Diffstat (limited to 'debian')
-rw-r--r-- | debian/openvpn@.service | 4 | ||||
-rw-r--r-- | debian/patches/fix-pkcs11-helper-hang.patch | 13 | ||||
-rw-r--r-- | debian/patches/kfreebsd_support.patch | 58 | ||||
-rw-r--r-- | debian/patches/series | 1 |
4 files changed, 40 insertions, 36 deletions
diff --git a/debian/openvpn@.service b/debian/openvpn@.service
index 7f0134b..da7adc7 100644
--- a/debian/openvpn@.service
+++ b/debian/openvpn@.service
@@ -17,8 +17,8 @@ ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10
 PIDFile=/run/openvpn/%i.pid
 KillMode=process
 ExecReload=/bin/kill -HUP $MAINPID
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=100
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
 ProtectSystem=true
diff --git a/debian/patches/fix-pkcs11-helper-hang.patch b/debian/patches/fix-pkcs11-helper-hang.patch
new file mode 100644
index 0000000..41d9be1
--- /dev/null
+++ b/debian/patches/fix-pkcs11-helper-hang.patch
@@ -0,0 +1,13 @@
+Index: openvpn/src/openvpn/pkcs11.c
+===================================================================
+--- openvpn.orig/src/openvpn/pkcs11.c
++++ openvpn/src/openvpn/pkcs11.c
+@@ -312,7 +312,7 @@ pkcs11_initialize(
+
+ pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
+
+- if ((rv = pkcs11h_setForkMode(TRUE)) != CKR_OK)
++ if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK)
+ {
+ msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
+ goto cleanup;
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
index 7780e0d..4e89f32 100644
--- a/debian/patches/kfreebsd_support.patch
+++ b/debian/patches/kfreebsd_support.patch
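Review bot: Both changed lines in the `openvpn@.service` hunk loosen the unit's sandbox, and neither carries a comment naming what needs it: `CAP_AUDIT_WRITE` is added to `CapabilityBoundingSet=` and `LimitNPROC=` goes from 10 to 100. `LimitNPROC=` sets RLIMIT_NPROC, which the kernel counts per real UID rather than per unit, so instances that drop to a shared account draw on one budget and the new figure may be hit again as instances are added; if a per-instance ceiling is what is wanted, `TasksMax=` expresses that directly. I would put a comment above each line, for example `# CAP_AUDIT_WRITE: required by <feature that writes audit records>` and `# LimitNPROC is per-UID, shared by all instances running as the same user`, so a later hardening pass knows what can be tightened again.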
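Review bot: The new `fix-pkcs11-helper-hang.patch` has no DEP-3 header, unlike `kfreebsd_support.patch` in the same directory, so nothing records which hang `pkcs11h_setForkMode(FALSE)` cures or where it was reported. The switch also matters beyond the hang: with fork mode off, pkcs11-helper presumably no longer prepares provider state across `fork()`, so it is worth confirming that token-backed keys still work after `--daemon` and in any forked helper, and recording the result in the header. Suggested header lines: `Description: <what hangs and why fork mode is disabled>`, `Bug-Debian: <bug URL>`, `Forwarded: <yes|no|URL>`. The patched call sits inside `pkcs11_initialize`, whose body starts and ends outside the inner hunk.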
@@ -1,11 +1,9 @@ Description: Improve kFreeBSD support Author: Gonéri Le Bouder <goneri@rulezlan.org> Bug-Debian: http://bugs.debian.org/626062 -Index: trunk/src/openvpn/route.c -=================================================================== ---- trunk.orig/src/openvpn/route.c -+++ trunk/src/openvpn/route.c -@@ -1693,7 +1693,7 @@ add_route(struct route_ipv4 *r, +--- a/src/openvpn/route.c ++++ b/src/openvpn/route.c +@@ -1693,7 +1693,7 @@ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed"); @@ -14,7 +12,7 @@ Index: trunk/src/openvpn/route.c argv_printf(&argv, "%s add", ROUTE_PATH); -@@ -1879,7 +1879,7 @@ add_route_ipv6(struct route_ipv6 *r6, co +@@ -1879,7 +1879,7 @@ network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); @@ -23,7 +21,7 @@ Index: trunk/src/openvpn/route.c || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) -@@ -2047,7 +2047,7 @@ add_route_ipv6(struct route_ipv6 *r6, co +@@ -2047,7 +2047,7 @@ argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed"); @@ -32,7 +30,7 @@ Index: trunk/src/openvpn/route.c argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, -@@ -2239,7 +2239,7 @@ delete_route(struct route_ipv4 *r, +@@ -2239,7 +2239,7 @@ argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed"); @@ -41,7 +39,7 @@ Index: trunk/src/openvpn/route.c argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, -@@ -2346,7 +2346,7 @@ delete_route_ipv6(const struct route_ipv +@@ -2346,7 +2346,7 @@ network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); 
@@ -50,7 +48,7 @@ Index: trunk/src/openvpn/route.c || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) -@@ -2481,7 +2481,7 @@ delete_route_ipv6(const struct route_ipv +@@ -2481,7 +2481,7 @@ argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed"); @@ -59,7 +57,7 @@ Index: trunk/src/openvpn/route.c argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, -@@ -3532,7 +3532,8 @@ done: +@@ -3532,7 +3532,8 @@ #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ @@ -69,20 +67,18 @@ Index: trunk/src/openvpn/route.c #include <sys/types.h> #include <sys/socket.h> -Index: trunk/src/openvpn/tun.c -=================================================================== ---- trunk.orig/src/openvpn/tun.c -+++ trunk/src/openvpn/tun.c -@@ -845,7 +845,7 @@ delete_route_connected_v6_net(struct tun +--- a/src/openvpn/tun.c ++++ b/src/openvpn/tun.c +@@ -845,7 +845,7 @@ #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */ #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ -- || defined(TARGET_OPENBSD) -+ || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__) +- || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) ++ || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__) /* we can't use true subnet mode on tun on all platforms, as that * conflicts with IPv6 (wants to use ND then, which we don't do), * but the OSes want "a remote address that is different from ours" -@@ -1414,7 +1414,7 @@ do_ifconfig(struct tuntap *tt, +@@ -1429,7 +1429,7 @@ add_route_connected_v6_net(tt, es); } @@ -91,7 +87,7 @@ Index: trunk/src/openvpn/tun.c in_addr_t remote_end; /* for "virtual" subnet topology */ -@@ -2770,7 +2770,7 @@ read_tun(struct tuntap *tt, uint8_t *buf +@@ -2785,7 +2785,7 @@ } } 
@@ -100,11 +96,9 @@ Index: trunk/src/openvpn/tun.c static inline int freebsd_modify_read_write_return(int len) -Index: trunk/src/openvpn/lladdr.c -=================================================================== ---- trunk.orig/src/openvpn/lladdr.c -+++ trunk/src/openvpn/lladdr.c -@@ -50,7 +50,7 @@ set_lladdr(const char *ifname, const cha +--- a/src/openvpn/lladdr.c ++++ b/src/openvpn/lladdr.c +@@ -50,7 +50,7 @@ "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr); @@ -113,10 +107,8 @@ Index: trunk/src/openvpn/lladdr.c argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, -Index: trunk/src/openvpn/syshead.h -=================================================================== ---- trunk.orig/src/openvpn/syshead.h -+++ trunk/src/openvpn/syshead.h +--- a/src/openvpn/syshead.h ++++ b/src/openvpn/syshead.h @@ -297,7 +297,7 @@ #endif /* TARGET_OPENBSD */ @@ -126,11 +118,9 @@ Index: trunk/src/openvpn/syshead.h #ifdef HAVE_SYS_UIO_H #include <sys/uio.h> -Index: trunk/src/openvpn/ssl.c -=================================================================== ---- trunk.orig/src/openvpn/ssl.c -+++ trunk/src/openvpn/ssl.c -@@ -2265,7 +2265,7 @@ push_peer_info(struct buffer *buf, struc +--- a/src/openvpn/ssl.c ++++ b/src/openvpn/ssl.c +@@ -2270,7 +2270,7 @@ buf_printf(&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) buf_printf(&out, "IV_PLAT=netbsd\n"); diff --git a/debian/patches/series b/debian/patches/series index a903d3d..8b19c3d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ kfreebsd_support.patch match-manpage-and-command-help.patch spelling_errors.patch systemd.patch +fix-pkcs11-helper-hang.patch |