Initial import (#1268716)
parent
3c7c213fe1
commit
2f8dfd1c5e
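--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/cjdns-v17.3.tar.gz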
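--- a/cjdns.README_Fedora.md
+++ b/cjdns.README_Fedora.md
@@ -0,0 +1,40 @@
+# cjdns
+
+[Upstream](README.md)
+
+#### *Networking Reinvented*
+
+Cjdns implements an encrypted IPv6 network using public-key cryptography for
+address allocation and a distributed hash table for routing. This provides
+near-zero-configuration networking, and prevents many of the security and
+scalability issues that plague existing networks.
+
+## Startup
+
+The key part of cjdns is the cjdroute background daemon. To start cjdroute:
+
+systemctl start cjdns
+
+This will generate `/etc/cjdroute.conf` pre-populated with random keys and
+passwords. At first startup, cjdroute looks for neighboring cjdns peers
+on all active network interfaces using a layer 2 (e.g. ethernet) protocol.
+This is exactly what you want if you are on a wifi mesh. If you only have a
+conventional "clearnet" ISP, see the [upstream](README.md) README for
+instructions on adding peers using the UDP protocol. (Search for "Find a
+friend".)
+
+After adding peers to `/etc/cjdroute.conf`, restart cjdroute with:
+
+systemctl restart cjdns
+
+To have cjdroute start whenever you boot, use
+
+systemctl enable cjdns
+
+If you are on a laptop and suspend or hibernate it, cjdroute will take a few
+minutes to make coffee and figure out what just happened when it wakes up. You
+can speed this up dramatically with:
+
+systemctl enable cjdns-resume
+
+The resume service restarts cjdns when the system wakes up from sleep.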
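--- a/cjdns.cap3.patch
+++ b/cjdns.cap3.patch
@@ -0,0 +1,27 @@
+diff -up ./util/Setuid_linux.c.cap3 ./util/Setuid_linux.c
+--- ./util/Setuid_linux.c.cap3 2016-01-31 22:04:56.591743457 -0500
++++ ./util/Setuid_linux.c 2016-01-31 22:05:42.699060985 -0500
+@@ -50,9 +50,9 @@ static inline int capGet(cap_user_header
+void Setuid_preSetuid(struct Allocator* alloc, struct Except* eh)
+{
+cap_user_header_t hdr = Allocator_calloc(alloc, sizeof(*hdr), 1);
+- cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 1);
++ cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 2);
+
+- hdr->version = _LINUX_CAPABILITY_VERSION;
++ hdr->version = _LINUX_CAPABILITY_VERSION_3;
+hdr->pid = 0;
+if (capGet(hdr, data)) {
+Except_throw(eh, "Error getting capabilities: [errno:%d (%s)]", errno, strerror(errno));
+@@ -73,9 +73,9 @@ void Setuid_preSetuid(struct Allocator*
+void Setuid_postSetuid(struct Allocator* alloc, struct Except* eh)
+{
+cap_user_header_t hdr = Allocator_calloc(alloc, sizeof(*hdr), 1);
+- cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 1);
++ cap_user_data_t data = Allocator_calloc(alloc, sizeof(*data), 2);
+
+- hdr->version = _LINUX_CAPABILITY_VERSION;
++ hdr->version = _LINUX_CAPABILITY_VERSION_3;
+hdr->pid = 0;
+if (capGet(hdr, data)) {
+Except_throw(eh, "Error getting capabilities (post-setuid): [errno:%d (%s)]",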
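Review bot: The element count `2` passed to `Allocator_calloc` in both Setuid_preSetuid and Setuid_postSetuid is a bare literal that has to stay in step with the `hdr->version` assigned just below it; `<linux/capability.h>` already names that count, so `Allocator_calloc(alloc, sizeof(*data), _LINUX_CAPABILITY_U32S_3)` ties the buffer size to the ABI version. With version 3 the kernel fills two `cap_user_data_t` elements, so a one-element buffer would be written past its end, and a one-line comment saying so would stop the count from being "simplified" back later. Both function bodies continue past the hunks; any code there that edits the capability sets should be checked against the two-element layout, since it presumably still touches only the first element.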
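--- a/cjdns.dyn.patch
+++ b/cjdns.dyn.patch
@@ -0,0 +1,57 @@
+diff -up ./node_build/make.js.dyn ./node_build/make.js
+--- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500
++++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500
+@@ -238,41 +238,9 @@ Builder.configure({
+
+}).nThen(function (waitFor) {
+
+- builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
+- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
+-
+- Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
+- if (exists) { return; }
+-
+- console.log("Build NaCl");
+- var cwd = process.cwd();
+- process.chdir(dependencyDir + '/cnacl/');
+-
+- var NaCl = require(process.cwd() + '/node_build/make.js');
+- NaCl.build(function (args, callback) {
+- if (builder.config.systemName !== 'win32') {
+- args.unshift('-fPIC');
+- }
+-
+- args.unshift(builder.config.optimizeLevel, '-fomit-frame-pointer');
+-
+- if (CFLAGS) {
+- [].push.apply(args, CFLAGS.split(' '));
+- }
+-
+- if (!builder.config.crossCompiling) {
+- if (NO_MARCH_FLAG.indexOf(process.arch) < -1) {
+- builder.config.cflags.push('-march=native');
+- }
+- }
+-
+- builder.cc(args, callback);
+- },
+- builder.config,
+- waitFor(function () {
+- process.chdir(cwd);
+- }));
+- }));
++ builder.config.libs.push('-lnacl');
++ builder.config.libs.push('-lstdc++');
++ builder.config.includeDirs.push('/usr/include/nacl/');
+
+}).nThen(function (waitFor) {
+
+@@ -411,7 +379,7 @@ Builder.configure({
+builder.buildExecutable('crypto/random/randombytes.c');
+
+builder.lintFiles(function (fileName, file, callback) {
+- if (/dependencies/.test(fileName)) {
++ if (/(dependencies|\/usr\/include)/.test(fileName)) {
+callback('', false);
+return;
+}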
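Review bot: The lint exclusion `/(dependencies|\/usr\/include)/` in the second hunk is unanchored, so any file whose path merely contains `/usr/include` is skipped by the linter without a message; if `fileName` is an absolute path (not visible here), `/(dependencies|^\/usr\/include\/)/` limits the skip to system headers. In the first hunk `'-lstdc++'` and the fixed `'/usr/include/nacl/'` directory are pushed with no explanation; a comment such as `// link the system libnacl instead of the bundled cnacl; -lstdc++ is for its C++ objects` would record the intent, assuming that is the reason. The enclosing nThen callbacks start and end outside the hunks.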
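--- a/cjdns.el6.patch
+++ b/cjdns.el6.patch
@@ -0,0 +1,41 @@
+diff -up ./contrib/selinux/cjdns.te.el6 ./contrib/selinux/cjdns.te
+--- ./contrib/selinux/cjdns.te.el6 2016-02-25 20:26:20.635992411 -0500
++++ ./contrib/selinux/cjdns.te 2016-02-25 20:28:05.804135692 -0500
+@@ -5,9 +5,7 @@ require {
+type tun_tap_device_t;
+type node_t;
+type port_t;
+- type unreserved_port_t;
+type tmp_t;
+- type passwd_file_t;
+type net_conf_t;
+}
+
+@@ -20,15 +18,12 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
+allow cjdns_t self:process { signal getcap setrlimit setcap };
+-# translate username to uid
+-allow cjdns_t passwd_file_t:file { read getattr open };
+
+# translate host names
+allow cjdns_t net_conf_t:file { read getattr open };
+# allow network access
+allow cjdns_t node_t:udp_socket node_bind;
+allow cjdns_t port_t:udp_socket name_bind;
+-allow cjdns_t unreserved_port_t:udp_socket name_bind;
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cjdns_t self:packet_socket { bind create ioctl read write };
+allow cjdns_t self:tun_socket create;
+diff -up ./node_build/FindPython2.js.el6 ./node_build/FindPython2.js
+--- ./node_build/FindPython2.js.el6 2016-01-27 03:07:49.000000000 -0500
++++ ./node_build/FindPython2.js 2016-02-25 20:26:20.636992421 -0500
+@@ -21,7 +21,7 @@ var PYTHONS = ["python", "python2", "pyt
+var SCRIPT = [
+'import sys;',
+'print(sys.version_info);',
+- 'exit(sys.version_info[0] != 2 or sys.version_info[1] < 7);'
++ 'exit(sys.version_info[0] != 2 or sys.version_info[1] < 6);'
+].join('\n');
+
+var find = module.exports.find = function (tempFile, callback) {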
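Review bot: The cjdns.te hunks drop the `passwd_file_t` read rule together with its `# translate username to uid` comment, while cjdns.genconf.patch makes the default `setuser` a named account (`cjdns`) that has to be resolved to a uid at startup, and nothing here says why that lookup still works under this policy. If the reason is that `passwd_file_t` and `unreserved_port_t` do not exist in the EL6 policy (an assumption, not visible on this page), record it in the `require` block, e.g. `# EL6 policy lacks passwd_file_t and unreserved_port_t; port_t covers the UDP bind`. The patch also needs to be applied only on EL6 builds, which depends on spec logic outside this section.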
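--- a/cjdns.genconf.patch
+++ b/cjdns.genconf.patch
@@ -0,0 +1,21 @@
+diff -up ./client/cjdroute2.c.genconf ./client/cjdroute2.c
+--- ./client/cjdroute2.c.genconf 2016-01-19 15:19:10.084151612 -0500
++++ ./client/cjdroute2.c 2016-01-19 15:21:18.035546520 -0500
+@@ -323,7 +323,7 @@ static int genconf(struct Random* rand,
+" // and ETHInterface will be unable to hot-add new interfaces\n"
+" // Use { \"setuser\": 0 } to disable.\n"
+" // Default: enabled with keepNetAdmin\n"
+- " { \"setuser\": \"nobody\", \"keepNetAdmin\": 1 },\n"
++ " { \"setuser\": \"cjdns\", \"keepNetAdmin\": 1 },\n"
+"\n"
+" // Chroot changes the filesystem root directory which cjdns sees, blocking it\n"
+" // from accessing files outside of the chroot sandbox, if the user does not\n"
+@@ -335,7 +335,7 @@ static int genconf(struct Random* rand,
+}
+else {
+printf(" // Default: enabled (using \"/var/run\")\n"
+- " { \"chroot\": \"/var/run/\" },\n");
++ " { \"chroot\": \"/var/empty/cjdns\" },\n");
+}
+printf("\n"
+" // Nofiles is a deprecated security feature which prevents cjdns from opening\n"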
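Review bot: The generated comment `// Default: enabled (using \"/var/run\")` in the second hunk is left as it was while the value printed beneath it becomes `/var/empty/cjdns`, so every newly generated cjdroute.conf will describe a chroot directory it does not use; the string should read `" // Default: enabled (using \"/var/empty/cjdns\")\n"`. Both new defaults rely on the package creating the `cjdns` account and an empty directory the daemon cannot write to, neither of which is visible in this patch; if either is missing, the privilege drop or the chroot presumably fails at startup. genconf's body continues outside both hunks.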
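--- a/cjdns.man.patch
+++ b/cjdns.man.patch
@@ -0,0 +1,253 @@
+diff -up ./contrib/doc/cjdns-online.md.man ./contrib/doc/cjdns-online.md
+--- ./contrib/doc/cjdns-online.md.man 2016-03-08 18:57:49.297123587 -0500
++++ ./contrib/doc/cjdns-online.md 2016-03-08 18:56:28.344871576 -0500
+@@ -0,0 +1,33 @@
++cjdns-online(1) -- check whether cjdns tunnel devices are available
++=============================================
++
++## SYNOPSIS
++
++`cjdns-online` [<options>...]
++
++## DESCRIPTION
++
++Cjdns-online waits for cjdns to make its tunnel device available so
++that services that listen on the cjdns IP can start. If you have
++configured services to listen on the cjdns IP, then you can use:
++
++ systemctl enable cjdns-wait-online
++
++to wait until this IP is available before starting network services.
++This will increase your boot time somewhat, but is needed to launch
++thttpd at boot, for example.
++
++##OPTIONS
++
++ * `-t`, `--timeout` <timeout_value>:
++ time to wait in seconds, default 30
++
++ * `-x`, `--exit`:
++ Exit immediately if cjdns is not online
++
++ * `-q`, `--quiet`:
++ Don't print anything
++
++ * `-s`, `--wait-for-startup`:
++ Wait for full startup instead of just tun dev. This is not implemented.
++
+diff -up ./contrib/doc/cjdroute.md.man ./contrib/doc/cjdroute.md
+--- ./contrib/doc/cjdroute.md.man 2016-03-08 18:47:02.960143140 -0500
++++ ./contrib/doc/cjdroute.md 2016-03-08 18:47:02.960143140 -0500
+@@ -0,0 +1,76 @@
++cjdroute(1) -- Cjdns packet switch
++=============================================
++
++## SYNOPSIS
++
++`/usr/sbin/cjdroute` [<options>...]
++
++## DESCRIPTION
++
++Cjdns implements an encrypted IPv6 network using public-key cryptography for
++address allocation and a distributed hash table for routing. This provides
++near-zero-configuration networking, and prevents many of the security and
++scalability issues that plague existing networks.
++
++cjdroute runs in the background and either decrypts packets addressed to
++this node, or sends them on to the next node in the route.
++
++##OPTIONS
++
++ * `--help`:
++ Print usage summary.
++
++ * `--genconf` [--no-eth]:
++ Generate a configuration file, write it to stdout.
++ If --no-eth is specified then ethernet beaconing will be disabled.
++
++ * `--bench`:
++ Run some cryptography performance benchmarks.
++
++ * `--version`:
++ Print cjdroute version and the protocol version which this node speaks.
++
++ * `--cleanconf` < conf:
++ Print a clean (valid json) version of the config.
++
++ * `--nobg`
++ Never fork to the background no matter the config.
++
++##USAGE
++
++To get the router up and running:
++
++ * Step 1:
++ Generate a new configuration file if one doesn't already exist.
++
++ cjdroute --genconf > /etc/cjdroute.conf
++
++ You can also simply:
++
++ systemctl start cjdns
++
++ which will tell cjdroute to generate a new config if needed.
++
++ * Step 2:
++ Find somebody to connect to.
++ Check out the IRC channel or http://hyperboria.net/
++ for information about how to meet new people and make connect to them.
++ Read more here: https://github.com/cjdelisle/cjdns/#2-find-a-friend
++
++ By default, cjdroute will find any cjdns nodes on your local LAN
++ without any configuration.
++
++ * Step 3:
++ Add that somebody's node to your cjdroute.conf file.
++ https://github.com/cjdelisle/cjdns/#3-connect-your-node-to-your-friends-node
++
++ * Step 4:
++ Fire it up!
++
++ systemctl start cjdns
++
++ Or if you had already started cjdns:
++
++ systemctl restart cjdns
++
++For more information about other functions and non-standard setups, see README.md
+diff -up ./contrib/doc/makekeys.md.man ./contrib/doc/makekeys.md
+--- ./contrib/doc/makekeys.md.man 2016-03-08 18:47:02.960143140 -0500
++++ ./contrib/doc/makekeys.md 2016-03-08 18:47:02.960143140 -0500
+@@ -0,0 +1,18 @@
++makekeys(1) -- write cjdns keys generated via libnacl to stdout
++=============================================
++
++## SYNOPSIS
++
++`makekeys`
++
++## DESCRIPTION
++
++Generates cjdns private keys and writes them to stdout forever with
++corresponding IP6 address and public key. Sample:
++
++ 9b5520e11b4e1aac4e54cf8382ca219b6942f75519dbe7cc71fc6c4bb636a2db fca1:43dc:9e20:68dc:df3f:6bf1:fbf9:37ab x70u0x6sfh0yuushlq7wvcdxj8rgb8lvss9t6f42zp60ftq71cm0.k
++ 579db68cfdeaeda1ff7f365c73e620bedb0f68cb443a0cd7ef6bae16d0e1e12e fc68:b272:3aa3:cb4a:a686:dab0:7df5:2fb5 fmurp2qrb0yqmcjmbjtuhuxuf6v3rgmdn9hgsfh47k20h68y2lz0.k
++
++## SEE ALSO
++
++publictoip6(1)
+diff -up ./contrib/doc/privatetopublic.md.man ./contrib/doc/privatetopublic.md
+--- ./contrib/doc/privatetopublic.md.man 2016-03-08 18:47:02.961143168 -0500
++++ ./contrib/doc/privatetopublic.md 2016-03-08 22:34:30.532757463 -0500
+@@ -0,0 +1,25 @@
++privatetopublic(8) -- convert cjdns private keys to public keys and IP6
++=============================================
++
++## SYNOPSIS
++
++`/usr/libexec/cjdns/privatetopublic`
++
++## DESCRIPTION
++
++As private keys are very sensitive, /usr/libexec/cjdns/privatetopublic reads
++them from stdin. If your shell, terminal, or other program keeps history,
++please avoid `echo 'key' | /usr/libexec/cjdns/privatetopublic`, or similar
++constructs. A heredoc is suitable for use in scripts, and will avoid
++unwanted revealing of the key in process lists, like so:
++
++ /usr/libexec/cjdns/privatetopublic <<EOF
++ key
++ EOF
++
++Key should be in hex form, maximum 64 characters. Extra characters will be
++silently ignored.
++
++## SEE ALSO
++
++publictoip6(1)
+diff -up ./contrib/doc/publictoip6.md.man ./contrib/doc/publictoip6.md
+--- ./contrib/doc/publictoip6.md.man 2016-03-08 18:47:02.961143168 -0500
++++ ./contrib/doc/publictoip6.md 2016-03-08 18:47:02.961143168 -0500
+@@ -0,0 +1,14 @@
++publictoip6(1) -- write random bytes generated via libnacl to stdout
++=============================================
++
++## SYNOPSIS
++
++`publictoip6` <public key>
++
++## DESCRIPTION
++Get a cjdns IPv6 address from a public key and write to stdout.
++The key should be in Base32 and end in '.k'.
++
++## SEE ALSO
++
++randombytes(1)
+diff -up ./contrib/doc/randombytes.md.man ./contrib/doc/randombytes.md
+--- ./contrib/doc/randombytes.md.man 2016-03-08 18:47:02.961143168 -0500
++++ ./contrib/doc/randombytes.md 2016-03-08 18:47:02.961143168 -0500
+@@ -0,0 +1,16 @@
++randombytes(1) -- write random bytes generated via libnacl to stdout
++=============================================
++
++## SYNOPSIS
++
++`randombytes`
++
++## DESCRIPTION
++
++Writes random bytes to stdout forever using the cryptographically secure
++random generator in libnacl. In practice, the output is piped
++to a program like dd(1) or base64(1).
++
++## SEE ALSO
++
++makekeys(1)
+diff -up ./contrib/doc/sybilsim.md.man ./contrib/doc/sybilsim.md
+--- ./contrib/doc/sybilsim.md.man 2016-03-08 18:47:02.962143196 -0500
++++ ./contrib/doc/sybilsim.md 2016-03-08 18:47:02.962143196 -0500
+@@ -0,0 +1,43 @@
++sybilsim(8) -- Cjdns packet switch
++=============================================
++
++## SYNOPSIS
++
++`/usr/libexec/cjdns/sybilsim < config.json`
++
++## DESCRIPTION
++
++Sybilsim reads a list of nodes and peers from stdin and simulates the
++corresponding mesh without any actual networking using the same code
++as cjdroute. This is useful for testing and optimizing cjdroute.
++Every node must have a valid cjdns private key. The makekeys(1) utility can be
++useful for scripts that generate the config.
++
++##USAGE
++
++Example config:
++
++ {
++ "nodes": {
++ "alice": {
++ "privateKey":
++ "5e2295679394e5e1db67c238abbc10292ad9b127904394c52cc5fff39383e920",
++ "peers": []
++ },
++ "bob": {
++ "privateKey":
++ "6569bf3f0d168faa6dfb2912f8ee5ee9b938319e97618fdf06caed73b1aad1cc",
++ "peers": [ "alice" ]
++ }
++ }
++ }
++
++Example use:
++
++ makekeys | head -20 >keys.txt
++ node /usr/libexec/cjdns/tools/lib/makesim.js keys.txt |
++ /usr/libexec/cjdns/sybilsim
++
++## SEE ALSO
++
++makekeys(1), cjdroute(1)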
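--- a/cjdns.nprocs.patch
+++ b/cjdns.nprocs.patch
@@ -0,0 +1,50 @@
+diff -up ./util/Security.c.nprocs ./util/Security.c
+--- ./util/Security.c.nprocs 2016-01-27 03:07:49.000000000 -0500
++++ ./util/Security.c 2016-02-22 20:30:06.153297256 -0500
+@@ -31,6 +31,7 @@
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
++#include <grp.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <stdio.h>
+@@ -66,12 +67,17 @@ void Security_setUser(int uid,
+{
+int gidErrno = 0;
+int uidErrno = 0;
++ int setGroupErrno = 0;
++ pid_t groups[1];
+if (keepNetAdmin) {
+Setuid_preSetuid(alloc, eh);
+}
+if (gid && setgid(gid)) {
+gidErrno = errno;
+}
++ if (setgroups(0,groups)) {
++ setGroupErrno = errno;
++ }
+if (setuid(uid)) {
+// errno is global and could get overwritten by Setuid_postSetuid()
+uidErrno = errno;
+@@ -85,6 +91,9 @@ void Security_setUser(int uid,
+if (uid != (int) getuid()) {
+Except_throw(eh, "Failed to set UID but seemed to succeed");
+}
++ if (setGroupErrno > 0) {
++ Except_throw(eh, "Failed to setgroups [%s]", strerror(setGroupErrno));
++ }
+if (gidErrno > 0) {
+Except_throw(eh, "Failed to set GID [%s]", strerror(gidErrno));
+}
+@@ -119,8 +128,8 @@ void Security_nofiles(struct Except* eh)
+
+void Security_noforks(struct Except* eh)
+{
+- if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 0, 0 })) {
+- Except_throw(eh, "Failed to set fork limit to 0 [%s]", strerror(errno));
++ if (setrlimit(RLIMIT_NPROC, &(struct rlimit){ 1, 1 })) {
++ Except_throw(eh, "Failed to set process limit to 1 [%s]", strerror(errno));
+}
+}
+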
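Review bot: `pid_t groups[1];` in Security_setUser has the wrong element type for `setgroups()`, which takes a `const gid_t *`, and the array is never initialised; with a count of 0 the list is not read, so drop the array and write `if (setgroups(0, NULL)) {`. The call is unconditional, so a caller without CAP_SETGID that used to get through (for example `gid` 0 with `uid` equal to the current uid) would now reach the new "Failed to setgroups" throw; confirm that is intended. In Security_noforks the limit becomes 1 but neither the function name nor a comment says why; something like `// 1, not 0: a zero limit breaks setuid()/exec on some kernels; fork is still expected to fail once this uid owns one process` would carry over the reasoning given in the spec file. Security_setUser's body extends beyond the hunks shown.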
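--- a/cjdns.sbin.patch
+++ b/cjdns.sbin.patch
@@ -0,0 +1,151 @@
+diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh
+--- ./contrib/systemd/cjdns-online.sh.sbin 2016-03-08 18:47:02.883140998 -0500
++++ ./contrib/systemd/cjdns-online.sh 2016-03-10 17:16:45.909853618 -0500
+@@ -0,0 +1,75 @@
++#!/bin/sh
++# Check whether cjdns IPs are available
++# Copyright (C) 2016 Stuart D. Gathman <stuart@gathman.org>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++cjdns_ips() {
++ ip -6 -o addr | while read i dev fam ip rem; do
++ case "$ip" in
++ fc*:*/8) echo "${ip%/8}";;
++ esac
++ done
++}
++
++die() {
++ echo "$1" >&2
++ exit 1
++}
++
++PROGRAM_NAME="/usr/bin/cjdns-online"
++
++ARGS=$(getopt -n $PROGRAM_NAME -o t:xqsh \
++ --long timeout:,exit,quiet,wait-for-startup,help -- "$@")
++
++# Die if they fat finger arguments, this program may be run as root
++[ $? = 0 ] || die "Error parsing arguments. Try $PROGRAM_NAME --help"
++
++help() {
++ cat <<EOH
++Usage: $PROGRAM_NAME [options]
++ -t, --timeout <timeout_value> time to wait in seconds, default 30
++ -x, --exit exit immediately if cjdns is not online
++ -q, --quiet don't print anything
++ -s, --wait-for-startup wait for full startup instead of just tun dev
++EOH
++ exit 2
++}
++
++let timeout="30"
++let nowait="0"
++let quiet="0"
++let startup="0"
++
++eval set -- "$ARGS"
++while true; do
++ case "$1" in
++ -t|--timeout) let timeout="$2" || help; shift 2; continue;;
++ -x|--exit) let nowait="1"; shift;;
++ -q|--quiet) let quiet="1"; shift;;
++ -s|--wait-for-startup) let startup="1"; shift;;
++ --) shift; break;;
++ *) help;;
++ esac
++done
++
++let started="$(date +%s)"
++while test -z "$(cjdns_ips)"; do
++ let elapsed="$(date +%s) - $started"
++ [ $elapsed -gt $timeout ] && exit 1
++ sleep 2
++done
++if [ "$quiet" -eq 0 ]; then
++ cjdns_ips
++fi
+diff -up ./contrib/systemd/cjdns-resume.service.sbin ./contrib/systemd/cjdns-resume.service
+--- ./contrib/systemd/cjdns-resume.service.sbin 2016-03-08 18:47:02.883140998 -0500
++++ ./contrib/systemd/cjdns-resume.service 2016-03-08 18:47:02.883140998 -0500
+@@ -0,0 +1,10 @@
++[Unit]
++Description=Restart cjdns on resume from sleep
++After=sleep.target
++
++[Service]
++Type=oneshot
++ExecStart=/usr/bin/systemctl restart cjdns
++
++[Install]
++WantedBy=sleep.target
+diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
+--- ./contrib/systemd/cjdns.service.sbin 2016-01-27 03:07:49.000000000 -0500
++++ ./contrib/systemd/cjdns.service 2016-03-08 18:47:02.884141026 -0500
+@@ -9,10 +9,10 @@ ProtectSystem=true
+SyslogIdentifier=cjdroute
+ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
+then umask 077; \
+- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
++ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
+echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
+- fi"
+-ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
++ fi; /usr/sbin/modprobe tun"
++ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
+Restart=always
+
+[Install]
+diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
+--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-03-08 18:47:02.885141054 -0500
++++ ./contrib/systemd/cjdns-wait-online.service 2016-03-08 23:49:38.996469685 -0500
+@@ -0,0 +1,13 @@
++[Unit]
++Description=CJDNS Wait Online
++Requisite=cjdns.service
++After=cjdns.service
++Wants=network.target
++Before=network-online.target
++
++[Service]
++Type=oneshot
++ExecStart=/usr/bin/cjdns-online -s -q --timeout=30
++
++[Install]
++WantedBy=multi-user.target
+diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf
+--- ./contrib/upstart/cjdns.conf.sbin 2016-01-27 03:07:49.000000000 -0500
++++ ./contrib/upstart/cjdns.conf 2016-03-08 18:47:02.885141054 -0500
+@@ -13,10 +13,13 @@ pre-start script
+if ! [ -s /etc/cjdroute.conf ]; then
+( # start a subshell to avoid side effects of umask later on
+umask 077 # to create the file with 600 permissions without races
+- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf
++ # use cat because cjdroute can't write directly to /etc
++ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf
+) # exit subshell; umask no longer applies
+echo 'WARNING: A new cjdns cjdroute.conf file has been generated.'
+fi
++ # preload tun driver, since we prevent module_request
++ /sbin/modprobe tun
+
+# If you need a non-standard setup, as described in
+# https://github.com/cjdelisle/cjdns#non-standard-setups,
+@@ -25,4 +28,4 @@ pre-start script
+# see http://upstart.ubuntu.com/cookbook/#setuid
+end script
+
+-exec /usr/bin/cjdroute --nobg < /etc/cjdroute.conf
++exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf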
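Review bot: In cjdns-online.sh the option loop runs `let timeout="$2"`, which passes a command-line argument to shell arithmetic evaluation instead of parsing a number, in a script whose own comment says it may be run as root; reject anything but digits first, e.g. `-t|--timeout) case "$2" in ''|*[!0-9]*) help;; esac; timeout=$2; shift 2; continue;;`. `let` is also not POSIX, so the `#!/bin/sh` line only works where /bin/sh is bash. `nowait` and `startup` are assigned but never read, so `-x` does not exit immediately as the help text says it does. In cjdns.service and the upstart job, `cjdroute --genconf | cat > /etc/cjdroute.conf` takes its exit status from `cat`, so a failed genconf would still print the WARNING line and could leave a partial file that the `-s` test accepts on the next start.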
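--- a/cjdns.selinux.patch
+++ b/cjdns.selinux.patch
@@ -0,0 +1,41 @@
+diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
+--- ./contrib/selinux/cjdns.te.selinux 2015-11-02 17:59:41.000000000 -0500
++++ ./contrib/selinux/cjdns.te 2015-11-03 00:10:49.098890187 -0500
+@@ -7,8 +7,8 @@ require {
+type port_t;
+type unreserved_port_t;
+type tmp_t;
+- type kernel_t;
+type passwd_file_t;
++ type net_conf_t;
+}
+
+type cjdns_t;
+@@ -18,12 +18,13 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+#============= cjdns_t ==============
+# Let master process run further restricted subprocess
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
+-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
++allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
+allow cjdns_t self:process { signal getcap setrlimit setcap };
+-allow cjdns_t kernel_t:system module_request;
+# translate username to uid
+allow cjdns_t passwd_file_t:file { read getattr open };
+
++# translate host names
++allow cjdns_t net_conf_t:file { read getattr open };
+# allow network access
+allow cjdns_t node_t:udp_socket node_bind;
+allow cjdns_t port_t:udp_socket name_bind;
+@@ -31,10 +32,9 @@ allow cjdns_t unreserved_port_t:udp_sock
+allow cjdns_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cjdns_t self:packet_socket { bind create ioctl read write };
+allow cjdns_t self:tun_socket create;
+-allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write };
++allow cjdns_t self:udp_socket { create setopt bind ioctl getattr read write connect };
+allow cjdns_t tun_tap_device_t:chr_file { read write open ioctl };
+
+-
+# management API
+allow cjdns_t self:unix_stream_socket connectto;
+allow cjdns_t tmp_t:sock_file { write create unlink };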
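Review bot: Dropping `sys_module` and `kernel_t:system module_request` narrows the domain, but the policy no longer records that the tun driver must already be loaded when cjdroute starts; add a comment beside the capability rule, e.g. `# no sys_module/module_request: the init script runs modprobe tun before cjdroute starts`, so the two pieces are not separated later. The `connect` permission added to `self:udp_socket` has no comment, unlike the rules around it; say what needs it (the `# translate host names` rule added above suggests resolver traffic, but that is an inference from this hunk).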
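--- /dev/null
+++ b/cjdns.spec
@@ -0,0 +1,531 @@
+
+# Fedora review: http://bugzilla.redhat.com/1268716
+
+# Use the optimized libnacl embedded with cjdns
+%global use_embedded 0
+
+%if 0%{?rhel} >= 5 && 0%{?rhel} < 7
+%global use_systemd 0
+%else
+%global use_systemd 1
+%endif
+
+%if 0%{?rhel} == 6
+%global use_upstart 1
+%else
+%global use_upstart 0
+%endif
+
+# FIXME: Needs dependencies and install www dir someplace reasonable.
+%global with_admin 0
+
+# FIXME: python tools need to make cjdnsadmin a proper python package
+%global with_python 1
+
+%{!?__restorecon: %global __restorecon /sbin/restorecon}
+
+Name: cjdns
+# major version is cjdns protocol version:
+Version: 17.3
+Release: 10%{?dist}
+Summary: The privacy-friendly network without borders
+Group: System Environment/Base
+# cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
+# cnacl is unused except when use_embedded is true
+License: GPLv3 and MIT and BSD and ISC
+URL: http://hyperboria.net/
+Source0: https://github.com/cjdelisle/cjdns/archive/%{name}-v%{version}.tar.gz
+Source1: cjdns.README_Fedora.md
+# Add targeted selinux policy
+Patch0: cjdns.selinux.patch
+# Allow python2.6 for build. Python is not used during the build
+# process. The python tools allegedly depend on python2.7, but that can
+# be in Requires for the subpackage.
+Patch1: cjdns.el6.patch
+# Fix RLIMIT_NPROC - setuid() bug. In its low priv process, cjdroute calls
+#
+# setrlimit(RLIMIT_NPROC, &(struct rlimit){ 0, 0 })
+#
+# which on recent kernels prevents fork() or exec() after the following
+# setuid(). This is due to changes discussed here:
+#
+# https://lwn.net/Articles/451985/
+#
+# On the 2.6.32 kernel used by EL6, the above causes setuid() to fail.
+# This patch sets RLIMIT_NPROC to { 1, 1 } instead, which prevents
+# fork(), but not exec, and calls setgroups() before setuid().
+Patch2: cjdns.nprocs.patch
+# Change defaults generated by cjdroute --genconf
+Patch4: cjdns.genconf.patch
+# Patch contributed init scripts to put cjdroute in /usr/sbin and
+# add additional service options.
+Patch5: cjdns.sbin.patch
+# Patch make.js to use dynamic nacl library
+Patch6: cjdns.dyn.patch
+# Patch to use _LINUX_CAPABILITY_3
+Patch7: cjdns.cap3.patch
+# Patch some source files to ignore selected warnings that break gcc6 builds
+Patch8: cjdns.warnings.patch
+# Man pages
+Patch9: cjdns.man.patch
+
+BuildRequires: nodejs, nodejs-ronn
+
+# Automated package review hates explicit BR on make, but it *is* needed
+BuildRequires: make
+
+%if !%{use_embedded}
+# x86_64 and ARM libnacl are not compiled with -fPIC before Fedora release 11.
+BuildRequires: nacl-devel >= 20110221-11
+%endif
+%if %{use_systemd}
+# systemd macros are not defined unless systemd is present
+BuildRequires: systemd
+Requires: systemd
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+%endif
+Requires(pre): shadow-utils
+Provides: bundled(libuv) = 0.11.4
+
+%description
+Cjdns implements an encrypted IPv6 network using public-key cryptography for
+address allocation and a distributed hash table for routing. This provides
+near-zero-configuration networking, and prevents many of the security and
+scalability issues that plague existing networks.
+
+%package selinux
+Summary: Targeted SELinux policy module for cjdns
+Group: System Environment/Base
+BuildRequires: policycoreutils, checkpolicy, selinux-policy-devel
+Requires: policycoreutils, selinux-policy-targeted
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+
+%description selinux
+Targeted SELinux policy module for cjdns.
+
+# FIXME: keep C tools separate?
+%package tools
+Summary: nodejs tools for cjdns
+Group: System Environment/Base
+Requires: nodejs, %{name} = %{version}-%{release}
+BuildArch: noarch
+
+%description tools
+C language and nodejs tools for cjdns.
+
+%package python
+Summary: Python tools for cjdns
+Group: System Environment/Base
+Requires: python, %{name} = %{version}-%{release}
+BuildArch: noarch
+
+%description python
+Python tools for cjdns.
+
+%package graph
+Summary: Python tools for cjdns
+Group: System Environment/Base
+Requires: %{name}-python = %{version}-%{release}, python-networkx
+BuildArch: noarch
+
+%description graph
+Python graphing tools for cjdns.
+
+%prep
+%setup -qn cjdns-%{name}-v%{version}
+%patch0 -b .selinux
+%if 0%{?rhel} == 6
+%patch1 -b .el6
+%endif
+
+%patch2 -b .nprocs
+%patch4 -b .genconf
+%patch5 -b .sbin
+
+%if !%{use_embedded}
+# use system nacl library if provided.
+if test -x %{_libdir}/libnacl.so; then
+%patch6 -b .dyn
+rm -rf node_build/dependencies/cnacl
+# use static library if system nacl doesn't provide dynamic
+elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then
+cd node_build/dependencies
+rm -rf cnacl
+mkdir -p cnacl/jsbuild
+ln -s %{_libdir}/libnacl.a cnacl/jsbuild
+ln -s %{_includedir}/nacl cnacl/jsbuild/include
+cd -
+fi
+%endif
+
+%patch7 -b .cap3
+
+%if !0%{?rhel} || 0%{?rhel} > 6
+%patch8 -b .warnings
+%endif
+
+%patch9 -b .man
+
+cp %{SOURCE1} README_Fedora.md
+
+# Remove #!env from python scripts
+chmod a+x contrib/python/cjdnsadmin/cli.py
+find contrib/python/cjdnsadmin ! -executable -name "*.py" |
+xargs sed -e '\,^#!/usr/bin/env, d' -i
+find contrib/python -type f |
+xargs sed -e '1 s,^#!/usr/bin/env ,#!/usr/bin/,' -i
+
+# Remove #!env from nodejs scripts
+find tools -type f | xargs grep -l '^#!\/usr\/bin\/env ' |
+xargs sed -e '1 s,^#!/usr/bin/env ,#!/usr/bin/,' -i
+
+# Remove unpackaged code with undeclared licenses
+%if %{with_admin}
+rm -rf contrib/nodejs # GPLv3 and ASL 2.0
+%endif
+rm -rf contrib/http # GPLv2 and MIT
+
+# FIXME: grep Version_CURRENT_PROTOCOL util/version/Version.h and
+# check that it matches major %%{version}
+
+%build
+cd contrib/selinux
+ln -s /usr/share/selinux/devel/Makefile .
+make
+cd -
+# nodejs based build system
+CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do
+
+# FIXME: use system libuv on compatible systems
+# bundled libuv is 0.11.4 with changes:
+# https://github.com/cjdelisle/cjdns/commits/master/node_build/dependencies/libuv
+
+%install
+%if 0%{?rhel} == 5
+rm -rf %{buildroot} # needed on RHEL5
+%endif
+
+# the main switch process
+mkdir -p %{buildroot}%{_sbindir}
+install -p cjdroute %{buildroot}%{_sbindir}
+
+# init support
+%if %{use_upstart}
+mkdir -p %{buildroot}%{_sysconfdir}/init
+install -pm 644 contrib/upstart/cjdns.conf %{buildroot}%{_sysconfdir}/init
+%endif
+%if %{use_systemd}
+mkdir -p %{buildroot}%{_unitdir}
+install -pm 644 contrib/systemd/cjdns*.service %{buildroot}%{_unitdir}
+%endif
+
+# chroot
+mkdir -p %{buildroot}/var/empty/cjdns
+
+# install selinux modules
+mkdir -p %{buildroot}%{_datadir}/selinux/targeted
+install -pm 644 contrib/selinux/cjdns.pp %{buildroot}%{_datadir}/selinux/targeted
+ln -f contrib/selinux/cjdns.{te,fc} . # for doc dir
+
+# install c and nodejs tools
+mkdir -p %{buildroot}%{_libexecdir}/cjdns/{node_build,contrib}
+install -p publictoip6 privatetopublic makekeys randombytes sybilsim \
+%{buildroot}%{_libexecdir}/cjdns
+rm -f node_modules/nthen/.npmignore
+cp -pr tools node_modules %{buildroot}%{_libexecdir}/cjdns
+
+
+%if %{with_admin}
+rm -f contrib/nodejs/admin/.gitignore
+cp -pr contrib/nodejs/admin %{buildroot}%{_libexecdir}/cjdns
+%endif
+
+# symlinks for selected nodejs tools
+mkdir -p %{buildroot}%{_bindir}
+for t in peerStats sessionStats cjdnslog search dumpLinks dumptable \
+dumpRumorMill pathfinderTree pingAll; do
+ln -sf %{_libexecdir}/cjdns/tools/$t %{buildroot}%{_bindir}
+done
+
+# symlinks for selected C tools
+for t in publictoip6 randombytes makekeys; do
+ln -sf %{_libexecdir}/cjdns/$t %{buildroot}%{_bindir}
+done
+
+# cjdns-online script
+install -pm 755 contrib/systemd/cjdns-online.sh \
+%{buildroot}%{_bindir}/cjdns-online
+
+# man pages
+mkdir -p %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_mandir}/man5
+mkdir -p %{buildroot}%{_mandir}/man8
+install -pm 644 doc/man/cjdroute.conf.5 %{buildroot}%{_mandir}/man5
+cd contrib/doc
+for m in *.md; do
+case ${m%.md} in
+cjdroute|publictoip6|randombytes|makekeys|cjdns-online) M="1" ;;
+*) M="8" ;;
+esac
+ronn-nodejs $m >%{buildroot}%{_mandir}/man$M/${m%.md}.$M
+done
+cd -
+
+%if %{with_python}
+
+# install python tools that pull in networkx for graphing
+cp -pr contrib/python %{buildroot}%{_libexecdir}/cjdns
+
+# These files are installed via doc and license
+rm %{buildroot}%{_libexecdir}/cjdns/python/README.md
+rm %{buildroot}%{_libexecdir}/cjdns/python/cjdns-dynamic.conf
+rm %{buildroot}%{_libexecdir}/cjdns/python/cjdnsadmin/bencode.py.LICENSE.txt
+
+# symlink python tools w/o conflict with nodejs tools or needing networkx
+for t in pingAll.py trashroutes \
+getLinks ip6topk pktoip6 cjdnsa searches findnodes; do
+ln -sf %{_libexecdir}/cjdns/python/$t %{buildroot}%{_bindir}
+done
+
+# symlink python tools that pull in networkx for graphing
+for t in drawgraph dumpgraph graphStats; do
+ln -sf %{_libexecdir}/cjdns/python/$t %{buildroot}%{_bindir}
+done
+
+%endif
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license LICENSE
+%doc README.md README_*.md HACKING.md
+%attr(0100,root,root) /var/empty/cjdns
+%attr(0755,root,root) %{_sbindir}/cjdroute
+%ghost %attr(0600,root,root) %config(missingok,noreplace) %{_sysconfdir}/cjdroute.conf
+%dir %{_libexecdir}/cjdns
+%if %{use_upstart}
+%{_sysconfdir}/init/*
+%endif
+%if %{use_systemd}
+%{_unitdir}/*
+%endif
+%{_libexecdir}/cjdns/randombytes
+%{_libexecdir}/cjdns/publictoip6
+%{_libexecdir}/cjdns/privatetopublic
+%{_libexecdir}/cjdns/sybilsim
+%{_libexecdir}/cjdns/makekeys
+%{_bindir}/randombytes
+%{_bindir}/publictoip6
+%{_bindir}/makekeys
+%{_bindir}/cjdns-online
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+
+%pre
+getent group cjdns > /dev/null || groupadd -r cjdns
+getent passwd cjdns > /dev/null || /usr/sbin/useradd -g cjdns \
+-c "End to end encrypted IPv6 mesh" \
+-r -d %{_libexecdir}/cjdns -s /sbin/nologin cjdns
+exit 0
+
+%if %{use_systemd}
+
+%post
+%systemd_post cjdns.service
+
+%postun
+%systemd_postun_with_restart cjdns.service
+
+%preun
+%systemd_preun cjdns.service
+
+%endif
+
+%if %{use_upstart}
+
+%preun
+if [ "$1" -eq 0 ]; then
+/sbin/initctl stop cjdns
+fi
+
+%postun
+if [ "$1" -ge 1 ]; then
+/sbin/initctl restart cjdns
+fi
+
+%endif
+
+%files selinux
+%doc cjdns.te cjdns.fc
+%{_datadir}/selinux/targeted/*
+
+%post selinux
+/usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/cjdns.pp \
+&>/dev/null || :
+%{__restorecon} %{_sbindir}/cjdroute
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+/usr/sbin/semodule -s targeted -r cjdns &> /dev/null || :
+fi
+
+%files tools
+%if %{with_admin}
+%{_libexecdir}/cjdns/admin
+%endif
+%{_libexecdir}/cjdns/tools
+%{_libexecdir}/cjdns/node_build
+%{_libexecdir}/cjdns/node_modules
+%{_bindir}/peerStats
+%{_bindir}/sessionStats
+%{_bindir}/cjdnslog
+%{_bindir}/dumpRumorMill
+%{_bindir}/dumpLinks
+%{_bindir}/pathfinderTree
+%{_bindir}/dumptable
+%{_bindir}/pingAll
+%{_bindir}/search
+
+%files python
+%doc contrib/python/README.md contrib/python/cjdns-dynamic.conf
+%license contrib/python/cjdnsadmin/bencode.py.LICENSE.txt
+%dir %{_libexecdir}/cjdns/python
+%{_libexecdir}/cjdns/python/cexec
+%{_libexecdir}/cjdns/python/cjdnsadminmaker.py*
+%{_libexecdir}/cjdns/python/cjdnslog
+%{_libexecdir}/cjdns/python/dumptable
+%{_libexecdir}/cjdns/python/dynamicEndpoints.py*
+%{_libexecdir}/cjdns/python/peerStats
+%{_libexecdir}/cjdns/python/sessionStats
+%{_libexecdir}/cjdns/python/cjdnsadmin
+%{_libexecdir}/cjdns/python/pingAll.py*
+%{_libexecdir}/cjdns/python/trashroutes
+%{_libexecdir}/cjdns/python/getLinks
+%{_libexecdir}/cjdns/python/ip6topk
+%{_libexecdir}/cjdns/python/pktoip6
+%{_libexecdir}/cjdns/python/cjdnsa
+%{_libexecdir}/cjdns/python/searches
+%{_libexecdir}/cjdns/python/findnodes
+%{_bindir}/pingAll.py
+%{_bindir}/trashroutes
+%{_bindir}/getLinks
+%{_bindir}/ip6topk
+%{_bindir}/pktoip6
+%{_bindir}/cjdnsa
+%{_bindir}/searches
+%{_bindir}/findnodes
+
+%files graph
+%{_libexecdir}/cjdns/python/drawgraph
+%{_libexecdir}/cjdns/python/dumpgraph
+%{_libexecdir}/cjdns/python/graphStats
+%{_bindir}/drawgraph
+%{_bindir}/dumpgraph
+%{_bindir}/graphStats
+
+%changelog
+* Thu Mar 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-10
+- Mark nodejs and selinux noarch
+- Remove _isa from noarch subpackages.
+
+* Thu Mar 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-9
+- Strip /8 from IPs printed by cjdns-online
+- Add GPL3+ to cjdns-online
+- ghost /etc/cjdroute.conf
+- Include _isa formula in subpackage requires.
+
+* Tue Mar 8 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-8
+- Add release to main package dependencies
+- More man pages
+- Restore missing cjdns-resume.service
+- Add empty config to be owned by package
+
+* Tue Mar 1 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-7
+- Add explicit systemd dependency
+- Add selinux-policy-targeted dependency
+- Add version to main package dependencies
+- Remove use of #!/usr/bin/env in nodejs tools
+- Change all top level define to global
+- Remove workaround for missing -fPIC on libnacl for X86_64 on f22.
+
+* Mon Feb 29 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-6
+- Man pages
+- Move /usr/lib/cjdns to /usr/libexec/cjdns
+- Move all C tools to main package, mark (nodejs) tools noarch
+
+* Wed Feb 24 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-5
+- Add use_embedded option
+- Reorganize with use_systemd, use_upstart
+- Set __restorecon only if not defined
+- Use install instead of cp to set file modes
+- Move randombytes,publictoip6 and /usr/lib/cjdns to main package
+- Fix bad #! lines in contrib/python
+- Patch util/Security.c to call setgroups(0,...) before setuid().
+
+* Fri Feb 12 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-4
+- Add Fedora README
+- No libnacl on EL7 or EPEL7
+
+* Tue Feb 2 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-3
+- Add node_modules to tools
+- Add #pragmas to ignore bogus warnings from gcc6
+- Fix shift of signed int
+
+* Mon Feb 1 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-2
+- Fix extra line in updated sbin patch
+
+* Mon Feb 1 2016 Stuart D. Gathman <stuart@gathman.org> 17.3-1
+- New upstream release
+- Add cjdns-resume.service to restart cjdns on resume from sleep
+
+* Tue Jan 19 2016 Stuart D. Gathman <stuart@gathman.org> 17.2-1
+- New upstream release
+
+* Sat Nov 07 2015 Stuart D. Gathman <stuart@gathman.org> 17.1-3
+- remove defattr
+- TODO: generate default config at install time, not first start
+
+* Wed Nov 04 2015 Stuart D. Gathman <stuart@gathman.org> 17.1-2
+- use dynamic nacl library backported from rawhide
+
+* Tue Nov 03 2015 Stuart D. Gathman <stuart@gathman.org> 17.1-1
+- update to new protocol version
+
+* Tue Oct 27 2015 Stuart D. Gathman <stuart@gathman.org> 16.3-2
+- move graphing tools to graph subpackage: networkx has a lot of dependencies.
+- use embedded nacl only for i686 (which compiles it with -fPIC)
+
+* Fri Oct 16 2015 Stuart D. Gathman <stuart@gathman.org> 16.3-1
+- Allow hostname lookup in selinux policy
+- python tools subpackage
+
+* Sun Oct 4 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-6
+- restorecon after selinux install to initialize cjdroute context
+- remove module_request (to load tun driver) from selinux policy
+- make init scripts load tun driver
+
+* Sun Sep 27 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-5
+- Restart cjdroute on update, stop on uninstall
+- symlink selected tools to bin
+- use /var/empty/cjdns for chroot
+- patch genconf to change chroot and setuser
+
+* Wed Sep 23 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-4
+- Remove doc subpackage - only a meg of docs, and protocol is experimental.
+- Fix for RLIMIT_NPROC - setuid bug.
+- Add setgid to Security.c
+- add contrib/nodejs so tools work
+
+* Wed Sep 23 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-3
+- Add selinux, doc and tools subpackages
+- Support EL6
+
+* Mon Sep 21 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-2
+- nodejs not a runtime dependency of main package
+- move binaries to /usr/bin (good idea?)
+
+* Mon Sep 21 2015 Stuart D. Gathman <stuart@gathman.org> 16.0-1
+- Initial RPM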
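Review bot: In `%post selinux`, `&>/dev/null || :` throws away both the output and the exit status of `semodule -i`, so a policy module that fails to load leaves the subpackage installed with no message, and the `restorecon` on the next line runs regardless. cjdroute would then presumably start outside the confined cjdns_t domain while the administrator believes the policy is active. Keeping the scriptlet non-fatal is reasonable, but the failure should be visible, e.g. `/usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/cjdns.pp >/dev/null || echo "cjdns-selinux: policy module not loaded" >&2`. The removal in `%postun selinux` uses the same pattern.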
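--- /dev/null
+++ b/cjdns.warnings.patch
@@ -0,0 +1,65 @@
+diff -up ./dht/CJDHTConstants.h.warnings ./dht/CJDHTConstants.h
+--- ./dht/CJDHTConstants.h.warnings 2016-01-27 03:07:49.000000000 -0500
++++ ./dht/CJDHTConstants.h 2016-02-02 21:42:27.810535881 -0500
+@@ -17,7 +17,9 @@
+
+#include "benc/String.h"
+#include "util/version/Version.h"
+-
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wpragmas"
++#pragma GCC diagnostic ignored "-Wunused-const-variable"
+// Signifying that this message is a query and defining the query type.
+static String* const CJDHTConstants_QUERY = String_CONST_SO("q");
+
+@@ -61,5 +63,5 @@ static String* const CJDHTConstants_ENC_
+// Encoding scheme and index for the closest peer along the path.
+static String* const CJDHTConstants_PEER_ENC_SCHEME = String_CONST_SO("pes");
+static String* const CJDHTConstants_PEER_ENC_INDEX = String_CONST_SO("pei");
+-
++#pragma GCC diagnostic pop
+#endif
+diff -up ./node_build/dependencies/libuv/test/test-getsockname.c.warnings ./node_build/dependencies/libuv/test/test-getsockname.c
+--- ./node_build/dependencies/libuv/test/test-getsockname.c.warnings 2016-01-27 03:07:49.000000000 -0500
++++ ./node_build/dependencies/libuv/test/test-getsockname.c 2016-02-02 19:53:49.293769496 -0500
+@@ -18,7 +18,7 @@
+* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+* IN THE SOFTWARE.
+*/
+-
++#pragma GCC diagnostic ignored "-Wstrict-aliasing"
+#include "uv.h"
+#include "task.h"
+
+diff -up ./util/platform/netdev/NetPlatform_linux.c.warnings ./util/platform/netdev/NetPlatform_linux.c
+--- ./util/platform/netdev/NetPlatform_linux.c.warnings 2016-01-27 03:07:49.000000000 -0500
++++ ./util/platform/netdev/NetPlatform_linux.c 2016-02-02 19:53:49.293769496 -0500
+@@ -142,7 +142,7 @@ void NetPlatform_addAddress(const char*
+Except_throw(eh, "ioctl(SIOCSIFADDR) failed: [%s]", strerror(err));
+}
+
+- uint32_t x = ~0 << (32 - prefixLen);
++ uint32_t x = ~0U << (32 - prefixLen);
+x = Endian_hostToBigEndian32(x);
+memcpy(&sin.sin_addr, &x, 4);
+memcpy(&ifRequest.ifr_addr, &sin, sizeof(struct sockaddr_in));
+@@ -213,7 +213,7 @@ void NetPlatform_addRoute(const char* in
+struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
+memcpy(&sin.sin_addr.s_addr, address, 4);
+memcpy(&rt.rt_dst, &sin, sizeof(struct sockaddr));
+- sin.sin_addr.s_addr = Endian_hostToBigEndian32(~0 << (32 - prefixLen));
++ sin.sin_addr.s_addr = Endian_hostToBigEndian32(~0U << (32 - prefixLen));
+memcpy(&rt.rt_genmask, &sin, sizeof(struct sockaddr));
+rt.rt_dev = (char *) interfaceName;
+
+diff -up ./util/platform/Sockaddr.c.warnings ./util/platform/Sockaddr.c
+--- ./util/platform/Sockaddr.c.warnings 2016-01-27 03:07:49.000000000 -0500
++++ ./util/platform/Sockaddr.c 2016-02-02 19:53:49.294769524 -0500
+@@ -12,6 +12,7 @@
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
++#pragma GCC diagnostic ignored "-Wstrict-aliasing"
+#include "util/events/libuv/UvWrapper.h"
+#include "benc/String.h"
+#include "memory/Allocator.h"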
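Review bot: In the NetPlatform_linux.c hunks, `~0U << (32 - prefixLen)` is still undefined when prefixLen is 0, because the shift count then equals the width of the type; the expression appears in both NetPlatform_addAddress and NetPlatform_addRoute. Switching `~0` to `~0U` removes the signed left shift but not this case, and a /0 prefix is what a default route would pass; a prefixLen above 32 gives a negative count, which is undefined as well. Both function bodies start and end outside the hunks, so a range check may already exist earlier; if it does not, guard the mask, e.g. `uint32_t x = prefixLen ? ~0U << (32 - prefixLen) : 0;`, and reject values above 32 before this point.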