Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/close_socket_before_scripts.patch112
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch6
2 files changed, 94 insertions, 24 deletions
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
index 0b848a0..6e00c00 100644
--- a/debian/patches/close_socket_before_scripts.patch
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -1,32 +1,102 @@
-Description: Set socket's FD_CLOEXEC flag before calling up script
- Moving the set_cloexec() call from link_socket_init_phase2() to
- link_socket_init_phase1().
-Author: Julien Cristau <jcristau@debian.org>
-Bug-Debian: http://bugs.debian.org/367716
-
-Index: openvpn/src/openvpn/socket.c
-===================================================================
---- openvpn.orig/src/openvpn/socket.c 2016-11-21 09:58:03.562096178 +0100
-+++ openvpn/src/openvpn/socket.c 2016-11-21 10:01:20.143091482 +0100
-@@ -1625,6 +1625,10 @@
- }
- resolve_remote (sock, 1, NULL, NULL);
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -1499,7 +1499,6 @@ man_new_connection_post (struct management *man, const char *description)
+ struct gc_arena gc = gc_new ();
+
+ set_nonblock (man->connection.sd_cli);
+- set_cloexec (man->connection.sd_cli);
+
+ man_connection_settings_reset (man);
+
+@@ -1640,7 +1639,6 @@ man_listen (struct management *man)
+ * Set misc socket properties
+ */
+ set_nonblock (man->connection.sd_top);
+- set_cloexec (man->connection.sd_top);
+
+ #if UNIX_SOCK_SUPPORT
+ if (man->settings.flags & MF_UNIX_SOCK)
+--- a/src/openvpn/socket.c
++++ b/src/openvpn/socket.c
+@@ -771,6 +771,10 @@ create_socket_tcp (struct addrinfo* addrinfo)
+ }
+ #endif
+
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -815,6 +819,11 @@ create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags)
+ }
}
+ #endif
+
+ /* set socket file descriptor to not pass across execs, so that
+ scripts don't have access to it */
-+ set_cloexec (sock->sd);
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -968,6 +977,12 @@ socket_do_accept (socket_descriptor_t sd,
+ openvpn_close_socket (new_sd);
+ new_sd = SOCKET_UNDEFINED;
+ }
++ else
++ {
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++ }
+ return new_sd;
}
-
- static
-@@ -1677,10 +1681,6 @@
+
+@@ -1617,6 +1632,7 @@ link_socket_init_phase1 (struct link_socket *sock,
+ ASSERT (sock->info.proto != PROTO_TCP_CLIENT);
+ ASSERT (socket_defined (inetd_socket_descriptor));
+ sock->sd = inetd_socket_descriptor;
++ set_cloexec (sock->sd); /* not created by create_socket*() */
+ }
+ else if (mode != LS_MODE_TCP_ACCEPT_FROM)
+ {
+@@ -1677,13 +1693,6 @@ phase2_set_socket_flags (struct link_socket* sock)
/* set socket to non-blocking mode */
set_nonblock (sock->sd);
-
+
- /* set socket file descriptor to not pass across execs, so that
- scripts don't have access to it */
- set_cloexec (sock->sd);
-
- if (socket_defined (sock->ctrl_sd))
- set_cloexec (sock->ctrl_sd);
-
+- if (socket_defined (sock->ctrl_sd))
+- set_cloexec (sock->ctrl_sd);
+-
+ /* set Path MTU discovery options on the socket */
+ set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af);
+
+@@ -3476,6 +3485,11 @@ create_socket_unix (void)
+
+ if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0)
+ msg (M_ERR, "Cannot create unix domain socket");
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -3516,6 +3530,12 @@ socket_accept_unix (socket_descriptor_t sd,
+
+ CLEAR (*remote);
+ ret = accept (sd, (struct sockaddr *) remote, &remote_len);
++ if ( ret >= 0 )
++ {
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (ret);
++ }
+ return ret;
+ }
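Review bot: In the new `socket_do_accept` hunk the added else branch calls `set_cloexec (sd);` on the listening descriptor `sd` rather than on the freshly accepted `new_sd` that the function returns, so the accepted connection is still passed across execs to the scripts the comment says it should be hidden from; the line should read `set_cloexec (new_sd);`, matching `socket_accept_unix` in the same patch, which correctly flags `ret`. This matters more here than it would on its own because the same patch removes `set_cloexec (man->connection.sd_cli)` from man_new_connection_post, so if sd_cli is obtained through socket_do_accept (not visible in this hunk) the management client socket would end up with no FD_CLOEXEC at all. The body of socket_do_accept starts and ends outside the nested hunk. Separately, the rewritten patch drops the DEP-3 header (`Description:`, `Author:`, `Bug-Debian:`) that the previous version carried; restoring it keeps the patch's provenance and rationale documented.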
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
index eae8fe4..758a555 100644
--- a/debian/patches/openvpn-pkcs11warn.patch
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -3,9 +3,9 @@ Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
Bug-Debian: http://bugs.debian.org/475353
Index: openvpn/src/openvpn/options.c
===================================================================
---- openvpn.orig/src/openvpn/options.c 2016-11-21 09:53:53.100906016 +0100
-+++ openvpn/src/openvpn/options.c 2016-11-21 09:53:53.096905998 +0100
-@@ -6569,6 +6569,20 @@
+--- openvpn.orig/src/openvpn/options.c 2016-12-07 13:18:03.856865710 +0100
++++ openvpn/src/openvpn/options.c 2016-12-07 13:18:03.856865710 +0100
+@@ -6647,6 +6647,20 @@
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
}