconfig.%{name}.filter
%ghost %{_fillupdir}/sysconfig.%{name}.nat %ghost %{_fillupdir}/sysconfig.%{name}.nat
%ghost %{_fillupdir}/sysconfig.%{name}.broute %ghost %{_fillupdir}/sysconfig.%{name}.broute
@ -147,6 +196,6 @@ fi
%{_sbindir}/rcebtables %{_sbindir}/rcebtables
%files -n libebtc0 %files -n libebtc0
%_libdir/libebtc.so.0* %{_libdir}/libebtc.so.0*
%changelog %changelog