diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index c1cbdb461765..37f44f07ac46 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -82,13 +82,21 @@ in
 LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
 NIX_REDIRECTS = "/var/run=/run/pppd";
 };
- serviceConfig = {
+ serviceConfig = let
+ capabilities = [
+ "CAP_BPF"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ];
+ in
+ {
 ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
 Restart = "always";
 RestartSec = 5;
- AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
- CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
 KeyringMode = "private";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -103,7 +111,17 @@ in
 ProtectKernelTunables = false;
 ProtectSystem = "strict";
 RemoveIPC = true;
- RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+ RestrictAddressFamilies = [
+ "AF_ATMPVC"
+ "AF_ATMSVC"
+ "AF_INET"
+ "AF_INET6"
+ "AF_IPX"
+ "AF_NETLINK"
+ "AF_PACKET"
+ "AF_PPPOX"
+ "AF_UNIX"
+ ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
diff --git a/pkgs/tools/networking/ppp/default.nix b/pkgs/tools/networking/ppp/default.nix
index 36d156a3994b..708932ac1c9d 100644
--- a/pkgs/tools/networking/ppp/default.nix
+++ b/pkgs/tools/networking/ppp/default.nix
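Review bot: The new `capabilities` list replaces CAP_SYS_ADMIN with CAP_BPF but nothing in the hunk says what pppd needs it for, and CAP_BPF only exists on Linux 5.8+ and in a libcap/systemd that knows the name; on an older kernel systemd drops the unknown name at unit load and pppd then runs with no substitute for whatever CAP_SYS_ADMIN previously covered, which surfaces as a runtime failure rather than an evaluation error. If the intent is pppd's `pass-filter`/`active-filter` support, it is worth confirming on the target kernel that this path actually needs CAP_BPF at all, since classic socket filters attached with setsockopt are generally unprivileged and the capability may be dead weight. A comment above the list would make the privilege reduction auditable, e.g. `# CAP_BPF (Linux >= 5.8) presumably stands in for the CAP_SYS_ADMIN pppd was given before; the bounding set is kept equal to the ambient set so nothing beyond this can be regained.` The enclosing `serviceConfig` attribute set continues past the end of this hunk.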
@@ -1,45 +1,37 @@
-{ lib, stdenv, fetchurl, fetchpatch, fetchFromGitHub, substituteAll, libpcap, openssl }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, substituteAll
+, libpcap
+, openssl
+}:
 stdenv.mkDerivation rec {
- version = "2.4.8";
+ version = "2.4.9";
 pname = "ppp";
 src = fetchFromGitHub {
- owner = "paulusmack";
- repo = "ppp";
- rev = "ppp-${version}";
- sha256 = "1i88m79h6g3fzsb4yw3k8bq1grsx3hsyawm7id2vcaab0gfqzjjv";
+ owner = "ppp-project";
+ repo = pname;
+ rev = "${pname}-${version}";
+ sha256 = "sha256-8+nbqRNfKPLDx+wmuKSkv+BSeG72hKJI4dNqypqeEK4=";
 };
- patches =
- [
- ( substituteAll {
- src = ./nix-purity.patch;
- inherit libpcap;
- glibc = stdenv.cc.libc.dev or stdenv.cc.libc;
- openssl = openssl.dev;
- })
- # Without nonpriv.patch, pppd --version doesn't work when not run as
- # root.
- ./nonpriv.patch
- (fetchpatch {
- name = "CVE-2015-3310.patch";
- url = "https://github.com/paulusmack/ppp/commit/858976b1fc3107f1261aae337831959b511b83c2.patch";
- sha256 = "0wirmcis67xjwllqhz9lsz1b7dcvl8shvz78lxgybc70j2sv7ih4";
- })
- (fetchurl {
- url = "https://www.nikhef.nl/~janjust/ppp/ppp-2.4.7-eaptls-mppe-1.102.patch";
- sha256 = "04war8l5szql53l36043hvzgfwqp3v76kj8brbz7wlf7vs2mlkia";
- })
- (fetchpatch {
- name = "CVE-2020-8597.patch";
- url = "https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426.patch";
- sha256 = "129wnhwxmzvr3y9gzxv82jnb5y8m4yg8vkpa0xl2rwkl8anbzgkh";
- })
- ./musl-fix-headers.patch
- ];
+ patches = [
+ (substituteAll {
+ src = ./nix-purity.patch;
+ glibc = stdenv.cc.libc.dev or stdenv.cc.libc;
+ openssl_dev = openssl.dev;
+ openssl_out = openssl.out;
+ })
+ # Without nonpriv.patch, pppd --version doesn't work when not run as root.
+ ./nonpriv.patch
+ ];
- buildInputs = [ libpcap openssl ];
+ buildInputs = [
+ libpcap
+ openssl
+ ];
 postPatch = ''
 # strip is not found when cross compiling with seemingly no way to point
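Review bot: The new `patches` list silently drops the CVE-2015-3310 and CVE-2020-8597 fetchpatches and the out-of-tree EAP-TLS/MPPE patch, so a reader of this file can no longer tell whether those fixes are carried by the 2.4.9 tag or were lost in the bump; presumably they are upstream by now, but a version bump that removes security patches should say so in place. I would put one line above `patches = [`: `# The CVE-2015-3310 and CVE-2020-8597 fixes and EAP-TLS support are part of the 2.4.9 release, so the out-of-tree patches were dropped.` Note also that `libpcap` is no longer passed to `substituteAll` while it stays in `buildInputs`, so whether the packet-filter build option is still enabled now depends on upstream's own header probe rather than on this file; the `postPatch` string that starts on the last line of this hunk continues outside it and may be where that is handled.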
@@ -66,9 +58,14 @@ stdenv.mkDerivation rec {
 '';
 meta = with lib; {
- homepage = "https://ppp.samba.org/";
- description = "Point-to-point implementation for Linux and Solaris";
- license = with licenses; [ bsdOriginal publicDomain gpl2 lgpl2 ];
+ homepage = "https://ppp.samba.org";
+ description = "Point-to-point implementation to provide Internet connections over serial lines";
+ license = with licenses; [
+ bsdOriginal
+ publicDomain
+ gpl2
+ lgpl2
+ ];
 platforms = platforms.linux;
 maintainers = [ ];
 };
diff --git a/pkgs/tools/networking/ppp/musl-fix-headers.patch b/pkgs/tools/networking/ppp/musl-fix-headers.patch
deleted file mode 100644
index d6252a52675b..000000000000
--- a/pkgs/tools/networking/ppp/musl-fix-headers.patch
+++ /dev/null
@@ -1,137 +0,0 @@ -diff --git a/include/net/ppp_defs.h b/include/net/ppp_defs.h -index b06eda5..dafa36c 100644 ---- a/include/net/ppp_defs.h -+++ b/include/net/ppp_defs.h -@@ -38,6 +38,8 @@ - #ifndef _PPP_DEFS_H_ - #define _PPP_DEFS_H_ - -+#include -+ - /* - * The basic PPP frame. - */ -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index a74c914..7acd2cf 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -126,7 +126,7 @@ LIBS += -lcrypt - endif - - ifdef USE_LIBUTIL --CFLAGS += -DHAVE_LOGWTMP=1 -+#CFLAGS += -DHAVE_LOGWTMP=1 - LIBS += -lutil - endif - -diff --git a/pppd/magic.h b/pppd/magic.h -index c81213b..305aece 100644 ---- a/pppd/magic.h -+++ b/pppd/magic.h -@@ -42,6 +42,8 @@ - * $Id: magic.h,v 1.5 2003/06/11 23:56:26 paulus Exp $ - */ - -+#include -+ - void magic_init (void); /* Initialize the magic number generator */ - u_int32_t magic (void); /* Returns the next magic number */ - -diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c -index 91e9a57..9c0fac3 100644 ---- a/pppd/plugins/rp-pppoe/if.c -+++ b/pppd/plugins/rp-pppoe/if.c -@@ -30,10 +30,6 @@ static char const RCSID[] = - #include - #endif - --#ifdef HAVE_NET_ETHERNET_H --#include --#endif -- - #ifdef HAVE_ASM_TYPES_H - #include - #endif -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index a8c2bb4..ca34d79 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -46,7 +46,6 @@ static char const RCSID[] = - #include - #include - #include --#include - #include - #include - #include -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index 3d3bf4e..b5f82d3 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -27,10 +27,6 @@ - #include - #endif - --#ifdef HAVE_NET_ETHERNET_H --#include --#endif -- - #ifdef HAVE_ASM_TYPES_H - #include - #endif -@@ -55,6 +51,8 @@ void die(int status) - exit(status); - } - 
-+#define error(x...) fprintf(stderr, x) -+ - /* Initialize frame types to RFC 2516 values. Some broken peers apparently - use different frame types... sigh... */ - -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index c4aaa6e..70aef85 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -88,18 +88,6 @@ typedef unsigned long UINT32_t; - #include - #endif - --#ifdef HAVE_NETINET_IF_ETHER_H --#include -- --#ifdef HAVE_SYS_SOCKET_H --#include --#endif --#ifndef HAVE_SYS_DLPI_H --#include --#endif --#endif -- -- - /* Ethernet frame types according to RFC 2516 */ - #define ETH_PPPOE_DISCOVERY 0x8863 - #define ETH_PPPOE_SESSION 0x8864 -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 6d71530..86d224e 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -102,19 +102,11 @@ - #define MAX_ADDR_LEN 7 - #endif - --#if !defined(__GLIBC__) || __GLIBC__ >= 2 - #include /* glibc 2 conflicts with linux/types.h */ - #include - #include - #include - #include --#else --#include --#include --#include --#include --#include --#endif - #include - #include - diff --git a/pkgs/tools/networking/ppp/nix-purity.patch b/pkgs/tools/networking/ppp/nix-purity.patch index 975ea9db6096..c3363e0ccb64 100644 --- a/pkgs/tools/networking/ppp/nix-purity.patch +++ b/pkgs/tools/networking/ppp/nix-purity.patch @@ -1,31 +1,33 @@ diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 9664f70..d07e01e 100644 +index 22837c5..6f6fff5 100644 --- a/pppd/Makefile.linux 
+++ b/pppd/Makefile.linux -@@ -125,7 +125,7 @@ CFLAGS += -DHAS_SHADOW +@@ -111,8 +111,8 @@ endif + + # EAP SRP-SHA1 + ifdef USE_SRP +-CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include +-LIBS += -lsrp -L/usr/local/ssl/lib ++CFLAGS += -DUSE_SRP -DOPENSSL -I@openssl_dev@/include/openssl ++LIBS += -lsrp -L@openssl_out@/lib + NEEDCRYPTOLIB = y + TARGETS += srp-entry + EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry +@@ -143,7 +143,7 @@ CFLAGS += -DHAS_SHADOW #LIBS += -lshadow $(LIBS) endif --ifneq ($(wildcard $(shell $(CC) --print-sysroot)/usr/include/crypt.h),) +-ifeq ($(shell echo '\#include ' | $(CC) -E - >/dev/null 2>&1 && echo yes),yes) +ifneq ($(wildcard @glibc@/include/crypt.h),) CFLAGS += -DHAVE_CRYPT_H=1 - LIBS += -lcrypt + LIBS += -lcrypt endif -@@ -137,7 +137,7 @@ endif +@@ -155,7 +155,7 @@ endif ifdef NEEDDES ifndef USE_CRYPT -CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl -+CFLAGS += -I@openssl@/include/openssl - LIBS += -lcrypto ++CFLAGS += -I@openssl_dev@/include/openssl + NEEDCRYPTOLIB = y else CFLAGS += -DUSE_CRYPT=1 -@@ -188,7 +188,7 @@ LIBS += -ldl - endif - - ifdef FILTER --ifneq ($(wildcard /usr/include/pcap-bpf.h),) -+ifneq ($(wildcard @libpcap@/include/pcap-bpf.h),) - LIBS += -lpcap - CFLAGS += -DPPP_FILTER - endif
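Review bot: The rewritten patch no longer carries a hunk for the `ifdef FILTER` probe of `pcap-bpf.h`, so whether `-DPPP_FILTER` is defined now rests entirely on the wildcard check in upstream 2.4.9's Makefile.linux, which is not visible here; a Nix build has neither `/usr/include` nor a sysroot copy of libpcap, so the likely result is a pppd built without `pass-filter`/`active-filter` support while libpcap is still linked in by the package, and nothing would fail loudly. Unless that probe is handled elsewhere (for instance in the package's `postPatch`), the patch should keep a hunk rewriting it to the store path, `ifneq ($(wildcard @libpcap@/include/pcap-bpf.h),)`, with `libpcap` passed back into `substituteAll`. A smaller point on the new SRP hunk: `-I@openssl_dev@/include/openssl` mirrors the NEEDDES hunk, whereas upstream used the plain include root there (`/usr/local/ssl/include`); it will only work if the SRP sources include OpenSSL headers by bare name or the include root is already on the compiler path, which is worth confirming against the 2.4.9 sources.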