
knot: disable libcap-ng

libcap-ng was recently added to the OpenWrt packages feed;
it is an optional dependency of Knot DNS. It enables POSIX 1003.1e capabilities.
This can restrict root permissions (by default it runs as root), which
might cause harm, and because there is no systemd on OpenWrt it can interfere.

There is an added patch, which introduced an option to disable libcap-ng.
This will be part of the next release.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
lilik-openwrt-22.03
Josef Schlehofer 5 years ago
parent
commit
41957d6967
No known key found for this signature in database GPG Key ID: B950216FE4329F4C
2 changed files with 41 additions and 1 deletions
  1. +2
    -1
      net/knot/Makefile
  2. +39
    -0
      net/knot/patches/03-configure-allow-to-manually-disable-POSIX-capabiliti.patch

+ 2
- 1
net/knot/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=knot PKG_NAME:=knot
PKG_VERSION:=2.9.3 PKG_VERSION:=2.9.3
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/ PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/
@ -149,6 +149,7 @@ export KNOT_VERSION_FORMAT=release
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
--enable-recvmmsg=no \ --enable-recvmmsg=no \
--enable-cap-ng=no \
--disable-fastparser \ --disable-fastparser \
--without-libidn \ --without-libidn \
--with-rundir=/var/run/knot \ --with-rundir=/var/run/knot \
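Review bot: The new `--enable-cap-ng=no \` entry in `CONFIGURE_ARGS` carries no comment, although it turns off a privilege-restriction feature and only takes effect because patch 03 adds the option to configure. With capabilities disabled, knotd keeps the full root capability set whenever it runs as root, which the commit message says is the default, so the trade-off deserves to be recorded in the Makefile. I would put a comment above the `CONFIGURE_ARGS += \` line (not inside the continuation, where `#` would swallow the remaining arguments), for example `# cap-ng off: capability restriction interferes on OpenWrt (no systemd); needs patches/03 until the next Knot release`. It may also be worth checking that the packaged configuration runs knotd under a dedicated user, since that would be the remaining privilege boundary; the init script and config are not visible here. The argument list continues past the end of the hunk.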


+ 39
- 0
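--- a/net/knot/patches/03-configure-allow-to-manually-disable-POSIX-capabiliti.patch
+++ b/net/knot/patches/03-configure-allow-to-manually-disable-POSIX-capabiliti.patch
@@ -0,0 +1,39 @@
+From 442633ae37f8a4e1164a2db3ad6b55bc738ba0b2 Mon Sep 17 00:00:00 2001
+From: Daniel Salzman <daniel.salzman@nic.cz>
+Date: Fri, 22 May 2020 12:50:29 +0200
+Subject: [PATCH] configure: allow to manually disable POSIX capabilities
+---
+configure.ac | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/configure.ac b/configure.ac
+index 47772799e..a08ca8532 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -554,7 +554,13 @@ AS_IF([test "$enable_utilities" = "yes"], [
+])
+]) # Knot DNS utilities dependencies
++AC_ARG_ENABLE([cap-ng],
++ AS_HELP_STRING([--enable-cap-ng=auto|no], [enable POSIX capabilities [default=auto]]),
++ [enable_cap_ng="$enableval"], [enable_cap_ng=auto])
++
+AS_IF([test "$enable_daemon" = "yes"], [
++
++AS_IF([test "$enable_cap_ng" != "no"],[
+PKG_CHECK_MODULES([cap_ng], [cap-ng], [enable_cap_ng=yes], [
+enable_cap_ng=no
+AC_CHECK_HEADER([cap-ng.h], [
+@@ -570,7 +576,7 @@ AS_IF([test "$enable_daemon" = "yes"], [
+], [
+enable_cap_ng=no
+cap_ng_LIBS=
+-])
++])])
+AS_IF([test "$enable_cap_ng" = yes],
+[AC_DEFINE([ENABLE_CAP_NG], [1], [POSIX capabilities available])]
+--
+2.17.1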
