Add basic blacklist build support

Reviewed by: rpaulo Approved by: rpaulo Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5913
2016-06-02 19:06:04 +00:00 · 2016-06-02 19:06:04 +00:00 · 6f31a383cc
commit 6f31a383cc
parent 44920da28c
17 changed files with 209 additions and 2 deletions
--- a/etc/Makefile
+++ b/etc/Makefile
@ -86,6 +86,10 @@ BIN1+= apmd.conf
 BIN1+=	auto_master
 .endif

+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
--- a/etc/blacklistd.conf
+++ b/etc/blacklistd.conf
@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port	type	proto	owner		name	nfail	disable
+[local]
+ssh		stream	*	*		*	3	24h
+ftp		stream	*	*		*	3	24h
+smtp		stream	*	*		*	3	24h
+submission	stream	*	*		*	3	24h
+#6161		stream	tcp6	christos	*	2	10m
+*		*	*	*		*	3	60
+
+# adr/mask:port	type	proto	owner		name	nfail	disable
+[remote]
+#129.168.0.0/16	*	*	*		=	*	*
+#6161		=	=	=		=/24	=	=
+#*		stream	tcp	*		=	=	=
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -270,6 +270,8 @@ hastd_program="/sbin/hastd"	# path to hastd, if you want a different one.
 hastd_flags=""			# Optional flags to hastd.
 ctld_enable="NO"		# CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO"	# local caching resolver
+blacklistd_enable="YES" 	# Run blacklistd daemon (YES/NO).
+blacklistd_flags=""		# Optional flags for blacklistd(8).

 #
 # kerberos. Do not run the admin daemons on slave servers
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@ -44,8 +44,14 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 	TMP=`mktemp -t security`
-	if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
-	  check_diff new_only pf ${TMP} "${host} pf denied packets:"
+	touch ${TMP}
+	for _a in "" blacklistd
+	do
+		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+	done
+	if [ -s ${TMP} ]; then
+		check_diff new_only pf ${TMP} "${host} pf denied packets:"
 	fi
 	rc=$?
 	rm -f ${TMP}
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@ -17,6 +17,7 @@ FILES=	DAEMON \
 	auditd \
 	auditdistd \
 	bgfsck \
+	${_blacklistd} \
 	${_bluetooth} \
 	bridge \
 	${_bthidd} \
@ -168,6 +169,10 @@ FILES+=		automountd
 FILES+=		autounmountd
 .endif

+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+=	blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth=	bluetooth
 _bthidd=	bthidd
--- a/etc/rc.d/blacklistd
+++ b/etc/rc.d/blacklistd
@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# 
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
--- a/lib/Makefile
+++ b/lib/Makefile
@ -28,6 +28,7 @@ SUBDIR=	${SUBDIR_ORDERED} \
 	${_libatm} \
 	libauditd \
 	libbegemot \
+	${_libblacklist} \
 	libblocksruntime \
 	${_libbluetooth} \
 	${_libbsnmp} \
@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
 _libngatm=	libngatm
 .endif

+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist=	libblacklist
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _libbluetooth=	libbluetooth
 _libsdp=	libsdp
--- a/lib/libblacklist/Makefile
+++ b/lib/libblacklist/Makefile
@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB=	blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+	-D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+	-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+	-DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS=	bl.c blacklist.c
+INCS=	blacklist.h
+MAN=	libblacklist.3
+
+MLINKS=	libblacklist.3 blacklist_open.3		\
+	libblacklist.3 blacklist_close.3	\
+	libblacklist.3 blacklist.3		\
+	libblacklist.3 blacklist_r.3		\
+	libblacklist.3 blacklist_sa.3		\
+	libblacklist.3 blacklist_sa_r.3
+
+.include <bsd.lib.mk>
--- a/libexec/Makefile
+++ b/libexec/Makefile
@ -5,6 +5,7 @@

 SUBDIR=	${_atf} \
 	${_atrun} \
+	${_blacklistd-helper} \
 	${_comsat} \
 	${_dma} \
 	getty \
@ -33,6 +34,10 @@ SUBDIR=	${_atf} \
 _atrun=		atrun
 .endif

+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+=	blacklistd-helper
+.endif
+
 .if ${MK_BOOTPD} != "no"
 SUBDIR+=	bootpd
 .endif
--- a/libexec/blacklistd-helper/Makefile
+++ b/libexec/blacklistd-helper/Makefile
@ -0,0 +1,7 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+SCRIPTS=	${BLACKLIST_DIR}/libexec/blacklistd-helper
+
+.include <bsd.prog.mk>
--- a/share/mk/bsd.libnames.mk
+++ b/share/mk/bsd.libnames.mk
@ -22,6 +22,7 @@ LIBATM?=	${DESTDIR}${LIBDIR}/libatm.a
 LIBAUDITD?=	${DESTDIR}${LIBDIR}/libauditd.a
 LIBAVL?=	${DESTDIR}${LIBDIR}/libavl.a
 LIBBEGEMOT?=	${DESTDIR}${LIBDIR}/libbegemot.a
+LIBBLACKLIST?=	${DESTDIR}${LIBDIR}/libblacklist.a
 LIBBLUETOOTH?=	${DESTDIR}${LIBDIR}/libbluetooth.a
 LIBBSDXML?=	${DESTDIR}${LIBDIR}/libbsdxml.a
 LIBBSM?=	${DESTDIR}${LIBDIR}/libbsm.a
--- a/share/mk/src.libnames.mk
+++ b/share/mk/src.libnames.mk
@ -178,6 +178,12 @@ _LIBRARIES=	\
 		zfs \
 		zpool \

+.if ${MK_BLACKLIST} != "no"
+_LIBRARIES+= \
+		blacklist \
+
+.endif
+
 .if ${MK_OFED} != "no"
 _LIBRARIES+= \
 		cxgb4 \
@ -200,6 +206,9 @@ _LIBRARIES+= \
 # 2nd+ order consumers.  Auto-generating this would be better.
 _DP_80211=	sbuf bsdxml
 _DP_archive=	z bz2 lzma bsdxml
+.if ${MK_BLACKLIST} != "no"
+_DP_blacklist+=	pthread
+.endif
 .if ${MK_OPENSSL} != "no"
 _DP_archive+=	crypto
 .else
@ -502,6 +511,7 @@ LIBWINDDIR=	${OBJTOP}/kerberos5/lib/libwind
 LIBATF_CDIR=	${OBJTOP}/lib/atf/libatf-c
 LIBATF_CXXDIR=	${OBJTOP}/lib/atf/libatf-c++
 LIBALIASDIR=	${OBJTOP}/lib/libalias/libalias
+LIBBLACKLISTDIR=	${OBJTOP}/lib/libblacklist
 LIBBLOCKSRUNTIMEDIR=	${OBJTOP}/lib/libblocksruntime
 LIBBSNMPDIR=	${OBJTOP}/lib/libbsnmp/libbsnmp
 LIBCASPERDIR=	${OBJTOP}/lib/libcasper/libcasper
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@ -56,6 +56,7 @@ __DEFAULT_YES_OPTIONS = \
    BHYVE \
    BINUTILS \
    BINUTILS_BOOTSTRAP \
+    BLACKLIST \
    BLUETOOTH \
    BOOT \
    BOOTPARAMD \
@ -374,6 +375,7 @@ MK_CLANG_FULL:= no
 # MK_* variable is set to "no".
 #
 .for var in \
+    BLACKLIST \
    BZIP2 \
    GNU \
    INET \
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@ -431,6 +431,26 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
 OLD_FILES+=usr/share/man/man7/binutils.7.gz
 .endif

+.if ${MK_BLACKLIST_SUPPORT} == no
+OLD_FILES+=etc/rc.d/blacklistd
+OLD_FILES+=usr/include/blacklist.h
+OLD_FILES+=usr/lib/libblacklist.a
+OLD_FILES+=usr/lib/libblacklist_p.a
+OLD_FILES+=usr/lib/libblacklist.so
+OLD_LIBS+=usr/lib/libblacklist.so.0
+OLD_FILES+=usr/libexec/blacklistd-helper
+OLD_FILES+=usr/sbin/blacklistctl
+OLD_FILES+=usr/sbin/blacklistd
+OLD_FILES+=usr/share/man/man3/blacklist.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+.endif
+
 .if ${MK_BLUETOOTH} == no
 OLD_FILES+=etc/bluetooth/hcsecd.conf
 OLD_FILES+=etc/bluetooth/hosts
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@ -113,6 +113,10 @@ SUBDIR.${MK_AUDIT}+=	auditreduce
 SUBDIR.${MK_AUDIT}+=	praudit
 SUBDIR.${MK_AUTHPF}+=	authpf
 SUBDIR.${MK_AUTOFS}+=	autofs
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+SUBDIR.${MK_BLACKLIST_SUPPORT}+=	blacklistctl
+SUBDIR.${MK_BLACKLIST_SUPPORT}+=	blacklistd
+.endif
 SUBDIR.${MK_BLUETOOTH}+=	bluetooth
 SUBDIR.${MK_BOOTPARAMD}+=	bootparamd
 SUBDIR.${MK_BSDINSTALL}+=	bsdinstall
--- a/usr.sbin/blacklistctl/Makefile
+++ b/usr.sbin/blacklistctl/Makefile
@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG=	blacklistctl
+SRCS=	blacklistctl.c conf.c state.c support.c internal.c \
+	sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN=	blacklistctl.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+	-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+	-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+	-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+	-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+	-DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>
--- a/usr.sbin/blacklistd/Makefile
+++ b/usr.sbin/blacklistd/Makefile
@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG=	blacklistd
+SRCS=	blacklistd.c conf.c run.c state.c support.c internal.c \
+	sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN=	blacklistd.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+	-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+	-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+	-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+	-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+	-DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include <bsd.prog.mk>