net/ngrep: Add Capcisum sandboxing support

- Add OPTION and patches for Capsicum support
- Update MAINTAINER
- Add LICENSE (BSD4CLAUSE) and LICENSE_FILE
- Use OPTIONS helpers
- Sort USES/USE section
- Sort OPTIONS_DEFAULT

PR:		195910 (with changes)
Submitted by:	logan at elandsys com
Submitted by:	feld
Approved by:	maintainer (edwin)

net/ngrep/Makefile

@@ -3,46 +3,46 @@
 
 PORTNAME=	ngrep
 PORTVERSION=	1.45
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net security
 MASTER_SITES=	SF
 
-MAINTAINER=	edwin@mavetju.org
+MAINTAINER=	logan@elandsys.com
 COMMENT=	Network grep
 
-WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
+LICENSE=	BSD4CLAUSE
+LICENSE_FILE=	${WRKSRC}/LICENSE.txt
+
 USES=		gmake tar:bzip2
+
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--disable-pcap-restart
+
 MAKE_JOBS_UNSAFE=	yes
 
-OPTIONS_DEFINE=	PCRE PORTS_PCAP IPV6 DOCS
-OPTIONS_DEFAULT=	PCRE IPV6
+OPTIONS_DEFINE=		CAPSICUM DOCS IPV6 PCRE PORTS_PCAP
+OPTIONS_DEFAULT=	CAPSICUM IPV6 PCRE
+
 PCRE_DESC=		Use PCRE instead of GNU regex
 PORTS_PCAP_DESC=	Use ports PCAP instead of system PCAP
+CAPSICUM_DESC=		Build with capsicum if kernel supports it
 
 PLIST_FILES=	bin/ngrep man/man8/ngrep.8.gz
 
 PORTDOCS=	CHANGES.txt CREDITS.txt INSTALL.txt LICENSE.txt \
 		README.txt REGEX.txt
 
+CAPSICUM_CONFIGURE_ON=	--enable-capsicum
+
+IPV6_CONFIGURE_ENABLE=	ipv6
+PCRE_CONFIGURE_ENABLE=	pcre
+
+PORTS_PCAP_CONFIGURE_ON=	--with-pcap-includes=${LOCALBASE}/include
+PORTS_PCAP_CONFIGURE_OFF=	--with-pcap-includes=/usr/include
+PORTS_PCAP_BUILD_DEPENDS=	${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap
+
 .include <bsd.port.options.mk>
 
-.if ${PORT_OPTIONS:MPCRE}
-CONFIGURE_ARGS+=	--enable-pcre
-.endif
-
-.if ${PORT_OPTIONS:MPORTS_PCAP}
-CONFIGURE_ARGS+=	--with-pcap-includes=${LOCALBASE}/include
-BUILD_DEPENDS+=		${LOCALBASE}/lib/libpcap.a:${PORTSDIR}/net/libpcap
-.else
-CONFIGURE_ARGS+=	--with-pcap-includes=/usr/include
-.endif
-
-.if ${PORT_OPTIONS:MIPV6}
-CONFIGURE_ARGS+=	--enable-ipv6
-.endif
-
 post-patch:
 .if ${PORT_OPTIONS:MPORTS_PCAP}
 	@${REINPLACE_CMD} -e "s|-lpcap|${LOCALBASE}/lib/libpcap.a|g" \

net/ngrep/files/patch-Configure.in

@@ -0,0 +1,45 @@
+--- configure.in.orig	2006-11-15 07:43:56.000000000 +0400
++++ configure.in	2014-12-12 00:01:00.000000000 +0400
+@@ -110,6 +110,34 @@ else
+    USE_IPv6="0"
+ fi
+ 
++AC_ARG_ENABLE(capsicum,
++[  --enable-capsicum           enable capsicum support],
++[
++  use_capsicum="$enableval"
++],
++[ 
++  use_capsicum="no"
++])  
++
++#
++# Check whether various functions are available.  If any are, set
++# ac_lbl_capsicum_function_seen to yes; if any are not, set
++# ac_lbl_capsicum_function_not_seen to yes.
++#
++# All of them must be available in order to enable capsicum sandboxing.
++#
++if test $use_capsicum = yes && test $use_capsicum != no ; then
++	AC_CHECK_FUNCS(cap_enter cap_rights_limit cap_ioctls_limit openat,
++	    ac_lbl_capsicum_function_seen=yes,
++	    ac_lbl_capsicum_function_not_seen=yes)
++fi
++AC_MSG_CHECKING([whether to sandbox using capsicum])
++if test "x$ac_lbl_capsicum_function_seen" = "xyes" -a "x$ac_lbl_capsicum_function_not_seen" != "xyes"; then
++	HAVE_CAPSICUM="1"
++	AC_MSG_RESULT(yes)
++else
++	AC_MSG_RESULT(no)
++fi
+ 
+ dnl
+ dnl Configure the regular expression library.
+@@ -390,6 +418,7 @@ AC_DEFINE_UNQUOTED(USE_PCAP_RESTART,    
+ 
+ AC_DEFINE_UNQUOTED(USE_PCRE,                  $USE_PCRE,                  [whether to use PCRE (default GNU Regex)])
+ AC_DEFINE_UNQUOTED(USE_IPv6,                  $USE_IPv6,                  [whether to use IPv6 (default off)])
++AC_DEFINE_UNQUOTED(HAVE_CAPSICUM,	      $HAVE_CAPSICUM,		  [whether to use capsicum])
+ 
+ AC_DEFINE_UNQUOTED(USE_DROPPRIVS,             $USE_DROPPRIVS,             [whether to use privileges dropping (default yes)])
+ AC_DEFINE_UNQUOTED(DROPPRIVS_USER,           "$DROPPRIVS_USER",           [pseudo-user for running ngrep (default "nobody")])

net/ngrep/files/patch-ngrep.c

@@ -0,0 +1,69 @@
+--- ngrep.c.orig	2006-11-28 17:38:43.000000000 +0400
++++ ngrep.c	2014-12-12 11:14:13.000000000 +0400
+@@ -97,6 +97,10 @@
+ #include "regex-0.12/regex.h"
+ #endif
+ 
++#ifdef HAVE_CAPSICUM
++#include <sys/capability.h>
++#endif /* HAVE CAPSICUM */
++
+ #include "ngrep.h"
+ 
+ 
+@@ -186,6 +190,10 @@ uint32_t ws_row, ws_col = 80, ws_col_for
+ int main(int argc, char **argv) {
+     int32_t c;
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_t rights;
++#endif /* HAVE_CAPSICUM */
++
+     signal(SIGINT,   clean_exit);
+     signal(SIGABRT,  clean_exit);
+ 
+@@ -416,6 +424,23 @@ int main(int argc, char **argv) {
+         clean_exit(-1);
+     }
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
++    if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
++        errno != ENOSYS) {
++        fprintf(stderr, "unable to limit pcap descriptor");
++        clean_exit(-1);  
++        }
++
++    static const unsigned long cmds[] = { BIOCGSTATS };
++    if (cap_ioctls_limit(pcap_fileno(pd), cmds,
++        sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
++	fprintf(stderr, "unable to limit ioctls on pcap descriptor");
++        clean_exit(-1);
++	}
++
++#endif /* HAVE CAPSICUM */
++
+     if (match_data) {
+         if (bin_match) {
+             uint32_t i = 0, n;
+@@ -603,6 +628,20 @@ int main(int argc, char **argv) {
+     drop_privs();
+ #endif
+ 
++#ifdef HAVE_CAPSICUM
++    cap_rights_init(&rights);
++
++   if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS) {
++       fprintf(stderr, "can't limit stdin");
++       clean_exit(-1);
++   }
++
++   if (cap_enter() < 0 && errno != ENOSYS) {
++       fprintf(stderr, "Can't enter capability mode");
++       clean_exit(-1);
++    }
++#endif /* HAVE_CAPSICUM */
++
+     while (pcap_loop(pd, 0, (pcap_handler)process, 0));
+ 
+     clean_exit(0);