author | Sami Kerola <kerolasa@iki.fi> | 2018-10-18 20:40:05 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-18 20:40:05 +0100 |
commit | 5d45667da08064a3e4afd6fa9d7d4439ea6b2c8f (patch) | |
tree | 6a290b2ebc10f684765562468b3d09a2f8fad7e8 | |
parent | bf0530d807f46659dd899ec02870bf5006c12313 (diff) | |
parent | 9ee32729d9d64258042af7270b72cfd38ce51ea4 (diff) | |
download | iputils-5d45667da08064a3e4afd6fa9d7d4439ea6b2c8f.tar.gz |
Merge pull request #151 from kerolasa/more-build-sys-fixes
More build sys fixes
-rw-r--r-- | meson.build | 36 | ||||
-rw-r--r-- | systemd/rarpd.service.in | 2 | ||||
-rw-r--r-- | systemd/rdisc.service.in | 27 |
3 files changed, 59 insertions, 6 deletions
diff --git a/meson.build b/meson.build
index 142ebe9..7cb56be 100644
--- a/meson.build
+++ b/meson.build
@@ -171,17 +171,18 @@ config_h = configure_file(
 output : 'config.h',
 configuration : conf)
+setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
+if cap_dep.found() and setcap.found()
+ perm_type = 'caps'
+else
+ perm_type = 'setuid'
+endif
+
 ############################################################
 if build_ping == true
 executable('ping', ['ping.c', 'ping_common.c', 'ping6_common.c', git_version_h],
 dependencies : [m_dep, cap_dep, idn_dep, crypto_dep, resolv_dep],
 install: true)
- setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
- if cap_dep.found() and setcap.found()
- perm_type = 'caps'
- else
- perm_type = 'setuid'
- endif
 meson.add_install_script('build-aux/setcap-setuid.sh',
 join_paths(get_option('prefix'), get_option('bindir')),
 'ping',
@@ -206,17 +207,40 @@ if build_clockdiff == true
 executable('clockdiff', ['clockdiff.c', git_version_h],
 dependencies : [cap_dep],
 install: true)
+ meson.add_install_script('build-aux/setcap-setuid.sh',
+ join_paths(get_option('prefix'), get_option('bindir')),
+ 'clockdiff',
+ perm_type,
+ setcap.path()
+ )
 endif
 if build_rinfod == true
 executable('rdisc', ['rdisc.c', git_version_h],
+ install_dir: 'sbin',
 install: true)
+ if systemd.found()
+ subs = configuration_data()
+ subs.set('sbindir', join_paths(get_option('prefix'), get_option('sbindir')))
+ unit_file = configure_file(
+ input: 'systemd/rdisc.service.in',
+ output: 'rdisc@.service',
+ configuration: subs
+ )
+ install_data(unit_file, install_dir: systemdunitdir)
+ endif
 endif
 if build_arping == true
 executable('arping', ['arping.c', git_version_h],
 dependencies : [rt_dep, cap_dep, idn_dep],
 install: true)
+ meson.add_install_script('build-aux/setcap-setuid.sh',
+ join_paths(get_option('prefix'), get_option('bindir')),
+ 'arping',
+ perm_type,
+ setcap.path()
+ )
 endif
 if build_tftpd == true
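Review bot: `setcap` is looked up with `required : false`, so it can be a not-found program, yet the install-script calls that consume it pass `setcap.path()` unconditionally (visible in the clockdiff and arping calls added in the next hunk; the remaining arguments of the ping call are outside this hunk). Depending on the Meson version, `.path()` on a not-found program may abort configuration, which would defeat the `'setuid'` fallback chosen here; computing the argument once next to `perm_type`, e.g. `setcap_path = setcap.found() ? setcap.path() : ''`, avoids that. Because this choice now also governs how clockdiff and arping are installed, a `message('privilege method: ' + perm_type)` at this point would make a downgrade from file capabilities to what is presumably a setuid install visible in the configure log instead of silent.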
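Review bot: rdisc is installed with the hard-coded `install_dir: 'sbin'`, while the unit file's `@sbindir@` is substituted with `join_paths(get_option('prefix'), get_option('sbindir'))`; as soon as `sbindir` is configured to anything other than `sbin`, `ExecStart=` names a path the binary was not installed to, and the service either fails or starts whatever else lives at that path. `install_dir: get_option('sbindir'),` keeps the two in step. The unit is also written out as the template `rdisc@.service`, although the rdisc.service.in added in this commit uses no `%i` and carries a plain `WantedBy=`; `output: 'rdisc.service'` looks like what was intended, which is worth confirming.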
diff --git a/systemd/rarpd.service.in b/systemd/rarpd.service.in
index d161785..e600c10 100644
--- a/systemd/rarpd.service.in
+++ b/systemd/rarpd.service.in
@@ -8,6 +8,8 @@ After=network.target
 EnvironmentFile=-/etc/sysconfig/rarpd
 ExecStart=@sbindir@/rarpd -d $OPTIONS %i
+AmbientCapabilities=CAP_NET_RAW
+DynamicUser=yes
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateUsers=yes
diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
new file mode 100644
index 0000000..4e2a1ec
--- /dev/null
+++ b/systemd/rdisc.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Network Router Discovery Daemon
+Documentation=man:rdisc(8)
+Requires=network.target
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/rdisc
+ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
+
+AmbientCapabilities=CAP_NET_RAW
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target
|
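Review bot: In systemd/rarpd.service.in, `AmbientCapabilities=CAP_NET_RAW` is added next to the existing `PrivateUsers=yes`, and per systemd.exec(5) a unit with `PrivateUsers=` enabled holds no capabilities in the host user namespace, so the capability granted here may not be usable for the sockets the daemon needs it for on the host's interfaces. This should be exercised on a real system; if opening the socket fails, drop `PrivateUsers=yes` and bound the service with `CapabilityBoundingSet=CAP_NET_RAW` instead. The same pair of directives appears in the new systemd/rdisc.service.in. The rest of this unit lies outside the hunk, so an existing bounding set cannot be ruled out from here.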
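Review bot: Unlike the rarpd unit changed in this commit, the new systemd/rdisc.service.in sets neither `DynamicUser=yes` nor `User=`, so the daemon starts as root and `AmbientCapabilities=CAP_NET_RAW` restricts nothing: a root service keeps its full capability set unless one is bounded. Adding `CapabilityBoundingSet=CAP_NET_RAW` together with `DynamicUser=yes` (or a dedicated `User=`) would confine it to the one capability it asks for. `PrivateDevices=yes`, which the rarpd unit has, is also absent here. Whether rdisc needs more than the raw socket, for example to change routes, should be checked before the user is dropped, and the bounding set widened only by what that check shows.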