Implement pledge support for suricata.

from Emmanuel Roullit; OK gonzalo@

security/suricata/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.17 2019/04/05 12:24:00 bluhm Exp $
+# $OpenBSD: Makefile,v 1.18 2019/04/19 12:22:27 bluhm Exp $
 
 COMMENT =	high performance network IDS, IPS and security monitoring
 
 SURICATA_V =	4.1.3
 SUPDATE_V =	1.0.4
-REVISION =	3
+REVISION =	4
 
 DISTNAME =	suricata-${SURICATA_V}
 CATEGORIES =	security
@@ -20,6 +20,7 @@ PERMIT_PACKAGE_CDROM=	Yes
 
 MASTER_SITES =	https://www.openinfosecfoundation.org/download/
 
+# uses pledge()
 WANTLIB += c iconv jansson lz4 lzma magic net nspr4 nss3 nssutil3 pcap
 WANTLIB += pcre plc4 plds4 pthread smime3 ssl3 yaml-0 z
 

security/suricata/patches/patch-src_suricata_c

@@ -1,8 +1,9 @@
-$OpenBSD: patch-src_suricata_c,v 1.2 2019/03/26 13:46:24 bluhm Exp $
+$OpenBSD: patch-src_suricata_c,v 1.3 2019/04/19 12:22:27 bluhm Exp $
 
 https://github.com/OISF/suricata/commit/0ea3fa92a8955b065f052fb378aab253622f1a4e
 Use setresuid/gid() directly to change user and group.  Otherwise
 Suricata uses libcap-ng on Linux and runs as root elsewhere.
+https://github.com/OISF/suricata/commit/00917a0415629abbf675fd14d8752a0a27ab1ff5
 
 Index: src/suricata.c
 --- src/suricata.c.orig
@@ -65,11 +66,12 @@ Index: src/suricata.c
              suri->pid_filename = NULL;
              SCLogError(SC_ERR_PIDFILE_DAEMON,
                      "Unable to create PID file, concurrent run of"
-@@ -3027,6 +3044,7 @@ int main(int argc, char **argv)
+@@ -3027,6 +3044,8 @@ int main(int argc, char **argv)
  #endif
  #endif
  
 +    SCSetUserID(suricata.userid, suricata.groupid);
++    SCPledge();
      SuricataMainLoop(&suricata);
  
      /* Update the engine stage/status flag */

security/suricata/patches/patch-src_util-error_c

@@ -0,0 +1,15 @@
+$OpenBSD: patch-src_util-error_c,v 1.1 2019/04/19 12:22:27 bluhm Exp $
+
+https://github.com/OISF/suricata/commit/00917a0415629abbf675fd14d8752a0a27ab1ff5
+
+Index: src/util-error.c
+--- src/util-error.c.orig
++++ src/util-error.c
+@@ -198,6 +198,7 @@ const char * SCErrorToString(SCError err)
+         CASE_CODE (SC_ERR_CHANGING_CAPS_FAILED);
+         CASE_CODE (SC_ERR_LIBCAP_NG_REQUIRED);
+         CASE_CODE (SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG);
++        CASE_CODE (SC_ERR_PLEDGE_FAILED);
+         CASE_CODE (SC_WARN_FLOW_EMERGENCY);
+         CASE_CODE (SC_ERR_SVC);
+         CASE_CODE (SC_ERR_ERF_DAG_OPEN_FAILED);

security/suricata/patches/patch-src_util-error_h

@@ -0,0 +1,15 @@
+$OpenBSD: patch-src_util-error_h,v 1.1 2019/04/19 12:22:27 bluhm Exp $
+
+https://github.com/OISF/suricata/commit/00917a0415629abbf675fd14d8752a0a27ab1ff5
+
+Index: src/util-error.h
+--- src/util-error.h.orig
++++ src/util-error.h
+@@ -349,6 +349,7 @@ typedef enum {
+     SC_WARN_RUST_NOT_AVAILABLE,
+     SC_WARN_DEFAULT_WILL_CHANGE,
+     SC_WARN_EVE_MISSING_EVENTS,
++    SC_ERR_PLEDGE_FAILED,
+ 
+     SC_ERR_MAX,
+ } SCError;

security/suricata/patches/patch-src_util-logopenfile_c

@@ -1,6 +1,6 @@
-$OpenBSD: patch-src_util-logopenfile_c,v 1.1 2019/04/05 12:24:00 bluhm Exp $
+$OpenBSD: patch-src_util-logopenfile_c,v 1.2 2019/04/19 12:22:27 bluhm Exp $
 
-https://github.com/OISF/suricata/pull/3753/commits/26e3c07cc7fb5c480c6e776a6652f5de326e7dbb
+https://github.com/OISF/suricata/commit/4b4bb31c30339caa2c6020a7ec14bea848ba5a5d
 
 Index: src/util-logopenfile.c
 --- src/util-logopenfile.c.orig

security/suricata/patches/patch-src_util-privs_c

@@ -1,12 +1,13 @@
-$OpenBSD: patch-src_util-privs_c,v 1.1 2019/03/05 12:38:24 bluhm Exp $
+$OpenBSD: patch-src_util-privs_c,v 1.2 2019/04/19 12:22:27 bluhm Exp $
 
 Use setresuid/gid() directly to change user and group.  Otherwise 
 Suricata uses libcap-ng on Linux and runs as root elsewhere.
+https://github.com/OISF/suricata/commit/00917a0415629abbf675fd14d8752a0a27ab1ff5
 
 Index: src/util-privs.c
 --- src/util-privs.c.orig
 +++ src/util-privs.c
-@@ -235,4 +235,26 @@ int SCGetGroupID(const char *group_name, uint32_t *gid
+@@ -235,4 +235,41 @@ int SCGetGroupID(const char *group_name, uint32_t *gid
  
      return 0;
  }
@@ -31,5 +32,20 @@ Index: src/util-privs.c
 +
 +    return 0;
 +}
++
++#ifdef __OpenBSD__
++int SCPledge(void)
++{
++    int ret = pledge("stdio rpath wpath cpath fattr unix dns bpf", NULL);
++
++    if (ret != 0) {
++        SCLogError(SC_ERR_PLEDGE_FAILED, "unable to pledge,"
++                " check permissions!! ret=%i errno=%i", ret, errno);
++        exit(EXIT_FAILURE);
++    }
++
++    return 0;
++}
++#endif /* __OpenBSD__ */
 +
  #endif /* OS_WIN32 */

security/suricata/patches/patch-src_util-privs_h

@@ -1,16 +1,23 @@
-$OpenBSD: patch-src_util-privs_h,v 1.1 2019/03/05 12:38:24 bluhm Exp $
+$OpenBSD: patch-src_util-privs_h,v 1.2 2019/04/19 12:22:27 bluhm Exp $
 
 Use setresuid/gid() directly to change user and group.  Otherwise 
 Suricata uses libcap-ng on Linux and runs as root elsewhere.
+https://github.com/OISF/suricata/commit/00917a0415629abbf675fd14d8752a0a27ab1ff5
 
 Index: src/util-privs.h
 --- src/util-privs.h.orig
 +++ src/util-privs.h
-@@ -93,6 +93,7 @@ void SCDropMainThreadCaps(uint32_t , uint32_t );
+@@ -93,6 +93,13 @@ void SCDropMainThreadCaps(uint32_t , uint32_t );
  
  int SCGetUserID(const char *, const char *, uint32_t *, uint32_t *);
  int SCGetGroupID(const char *, uint32_t *);
 +int SCSetUserID(const uint32_t uid, const uint32_t gid);
++
++#ifdef __OpenBSD__
++int SCPledge(void);
++#else /* __OpenBSD__ */
++#define SCPledge(...)
++#endif /* __OpenBSD__ */
  
  #endif	/* _UTIL_PRIVS_H */