Add basic blacklist build support

Reviewed by:	rpaulo
Approved by:	rpaulo
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5913
This commit is contained in:
Kurt Lidl 2016-06-02 19:06:04 +00:00
parent c247b3ca67
commit 95856e1457
17 changed files with 209 additions and 2 deletions


@ -86,6 +86,10 @@ BIN1+= apmd.conf
BIN1+= auto_master
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
BIN1+= blacklistd.conf
.endif
.if ${MK_FREEBSD_UPDATE} != "no"
BIN1+= freebsd-update.conf
.endif

17
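--- a/etc/blacklistd.conf
+++ b/etc/blacklistd.conf
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 24h
+ftp stream * * * 3 24h
+smtp stream * * * 3 24h
+submission stream * * * 3 24h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =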
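Review bot: The commented example `#129.168.0.0/16 * * * = * *` in the [remote] section looks like a typo for the private range `192.168.0.0/16`; as written it names a public block, and because it is the only address example in the file it is what readers will copy. The last active [local] line `* * * * * 3 60` is a catch-all for every other port and protocol, and its bare `60` in the disable column sits next to the `24h`/`10m` forms above it, so the unit is not obvious. A one-line comment such as `# catch-all for any other service: 3 failures -> 60 (presumably seconds; confirm against the blacklistd documentation)` would make both the unit and the line's role explicit.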


@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
blacklistd_flags="" # Optional flags for blacklistd(8).
#
# kerberos. Do not run the admin daemons on slave servers
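Review bot: `blacklistd_enable="YES"` turns the new daemon on for every installation by default, which breaks with the surrounding entries (`ctld_enable="NO"`, `local_unbound_enable="NO"`) and with the opt-in convention for new services; it also starts blacklistd on systems that never configured pf or any blacklist-aware service. Unless enabling by default was a deliberate decision, the line should be `blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).` and the administrator turns it on in rc.conf. If it is deliberate, the commit description should say so, and the rc script's `REQUIRE: netif pf` should be checked on systems without pf.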


@ -44,8 +44,14 @@ rc=0
if check_yesno_period security_status_pfdenied_enable
then
TMP=`mktemp -t security`
if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
check_diff new_only pf ${TMP} "${host} pf denied packets:"
touch ${TMP}
for _a in "" blacklistd
do
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
done
if [ -s ${TMP} ]; then
check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
rm -f ${TMP}
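Review bot: In the new loop the first iteration runs with `_a` empty, and because `${_a}` is unquoted the command becomes `pfctl -a -sr -v -z`, so pfctl takes `-sr` as the anchor name and the main ruleset — the only thing the replaced `pfctl -sr -v -z` line reported — is neither listed nor zeroed. Pass the option only when an anchor is set: `pfctl ${_a:+-a "${_a}"} -sr -v -z 2>/dev/null | \`. The `touch ${TMP}` after `mktemp` is redundant since mktemp already creates the file. The enclosing `if check_yesno_period` block closes outside the hunk.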


@ -17,6 +17,7 @@ FILES= DAEMON \
auditd \
auditdistd \
bgfsck \
${_blacklistd} \
${_bluetooth} \
bridge \
${_bthidd} \
@ -168,6 +169,10 @@ FILES+= automountd
FILES+= autounmountd
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
_blacklistd+= blacklistd
.endif
.if ${MK_BLUETOOTH} != "no"
_bluetooth= bluetooth
_bthidd= bthidd
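Review bot: `_blacklistd+= blacklistd` appends to a variable that is assigned exactly once, whereas the neighbouring `_bluetooth= bluetooth` and `_bthidd= bthidd` use plain assignment; the same pattern appears in the SUBDIR hunk that adds `_blacklistd-helper+= blacklistd-helper`. Use `_blacklistd= blacklistd` (and `_blacklistd-helper= blacklistd-helper`) so the files read consistently and a stray earlier definition cannot duplicate the entry in FILES or SUBDIR.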

45
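--- a/etc/rc.d/blacklistd
+++ b/etc/rc.d/blacklistd
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+. /etc/rc.subr
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+load_rc_config $name
+run_rc_command "$1"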
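Review bot: `# REQUIRE: netif pf` orders the service only after pf, yet the firewall changes are delegated to the helper at the `_PATH_BLCONTROL` path set in the blacklistctl and blacklistd Makefiles; if that helper also drives other packet filters, their rc scripts would need to be listed here as well, otherwise blacklistd can start before the filter it is going to update — worth confirming against the helper. The script also has no comment telling operators that `required_files` makes the service refuse to start when /etc/blacklistd.conf is absent; a line such as `# Refuses to start without /etc/blacklistd.conf; only useful with a blacklist-aware service feeding it.` above the rc.subr include would cover that.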


@ -28,6 +28,7 @@ SUBDIR= ${SUBDIR_ORDERED} \
${_libatm} \
libauditd \
libbegemot \
${_libblacklist} \
libblocksruntime \
${_libbluetooth} \
${_libbsnmp} \
@ -161,6 +162,10 @@ SUBDIR_DEPEND_liblzma= ${_libthr}
_libngatm= libngatm
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
_libblacklist= libblacklist
.endif
.if ${MK_BLUETOOTH} != "no"
_libbluetooth= libbluetooth
_libsdp= libsdp

30
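--- a/lib/libblacklist/Makefile
+++ b/lib/libblacklist/Makefile
@@ -0,0 +1,30 @@
+# $FreeBSD$
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+LIB= blacklist
+SHLIB_MAJOR= 0
+LIBADD+= pthread
+CFLAGS.clang+=-Wno-thread-safety-analysis
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+-D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+-DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+SRCS= bl.c blacklist.c
+INCS= blacklist.h
+MAN= libblacklist.3
+MLINKS= libblacklist.3 blacklist_open.3 \
+libblacklist.3 blacklist_close.3 \
+libblacklist.3 blacklist.3 \
+libblacklist.3 blacklist_r.3 \
+libblacklist.3 blacklist_sa.3 \
+libblacklist.3 blacklist_sa_r.3
+.include <bsd.lib.mk>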
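Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` silences clang's thread-safety checker for a library that is built with `-D_REENTRANT` and links `pthread`, without saying why; that is exactly the analysis one wants on a threaded library, so the reason (presumably the contrib sources carry no lock annotations and the warning is noise — confirm) belongs in a comment on the line, e.g. `# contrib code has no locking annotations; the analysis only produces false positives`. Note also that `-D_REENTRANT` is defined here but left commented out in the two program Makefiles, so the three files disagree on whether the flag matters.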


@ -5,6 +5,7 @@
SUBDIR= ${_atf} \
${_atrun} \
${_blacklistd-helper} \
${_comsat} \
${_dma} \
getty \
@ -33,6 +34,10 @@ SUBDIR= ${_atf} \
_atrun= atrun
.endif
.if ${MK_BLACKLIST_SUPPORT} != "no"
_blacklistd-helper+= blacklistd-helper
.endif
.if ${MK_BOOTPD} != "no"
SUBDIR+= bootpd
.endif


@ -0,0 +1,7 @@
# $FreeBSD$
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
SCRIPTS= ${BLACKLIST_DIR}/libexec/blacklistd-helper
.include <bsd.prog.mk>


@ -22,6 +22,7 @@ LIBATM?= ${DESTDIR}${LIBDIR}/libatm.a
LIBAUDITD?= ${DESTDIR}${LIBDIR}/libauditd.a
LIBAVL?= ${DESTDIR}${LIBDIR}/libavl.a
LIBBEGEMOT?= ${DESTDIR}${LIBDIR}/libbegemot.a
LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
LIBBSDXML?= ${DESTDIR}${LIBDIR}/libbsdxml.a
LIBBSM?= ${DESTDIR}${LIBDIR}/libbsm.a


@ -178,6 +178,12 @@ _LIBRARIES= \
zfs \
zpool \
.if ${MK_BLACKLIST} != "no"
_LIBRARIES+= \
blacklist \
.endif
.if ${MK_OFED} != "no"
_LIBRARIES+= \
cxgb4 \
@ -200,6 +206,9 @@ _LIBRARIES+= \
# 2nd+ order consumers. Auto-generating this would be better.
_DP_80211= sbuf bsdxml
_DP_archive= z bz2 lzma bsdxml
.if ${MK_BLACKLIST} != "no"
_DP_blacklist+= pthread
.endif
.if ${MK_OPENSSL} != "no"
_DP_archive+= crypto
.else
@ -502,6 +511,7 @@ LIBWINDDIR= ${OBJTOP}/kerberos5/lib/libwind
LIBATF_CDIR= ${OBJTOP}/lib/atf/libatf-c
LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
LIBALIASDIR= ${OBJTOP}/lib/libalias/libalias
LIBBLACKLISTDIR= ${OBJTOP}/lib/libblacklist
LIBBLOCKSRUNTIMEDIR= ${OBJTOP}/lib/libblocksruntime
LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
LIBCASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
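Review bot: Both conditional hunks in this file gate on `${MK_BLACKLIST}`, while every consumer outside share/mk (etc, etc/rc.d, lib, the libexec SUBDIR list, usr.sbin and ObsoleteFiles.inc) tests `${MK_BLACKLIST_SUPPORT}`. If the `.for var in` loop in src.opts.mk derives MK_BLACKLIST_SUPPORT from MK_BLACKLIST, as the comment above that loop suggests, the two are consistent, but a reader of this file cannot tell; a comment such as `# MK_BLACKLIST (not the derived MK_BLACKLIST_SUPPORT) decides whether the library itself is built` would save the lookup. `_DP_blacklist+= pthread` could also be a plain `_DP_blacklist= pthread` like the `_DP_80211=`/`_DP_archive=` lines above it, since nothing earlier defines it.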


@ -56,6 +56,7 @@ __DEFAULT_YES_OPTIONS = \
BHYVE \
BINUTILS \
BINUTILS_BOOTSTRAP \
BLACKLIST \
BLUETOOTH \
BOOT \
BOOTPARAMD \
@ -374,6 +375,7 @@ MK_CLANG_FULL:= no
# MK_* variable is set to "no".
#
.for var in \
BLACKLIST \
BZIP2 \
GNU \
INET \


@ -431,6 +431,26 @@ OLD_FILES+=usr/share/man/man7/ldint.7.gz
OLD_FILES+=usr/share/man/man7/binutils.7.gz
.endif
.if ${MK_BLACKLIST_SUPPORT} == no
OLD_FILES+=etc/rc.d/blacklistd
OLD_FILES+=usr/include/blacklist.h
OLD_FILES+=usr/lib/libblacklist.a
OLD_FILES+=usr/lib/libblacklist_p.a
OLD_FILES+=usr/lib/libblacklist.so
OLD_LIBS+=usr/lib/libblacklist.so.0
OLD_FILES+=usr/libexec/blacklistd-helper
OLD_FILES+=usr/sbin/blacklistctl
OLD_FILES+=usr/sbin/blacklistd
OLD_FILES+=usr/share/man/man3/blacklist.3.gz
OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
.endif
.if ${MK_BLUETOOTH} == no
OLD_FILES+=etc/bluetooth/hcsecd.conf
OLD_FILES+=etc/bluetooth/hosts


@ -113,6 +113,10 @@ SUBDIR.${MK_AUDIT}+= auditreduce
SUBDIR.${MK_AUDIT}+= praudit
SUBDIR.${MK_AUTHPF}+= authpf
SUBDIR.${MK_AUTOFS}+= autofs
.if ${MK_BLACKLIST_SUPPORT} != "no"
SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl
SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd
.endif
SUBDIR.${MK_BLUETOOTH}+= bluetooth
SUBDIR.${MK_BOOTPARAMD}+= bootparamd
SUBDIR.${MK_BSDINSTALL}+= bsdinstall
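Review bot: The `.if ${MK_BLACKLIST_SUPPORT} != "no"` wrapper is redundant: the `SUBDIR.${MK_X}+=` idiom used by the surrounding lines already makes the entry conditional on the option, which is why `SUBDIR.${MK_AUTOFS}+= autofs` and `SUBDIR.${MK_BLUETOOTH}+= bluetooth` carry no `.if`. Drop the wrapper and keep just `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl` and `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd`, so the two new entries read like their neighbours.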


@ -0,0 +1,22 @@
# $FreeBSD$
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
PROG= blacklistctl
SRCS= blacklistctl.c conf.c state.c support.c internal.c \
sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
MAN= blacklistctl.8
LDFLAGS+=-L${LIBBLACKLISTDIR}
LIBADD+= blacklist util
CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
-DHAVE_STRUCT_SOCKADDR_SA_LEN
# CFLAGS+= -D_REENTRANT
.include <bsd.prog.mk>
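Review bot: `# CFLAGS+= -D_REENTRANT` is a commented-out setting left in a new file, and the same line is repeated in the blacklistd program Makefile below; it leaves the reader guessing whether the flag is needed, and the library Makefile does define `-D_REENTRANT`, so either enable it or delete the line in both files. The `SRCS` (apart from the main source), `LDFLAGS`, `LIBADD` and `CFLAGS` lists are otherwise identical between the two program Makefiles, so a shared Makefile.inc would keep them from drifting. `LDFLAGS+=-L${LIBBLACKLISTDIR}` is probably redundant with `LIBADD+= blacklist` now that src.libnames.mk defines LIBBLACKLISTDIR, but confirm the build-order dependency before removing it.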


@ -0,0 +1,22 @@
# $FreeBSD$
BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
PROG= blacklistd
SRCS= blacklistd.c conf.c run.c state.c support.c internal.c \
sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
MAN= blacklistd.8
LDFLAGS+=-L${LIBBLACKLISTDIR}
LIBADD+= blacklist util
CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
-DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
-DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
-DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
-DHAVE_STRUCT_SOCKADDR_SA_LEN
# CFLAGS+= -D_REENTRANT
.include <bsd.prog.mk>