From 6d7e7fa28868e1eb2954cfd03fa1a882e6cb739c Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: May 23 2014 09:33:18 +0000
Subject: Update to 0.12 version - Drop merged patches - Drop downstream files (systemd, dispatcher scripts)
Signed-off-by: Tomas Hozza
---
diff --git a/.gitignore b/.gitignore
index b7a7a8d..6888079 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /dnssec-trigger-0.9.tar.gz
 /dnssec-trigger-0.10.tar.gz
 /dnssec-trigger-0.11.tar.gz
+/dnssec-trigger-0.12.tar.gz
diff --git a/01-dnssec-trigger-hook b/01-dnssec-trigger-hook
deleted file mode 100755
index 858af2e..0000000
--- a/01-dnssec-trigger-hook
+++ /dev/null
@@ -1,550 +0,0 @@
-#!/usr/bin/python2
-# -*- coding: utf-8 -*-
-"""
-@author: Tomas Hozza
-"""
-
-from gi.repository import NMClient
-import socket
-import struct
-import subprocess
-import os
-import os.path
-import syslog
-import sys
-
-
-# DO NOT CHANGE THE VALUE HERE, CHANGE IT IN **DNSSEC_CONF** file
-DEFAULT_VALIDATE_FORWARD_ZONES = True
-DEFAULT_ADD_WIFI_PROVIDED_ZONES = False
-
-STATE_DIR = "/var/run/dnssec-trigger"
-DNSSEC_CONF = "/etc/dnssec.conf"
-
-UNBOUND = "/usr/sbin/unbound"
-UNBOUND_CONTROL = "/usr/sbin/unbound-control"
-DNSSEC_TRIGGER = "/usr/sbin/dnssec-triggerd"
-DNSSEC_TRIGGER_CONTROL = "/usr/sbin/dnssec-trigger-control"
-PIDOF = "/usr/sbin/pidof"
-
-
-class FZonesConfig:
-
- """
- Class representing dnssec-trigger script forward zones behaviour
- configuration.
- """
-
- def __init__(self):
- self.validate_fzones = DEFAULT_VALIDATE_FORWARD_ZONES
- self.add_wifi_zones = DEFAULT_ADD_WIFI_PROVIDED_ZONES
-
-
-class ActiveConnection:
-
- """
- Simple class representing NM Active Connection with information relevant
- for this script.
- """
-
- TYPE_WIFI = "WIFI"
- TYPE_VPN = "VPN"
- TYPE_OTHER = "OTHER"
-
- def __init__(self):
- self.type = self.TYPE_OTHER
- self.is_default = False
- self.nameservers = []
- self.domains = []
- self.uuid = ""
- pass
-
- def __str__(self):
- string = "UUID: " + self.get_uuid() + "\n"
- string += "TYPE: " + str(self.get_type()) + "\n"
- string += "DEFAULT: " + str(self.get_is_default()) + "\n"
- string += "NS: " + str(self.get_nameservers()) + "\n"
- string += "DOMAINS: " + str(self.get_domains())
- return string
-
- def get_uuid(self):
- return self.uuid
-
- def get_type(self):
- return self.type
-
- def get_is_default(self):
- return self.is_default
-
- def get_nameservers(self):
- return self.nameservers
-
- def get_domains(self):
- return self.domains
-
- def set_uuid(self, uuid=""):
- self.uuid = uuid
-
- def set_type(self, conn_type=TYPE_OTHER):
- if conn_type == self.TYPE_VPN:
- self.type = self.TYPE_VPN
- elif conn_type == self.TYPE_WIFI:
- self.type = self.TYPE_WIFI
- else:
- self.type = self.TYPE_OTHER
-
- def set_is_default(self, is_default=True):
- self.is_default = is_default
-
- def set_nameservers(self, servers=[]):
- self.nameservers = servers
-
- def set_domains(self, domains=[]):
- self.domains = domains
-
-
-def ip4_to_str(ip4):
- """
- Converts IPv4 address from integer to string.
- """
- return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4))
-
-
-def ip6_to_str(ip6):
- """
- Converts IPv6 address from integer to string.
- """
- addr_struct = ip6
- return socket.inet_ntop(socket.AF_INET6, addr_struct)
-
-
-def get_fzones_settings_from_conf(conf_file=""):
- """
- Reads the forward zones behaviour config from file.
- """
- config = FZonesConfig()
-
- try:
- with open(conf_file, "r") as f:
- lines = [l.strip()
- for l in f.readlines() if l.strip() and not l.strip().startswith("#")]
- for line in lines:
- option_line = line.split("=")
- if option_line:
- if option_line[0].strip() == "validate_connection_provided_zones":
- if option_line[1].strip() == "yes":
- config.validate_fzones = True
- else:
- config.validate_fzones = False
- elif option_line[0].strip() == "add_wifi_provided_zones":
- if option_line[1].strip() == "yes":
- config.add_wifi_zones = True
- else:
- config.add_wifi_zones = False
- except IOError:
- # we don't mind if the config file does not exist
- pass
-
- return config
-
-
-def get_nm_active_connections():
- """
- Process Active Connections from NM and return list of ActiveConnection
- objects. Active Connections from NM without nameservers are ignored.
- """
- result = []
- client = NMClient.Client()
- ac = client.get_active_connections()
-
- for connection in ac:
- new_connection = ActiveConnection()
-
- # get the UUID
- new_connection.set_uuid(connection.get_uuid())
-
- # Find out if the ActiveConnection is VPN, WIFI or OTHER
- try:
- connection.get_vpn_state()
- except AttributeError:
- # We don't need to change anything
- pass
- else:
- new_connection.set_type(ActiveConnection.TYPE_VPN)
-
- # if the connection is NOT VPN, then check if it's WIFI
- if new_connection.get_type() != ActiveConnection.TYPE_VPN:
- try:
- device_type = connection.get_devices()[
- 0].get_device_type().value_name
- except IndexError:
- # if there is no device for a connection, the connection
- # is going down so ignore it...
- continue
- except AttributeError:
- # We don't need to change anything
- pass
- else:
- if device_type == "NM_DEVICE_TYPE_WIFI":
- new_connection.set_type(ActiveConnection.TYPE_WIFI)
-
- # Finc out if default connection for IP4 or IP6
- if connection.get_default() or connection.get_default6():
- new_connection.set_is_default(True)
- else:
- new_connection.set_is_default(False)
-
- # Get nameservers (IP4 + IP6)
- ips = []
- try:
- ips4_int = connection.get_ip4_config().get_nameservers()
- except AttributeError:
- # we don't mind if there are no IP4 nameservers
- pass
- else:
- for ip4 in ips4_int:
- ips.append(ip4_to_str(ip4))
- try:
- num = connection.get_ip6_config().get_num_nameservers()
- for i in range(0,num):
- ips.append(ip6_to_str(connection.get_ip6_config().get_nameserver(i)))
- except AttributeError:
- # we don't mind if there are no IP6 nameservers
- pass
- new_connection.set_nameservers(ips)
-
- # Get domains (IP4 + IP6)
- domains = []
- try:
- domains.extend(connection.get_ip4_config().get_domains())
- except AttributeError:
- # we don't mind if there are no IP6 domains
- pass
- try:
- domains.extend(connection.get_ip6_config().get_domains())
- except AttributeError:
- # we don't mind if there are no IP6 domains
- pass
- new_connection.set_domains(domains)
-
- # If there are no nameservers in the connection, it is useless
- if new_connection.get_nameservers():
- result.append(new_connection)
-
- return result
-
-
-def is_running(binary=""):
- """
- Checks if the given binary is running.
- """
- if binary:
- sp = subprocess.Popen(PIDOF + " " + binary,
- stdout=subprocess.PIPE,
- stderr=open(os.devnull, "wb"),
- shell=True)
- sp.wait()
- if sp.returncode == 0:
- # pidof returns "0" if at least one program with the name runs
- return True
- return False
-
-
-def dnssec_trigger_set_global_ns(servers=[]):
- """
- Configures global nameservers into dnssec-trigger.
- """
- if servers:
- servers_list = " ".join(servers)
- ret = subprocess.call(
- DNSSEC_TRIGGER_CONTROL + " submit " + servers_list,
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- if ret == 0:
- syslog.syslog(
- syslog.LOG_INFO, "Global forwarders added: " + servers_list)
- else:
- syslog.syslog(
- syslog.LOG_ERR, "Global forwarders NOT added: " + servers_list)
-
-
-def unbound_add_forward_zone(domain="", servers=[], secure=DEFAULT_VALIDATE_FORWARD_ZONES):
- """
- Adds a forward zone into the unbound.
- """
- if domain and servers:
- servers_list = " ".join(servers)
- # build the command
- cmd = UNBOUND_CONTROL + " forward_add"
- if not secure:
- cmd += " +i"
- cmd += " " + domain + " " + servers_list
- # Add the forward zone
- ret = subprocess.call(cmd,
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- # Flush cache
- subprocess.call(UNBOUND_CONTROL + " flush_zone " + domain,
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- subprocess.call(UNBOUND_CONTROL + " flush_requestlist",
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
-
- if secure:
- validated = "(DNSSEC validated)"
- else:
- validated = "(*NOT* DNSSEC validated)"
-
- if ret == 0:
- syslog.syslog(
- syslog.LOG_INFO, "Added " + validated + " connection provided forward zone '" + domain + "' with NS: " + servers_list)
- else:
- syslog.syslog(
- syslog.LOG_ERR, "NOT added connection provided forward zone '" + domain + "' with NS: " + servers_list)
-
-
-def unbound_del_forward_zone(domain="", secure=DEFAULT_VALIDATE_FORWARD_ZONES):
- """
- Deletes a forward zone from the unbound.
- """
- if domain:
- cmd = UNBOUND_CONTROL + " forward_remove"
- if not secure:
- cmd += " +i"
- cmd += " " + domain
- # Remove the forward zone
- ret = subprocess.call(cmd,
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- # Flush cache
- subprocess.call(UNBOUND_CONTROL + " flush_zone " + domain,
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- subprocess.call(UNBOUND_CONTROL + " flush_requestlist",
- stdout=open(os.devnull, "wb"),
- stderr=subprocess.STDOUT,
- shell=True)
- if ret == 0:
- syslog.syslog(
- syslog.LOG_INFO, "Removed connection provided forward zone '" + domain + "'")
- else:
- syslog.syslog(
- syslog.LOG_ERR, "NOT removed connection provided forward zone '" + domain + "'")
-
-
-def unbound_get_forward_zones():
- """
- Returns list of currently configured forward zones from the unbound.
- """
- zones = []
- # get all configured forward zones
- sp = subprocess.Popen(UNBOUND_CONTROL + " list_forwards",
- stdout=subprocess.PIPE,
- stderr=open(os.devnull, "wb"),
- shell=True)
-
- sp.wait()
-
- if sp.returncode == 0:
- for line in sp.stdout.readlines():
- zones.append(line.strip().split(" ")[0][:-1])
-
- return zones
-
-##############################################################################
-
-
-def append_fzone_to_file(uuid="", zone=""):
- """
- Append forward zones from connection with UUID to the disk file.
- """
- if uuid and zone:
- with open(os.path.join(STATE_DIR, uuid), "a") as f:
- f.write(zone + "\n")
-
-
-def write_fzones_to_file(uuid="", zones=[]):
- """
- Write forward zones from connection with UUID to the disk file.
- """
- if uuid and zones:
- with open(os.path.join(STATE_DIR, uuid), "w") as f:
- for zone in zones:
- f.write(zone + "\n")
-
-
-def get_fzones_from_file(uuid=""):
- """
- Gets all zones from a file with specified UUID name din STATE_DIR
- """
- zones = []
- if uuid:
- with open(os.path.join(STATE_DIR, uuid), "r") as f:
- zones = [line.strip() for line in f.readlines()]
- return zones
-
-
-def get_fzones_from_disk():
- """
- Gets all forward zones from the disk STATE_DIR.
- Return a dict of "zone" : "connection UUID"
- """
- zones = {}
- conn_files = os.listdir(STATE_DIR)
- for uuid in conn_files:
- for zone in get_fzones_from_file(uuid):
- zones[zone] = uuid
- return zones
-
-
-def del_all_fzones_from_file(uuid="", secure=DEFAULT_VALIDATE_FORWARD_ZONES):
- """
- Removes all forward zones contained in file with UUID name in STATE_DIR.
- """
- if uuid:
- with open(os.path.join(STATE_DIR, uuid), "r") as f:
- for line in f.readlines():
- unbound_del_forward_zone(line.strip(), secure)
-
-
-def del_fzones_for_nonexisting_conn(ac=[], secure=DEFAULT_VALIDATE_FORWARD_ZONES):
- """
- Removes all forward zones contained in file (in STATE_DIR) for non-existing
- active connections.
- """
- ac_uuid_list = [conn.get_uuid() for conn in ac]
- conn_files = os.listdir(STATE_DIR)
- # Remove all non-existing connections zones
- for uuid in conn_files:
- if uuid not in ac_uuid_list:
- # remove all zones from the file
- del_all_fzones_from_file(uuid, secure)
- # remove the file
- os.unlink(os.path.join(STATE_DIR, uuid))
-
-
-def del_fzone_from_file(uuid="", zone=""):
- """
- Deletes a zone from file and writes changes into it. If there are no zones
- left, the file is deleted.
- """
- if uuid and zone:
- zones = get_fzones_from_file(uuid)
- zones.remove(zone)
- if zones:
- write_fzones_to_file(uuid, zones)
- else:
- os.unlink(os.path.join(STATE_DIR, uuid))
-
-
-##############################################################################
-
-
-def configure_global_forwarders(active_connections=[]):
- """
- Configure global forwarders using dnssec-trigger-control
- """
- # get only default connections
- default_conns = filter(lambda x: x.get_is_default(), active_connections)
- # get forwarders from default connections
- default_forwarders = []
- for conn in default_conns:
- default_forwarders.extend(conn.get_nameservers())
-
- if default_forwarders:
- dnssec_trigger_set_global_ns(default_forwarders)
-
-##############################################################################
-
-
-def configure_forward_zones(active_connections=[], fzones_config=None):
- """
- Configures forward zones in the unbound using unbound-control.
- """
- # Filter out WIFI connections if desirable
- if not fzones_config.add_wifi_zones:
- connections = filter(
- lambda x: x.get_type() != ActiveConnection.TYPE_WIFI, active_connections)
- else:
- connections = active_connections
- # If validate forward zones
- secure = fzones_config.validate_fzones
-
- # Filter active connections with domain(s)
- conns_with_domains = filter(lambda x: x.get_domains(), connections)
- fzones_from_ac = {}
- # Construct dict of domain -> active connection
- for conn in conns_with_domains:
- # iterate through all domains in the active connection
- for domain in conn.get_domains():
- # if there is already such a domain
- if domain in fzones_from_ac:
- # if the "conn" is VPN and the conn for existing domain is not
- if fzones_from_ac[domain].get_type() != ActiveConnection.TYPE_VPN and conn.get_type() == ActiveConnection.TYPE_VPN:
- fzones_from_ac[domain] = conn
- # if none of there connections are VPNs or both are VPNs,
- # prefer the default one
- elif not
fzones_from_ac[domain].get_is_default() and conn.get_is_default():
- fzones_from_ac[domain] = conn
- else:
- fzones_from_ac[domain] = conn
-
- # Remove all zones which connection UUID does not match any existing AC
- del_fzones_for_nonexisting_conn(conns_with_domains, secure)
-
- # Remove all zones which connection UUID is different than the current AC
- # UUID for the zone
- fzones_from_disk = get_fzones_from_disk()
- for zone, uuid in fzones_from_disk.iteritems():
- connection = fzones_from_ac[zone]
- # if the AC UUID is NOT the same as from the disk, remove the zone
- if connection.get_uuid() != uuid:
- unbound_del_forward_zone(zone, secure)
- del_fzone_from_file(uuid, zone)
-
- # get zones from unbound and delete them from fzones_from_ac
- # there may be zones manually configured in unbound.conf and we
- # don't want to replace them
- unbound_zones = unbound_get_forward_zones()
- for zone in unbound_zones:
- try:
- del fzones_from_ac[zone]
- except KeyError:
- # we don't mind if there is no such zone
- pass
-
- # Add forward zones that are not already configured
- fzones_from_disk = get_fzones_from_disk()
- for zone, connection in fzones_from_ac.iteritems():
- if zone not in fzones_from_disk:
- unbound_add_forward_zone(
- zone, connection.get_nameservers(), secure)
- append_fzone_to_file(connection.get_uuid(), zone)
-
-
-##############################################################################
-
-
-if __name__ == "__main__":
- if not is_running(DNSSEC_TRIGGER):
- syslog.syslog(syslog.LOG_ERR, "dnssec-triggerd daemon is not running!")
- sys.exit(1)
- if not is_running(UNBOUND):
- syslog.syslog(syslog.LOG_ERR, "unbound server daemon is not running!")
- sys.exit(1)
-
- fzones_config = get_fzones_settings_from_conf(DNSSEC_CONF)
-
- # Get all actove connections from NM
- ac = get_nm_active_connections()
- # Configure global forwarders
- configure_global_forwarders(ac)
- # Configure forward zones
- configure_forward_zones(ac, fzones_config)
diff --git a/dnssec-trigger-0.11-coverity_scan.patch b/dnssec-trigger-0.11-coverity_scan.patch deleted file mode 100644 index 30a70e3..0000000 --- a/dnssec-trigger-0.11-coverity_scan.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b6e3deeef71a78c575d6e169d007956c02abc5da Mon Sep 17 00:00:00 2001 -From: wouter -Date: Mon, 26 Aug 2013 08:41:03 +0000 -Subject: [PATCH] - Fix#522: Errors found by static analysis of source from - Tomas Hozza. - -git-svn-id: http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk@649 14dc9c71-5cc2-e011-b339-0019d10b89f4 ---- - riggerd/riggerd.c | 1 + - riggerd/update.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/riggerd/riggerd.c b/riggerd/riggerd.c -index dc61216..ef46691 100644 ---- a/riggerd/riggerd.c -+++ b/riggerd/riggerd.c -@@ -110,6 +110,7 @@ static RETSIGTYPE record_sigh(int sig) - #ifdef SIGHUP - case SIGHUP: - sig_reload = 1; -+ /* fall through and exit commbase with reload boolean set */ - #endif - case SIGTERM: - #ifdef SIGQUIT -diff --git a/riggerd/update.c b/riggerd/update.c -index 437f981..dff5380 100644 ---- a/riggerd/update.c -+++ b/riggerd/update.c -@@ -573,6 +573,7 @@ selfupdate_write_file(struct selfupdate* se, struct http_get* hg) - out)) { - log_err("cannot write to file %s: %s", se->download_file, - strerror(errno)); -+ fclose(out); - goto fail; - } - fclose(out); --- -1.8.3.1 - diff --git a/dnssec-trigger-0.11-improve_dialog_texts.patch b/dnssec-trigger-0.11-improve_dialog_texts.patch deleted file mode 100644 index 360bfef..0000000 --- a/dnssec-trigger-0.11-improve_dialog_texts.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From d01ec0b07d425580cf3dcf7246ec807dbcf1aa5e Mon Sep 17 00:00:00 2001 -From: Tomas Hozza -Date: Fri, 15 Nov 2013 10:44:45 +0100 -Subject: [PATCH] Improve texts in dialogs to be more clear - -Improve texts in Hotspot sing-on dialog and also -some dialogs labels and pop-up panel button label, -to describe the situation more clearly. - -Changes are proposed and reviewed by Red Hat -Documentation Team. - -Signed-off-by: Tomas Hozza ---- - panel/pui.xml | 48 +++++++++++++++++++++++++++--------------------- - 1 file changed, 27 insertions(+), 21 deletions(-) - -diff --git a/panel/pui.xml b/panel/pui.xml -index 4915d83..f1051b2 100644 ---- a/panel/pui.xml -+++ b/panel/pui.xml -@@ -4,7 +4,7 @@ - - False - 5 -- Hotspot Signon -+ Disable DNSSEC for Hotspot Sign On - dialog - - -@@ -16,10 +16,15 @@ - - True - False -- Some networks need insecure signon. After you log in to the --network via its portal page, select <i>Reprobe</i> to get secure again. -+ Some networks, such as Hotspots, require you to sign on, or register, -+before allowing full network access. By clicking <i>OK</i>, DNSSEC will be -+disabled to allow you to connect to the captive portal's sign-on -+page. After you have signed on and full network access has been enabled, -+DNSSEC-trigger should detect this and enable DNSSEC again. You can also -+select <i>Reprobe</i> to attempt to establish a secure connection to a DNSSEC -+capable name server. - --<i>Please, stay safe out there.</i> -+<i>A red exclamation mark in the icon warns you when DNSSEC is disabled.</i> - True - - -@@ -138,10 +143,10 @@ network via its portal page, select <i>Reprobe</i> to get secure aga - - True - False -- There is no web access on this network. Do you have to login for that? -+ There is no access to external websites from this network. Do you have to login for that? - --While you login you are <i>insecure</i>, for backwards compatibility, until --dnssec-trigger can detect web access. 
-+When you select <i>Log in</i>, DNSSEC will be disabled for backwards compatibility reasons, until -+DNSSEC-trigger can detect web access. - - <i>Skip</i> this if you do not have to log in on this network. - True -@@ -162,7 +167,7 @@ dnssec-trigger can detect web access. - - False - 5 -- probe dnssec results -+ Results of DNSSEC probe - 400 - 280 - normal -@@ -251,7 +256,7 @@ dnssec-trigger can detect web access. - True - False - False -- Hotspot signon -+ Hotspot sign-on - True - - -@@ -331,28 +336,29 @@ dnssec-trigger can detect web access. - - True - False -- <b>The Network Fails to Support DNSSEC</b> -+ <b>This Network Fails to Support DNSSEC</b> - --The network you are connected to does not allow DNSSEC, via --the provided DNS caches, nor via contacting servers on the --internet directly (it filters traffic to this end). It is not possible --to provide DNSSEC security, but you can connect insecurely. -+The network you are connected to does not allow DNS Security -+Extensions (DNSSEC) via the provided DNS caches, nor via contacting -+DNS name servers on the Internet directly (it filters traffic -+to this end). It is not possible to provide DNSSEC, but you can -+connect insecurely. - - Do you want to connect insecurely? - --* if you choose <b>Disconnect</b> then DNS is disabled. It is safe, --but there is very little that works. -+* if you choose <b>Disconnect</b> then DNS is disabled. -+It is safe, but there is very little that works. - --* if you choose <b>Insecure</b> then the DNSSEC security is lost. -+* if you choose <b>Insecure</b> then DNSSEC is disabled and security is lost. - You can connect and work. But there is no safety. The network - interferes with DNSSEC, it may also interfere with other things. - Have caution and work with sensitive personal and financial - things some other time. - --Some hotspots may work after you have gained access via --its signon page. Then use <i>Reprobe</i> from the menu to retry. 
-+Some Hotspots may work after you have gained access via -+its sign-on page. Then use <i>Reprobe</i> from the menu to retry. - --<i>Stay safe out there!</i> -+<i>A red exclamation mark in the icon warns you when DNSSEC is disabled.</i> - True - - -@@ -383,7 +389,7 @@ its signon page. Then use <i>Reprobe</i> from the menu to retry. - - True - False -- There is a software update available for dnssec-trigger. -+ There is a software update available for DNSSEC-trigger. - Do you wish to install the update? - True - --- -1.8.3.1 - diff --git a/dnssec-trigger-0.11-nl489.patch b/dnssec-trigger-0.11-nl489.patch deleted file mode 100644 index 7af6ab3..0000000 --- a/dnssec-trigger-0.11-nl489.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in.nl489 dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in ---- dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in.nl489 2013-03-04 18:48:38.606852783 +0100 -+++ dnssec-trigger-0.11/panel/dnssec-trigger-panel.desktop.in 2013-03-04 18:48:46.838834610 +0100 -@@ -8,7 +8,7 @@ Comment=Shows DNS state and warning dial - Exec=0bindir0/dnssec-trigger - Icon=0uidir0/status-icon.png - Terminal=false --Categories=Application;Utility; -+Categories=Utility; - X-KDE-StartupNotify=false - StartupNotify=false - diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec index 0f1ab6c..051a0ba 100644 --- a/dnssec-trigger.spec +++ b/dnssec-trigger.spec 
@@ -1,29 +1,16 @@
-global _hardened_build 1
+%global _hardened_build 1
 Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving
 Name: dnssec-trigger
-Version: 0.11
-Release: 21%{?dist}
+Version: 0.12
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
-Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
-Source1:dnssec-triggerd.service
-Source2: dnssec-triggerd-keygen.service
-Source3: dnssec-trigger.conf
-# Latest NM dispatcher hook from upstream SVN
-# http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/contrib/01-dnssec-trigger-hook-new_nm
-Source4: 01-dnssec-trigger-hook
-Source5: dnssec-trigger.tmpfiles.d
-Source6: dnssec-triggerd-resolvconf-handle.sh
-Source7: dnssec-triggerd-resolvconf-handle.service
-# http://www.nlnetlabs.nl/svn/dnssec-trigger/trunk/contrib/dnssec.conf.sample
-# we turned the validation of forward zones off, to not break existing installations.
-Source8: dnssec.conf.sample
-Patch1: dnssec-trigger-0.11-improve_dialog_texts.patch
-Patch2: dnssec-trigger-842455.patch
-# https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=489
-Patch3: dnssec-trigger-0.11-nl489.patch
-Patch4: dnssec-trigger-0.11-coverity_scan.patch
+Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
+Source1: dnssec-trigger.conf
+Source2: dnssec-trigger.tmpfiles.d
+
+Patch1: dnssec-trigger-842455.patch
 Requires(postun): initscripts
 Requires: ldns >= 1.6.10, NetworkManager, NetworkManager-glib, unbound, xdg-utils
@@ -48,42 +35,31 @@ dnssec-trigger-applet the option to go with insecure DNS only.
 # Fixup the name to not include "panel" in the menu item or name
 sed -i "s/ Panel//" panel/dnssec-trigger-panel.desktop.in
 sed -i "s/-panel//" panel/dnssec-trigger-panel.desktop.in
-# NM has no /usr/sbin in path
-sed -i "s/^dnssec-trigger-control/\/usr\/sbin\/dnssec-trigger-control/" 01-dnssec-trigger-hook.sh.in
-# change some text in the popups
+
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+
 # change default RSA key between deamon/control from 1536 to 3072
 sed -i "s/BITS=1536/BITS=3072/" dnssec-trigger-control-setup.sh.in
+# don't use DNSSEC for forward zones for now
+sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf
 %build
-%configure --with-keydir=/etc/dnssec-trigger
+%configure --with-keydir=/etc/dnssec-trigger --with-hooks=networkmanager
 %{__make} %{?_smp_mflags}
 %install
 rm -rf %{buildroot}
 %{__make} DESTDIR=%{buildroot} install
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}d.service
-install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}d-keygen.service
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}/
 mkdir -p %{buildroot}%{_libexecdir}
-install -m 0755 %{SOURCE6} %{buildroot}%{_libexecdir}/%{name}d-resolvconf-handle.sh
-install -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/%{name}d-resolvconf-handle.service
 desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop
-# overwrite the stock NM hook since there is new and improved one in upstream SVN contrib/
-install -p -m 0755 %{SOURCE4} %{buildroot}/%{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook
-# install the /etc/dnssec.conf
-install -p -m 0644 %{SOURCE8} %{buildroot}/%{_sysconfdir}/dnssec.conf
-
 # install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir
 mkdir -p
%{buildroot}%{_tmpfilesdir}
-install -m 644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
+install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
 # we must create the /var/run/dnssec-trigger directory
 mkdir -p %{buildroot}%{_localstatedir}/run
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
@@ -106,10 +82,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %doc README LICENSE
 %{_unitdir}/%{name}d.service
 %{_unitdir}/%{name}d-keygen.service
-%{_unitdir}/%{name}d-resolvconf-handle.service
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger-hook
+%attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/xdg/autostart/dnssec-trigger-panel.desktop
@@ -118,7 +93,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/dnssec-trigger-panel
 %{_bindir}/dnssec-trigger
 %{_sbindir}/dnssec-trigger*
-%{_libexecdir}/%{name}d-resolvconf-handle.sh
+%{_libexecdir}/dnssec-trigger-script
 %{_mandir}/*/*
 %attr(0755,root,root) %dir %{_datadir}/%{name}
 %attr(0644,root,root) %{_datadir}/%{name}/*
@@ -140,6 +115,11 @@ fi
 %systemd_postun_with_restart %{name}d.service
 %changelog
+* Fri May 23 2014 Tomas Hozza - 0.12-1
+- Update to 0.12 version
+- Drop merged patches
+- Drop downstream files (systemd, dispatcher scripts)
+
 * Tue May 13 2014 Paul Wouters - 0.11-21
 - Enable full hardening (includig PIE)
 - Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
diff --git a/dnssec-triggerd-keygen.service b/dnssec-triggerd-keygen.service
deleted file mode 100644
index 749ce57..0000000
--- a/dnssec-triggerd-keygen.service
+++ /dev/null
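Review bot: The new `sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf` in the @@ -48 hunk is unanchored and silently becomes a no-op if upstream's dnssec.conf ever changes that line, so the packaged default would flip to DNSSEC-validating connection-provided forward zones without anyone noticing, which is exactly the behaviour change the "for now" comment is trying to avoid for users behind non-validating forwarders. Guard it so the build fails instead of drifting, e.g. `grep -q '^validate_connection_provided_zones=yes' dnssec.conf` on the line before and `sed -i 's/^validate_connection_provided_zones=yes/validate_connection_provided_zones=no/' dnssec.conf`. The comment above it would also be clearer stating the trade-off, e.g. `# forward zones learned from connections are used without DNSSEC validation, to not break existing installations`, which is the rationale the dropped Source8 comment carried. Separately, the retained `install -d 0755 %{buildroot}%{_unitdir}` is missing `-m` (compare `install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}` later in %install), so it creates a stray `0755` directory; `install -d -m 0755 %{buildroot}%{_unitdir}` is intended.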
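Review bot: %files in the @@ -106 hunk still lists `%{_unitdir}/%{name}d.service` and `%{_unitdir}/%{name}d-keygen.service`, yet the %install lines that copied the downstream unit files were dropped together with the Source1/Source2 units, so the package now relies on upstream 0.12's `make install` placing those units into %{_unitdir}; presumably it does, but that should be confirmed, since rpmbuild otherwise aborts on the missing files. The same applies to the renamed `dispatcher.d/01-dnssec-trigger` here and to `%{_libexecdir}/dnssec-trigger-script` in the @@ -118 hunk, neither of which the spec installs explicitly any more. A one-line comment above the two unit entries, `# unit files and hooks are installed by upstream's make install since 0.12`, would record where they now come from.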
@@ -1,12 +0,0 @@
-[Unit]
-Description=dnssec-triggerd Control Key And Certificate Generator
-After=syslog.target
-ConditionPathExists=!/etc/dnssec-trigger/dnssec_trigger_control.key
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/
-ExecStart=/sbin/restorecon /etc/dnssec-trigger/*
-
-[Install]
-WantedBy=multi-user.target
diff --git a/dnssec-triggerd-resolvconf-handle.service b/dnssec-triggerd-resolvconf-handle.service
deleted file mode 100644
index a23760c..0000000
--- a/dnssec-triggerd-resolvconf-handle.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Backups and restores /etc/resolv.conf after dnssec-trigger starts/stops
-PartOf=dnssec-triggerd.service
-
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-
-ExecStart=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh backup
-ExecStop=/usr/libexec/dnssec-triggerd-resolvconf-handle.sh restore
diff --git a/dnssec-triggerd-resolvconf-handle.sh b/dnssec-triggerd-resolvconf-handle.sh
deleted file mode 100755
index 622df12..0000000
--- a/dnssec-triggerd-resolvconf-handle.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-# dnssec-trigger script handling possible backup and restore of resolv.conf
-
-SCRIPT_NAME="dnssec-trigger-resolvconf-handle.sh"
-STATE_DIR="/var/run/dnssec-trigger"
-RESOLV_CONF="/etc/resolv.conf"
-RESOLV_CONF_BAK="$STATE_DIR/resolv.conf.bak"
-NM_CONFIG="/etc/NetworkManager/NetworkManager.conf"
-
-usage()
-{
- echo
- echo "This script backs up or restores /etc/resolv.conf content"
- echo "Usage: $SCRIPT_NAME [backup|restore]"
-}
-
-# check number of arguments
-if ! [ "$#" -eq 1 ]; then
- echo "ERROR: Wrong number of arguments!"
- usage
- exit 1
-fi
-
-does_nm_handle_resolv_conf()
-{
- grep -x "^dns=none" $NM_CONFIG &> /dev/null
- echo "$?"
-}
-
-backup_resolv_conf()
-{
- # find out if NM handles the resolv.conf
- if [ "`does_nm_handle_resolv_conf`" -eq 0 ]; then
- cp -fp $RESOLV_CONF $RESOLV_CONF_BAK
- fi
-}
-
-restore_resolv_conf()
-{
- # if we have a backup and NM does not handle resolv.conf -> restore it
- if [ "`does_nm_handle_resolv_conf`" -eq 0 ] && [ -s $RESOLV_CONF_BAK ]; then
- cp -fp $RESOLV_CONF_BAK $RESOLV_CONF
- else
- # let NM rewrite the resolv.conf
- systemctl restart NetworkManager.service
- fi
-}
-
-case "$1" in
- backup)
- backup_resolv_conf
- ;;
- restore)
- restore_resolv_conf
- ;;
- *)
- echo "ERROR: Wrong argument!"
- usage
- exit 1
-esac
-
-exit 0
diff --git a/dnssec-triggerd.service b/dnssec-triggerd.service
deleted file mode 100644
index 9d55778..0000000
--- a/dnssec-triggerd.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=Reconfigure local DNS(SEC) resolver on network change
-After=syslog.target network.target
-After=dnssec-triggerd-keygen.service
-Wants=dnssec-triggerd-keygen.service
-After=dnssec-triggerd-resolvconf-handle.service
-Wants=dnssec-triggerd-resolvconf-handle.service
-After=unbound.service
-Wants=unbound.service
-
-[Service]
-Type=simple
-Restart=always
-#EnvironmentFile=-/etc/sysconfig/dnssec-trigger
-ExecStart=/usr/sbin/dnssec-triggerd -d
-ExecStartPost=/etc/NetworkManager/dispatcher.d/01-dnssec-trigger-hook
-RestartSec=0
-ExecStopPost=/usr/bin/chattr -i /etc/resolv.conf
-
-[Install]
-WantedBy=multi-user.target
-Alias=dnssec-trigger.service
diff --git a/dnssec.conf.sample b/dnssec.conf.sample
deleted file mode 100644
index ef29603..0000000
--- a/dnssec.conf.sample
+++ /dev/null
@@ -1,54 +0,0 @@
-# validate_connection_provided_zones:
-# -----------------------------------
-# Setts if forward zones added into unbound by dnssec-trigger script
-# will be DNSSEC validated or NOT. Note that this setting is global
-# for all added forward zones..
-# Possible options are:
-#
-# validate_connection_provided_zones=yes - All connection provided zones
-# configured as forward zones into
-# unbound WILL BE DNSSEC validated
-# (NOTE: If connection provided DNS
-# servers are NOT DNSSEC capable, the
-# resolving of provided zones will
-# NOT work!)
-#
-# validate_connection_provided_zones=no - All connection provided zones
-# configured as forward zones into
-# unbound will NOT be DNSSEC validated
-#
-#
-# NOTICE: if you turn the validation OFF then all forward zones added by
-# dnssec-trigger script will NOT be DNSSEC validated. If you turn the
-# validation ON, only newly added forward zones will be DNSSEC validated.
-# Forward zones added before the change will still NOT be DNSSEC validated.
-# To force validation of previously added forward zone you need to restart
-# it. For VPNs this can be done by restart NetworkManager.
-validate_connection_provided_zones=no
-
-# add_wifi_provided_zones:
-# ------------------------
-# Setts if domains provided by WiFi connection are configured as forward zones
-# into unbound.
-# Possible options are:
-#
-# add_wifi_provided_zones=yes - Domains provided by ANY WiFi connection will
-# be configured as forward zones into unbound.
-# (NOTE: See the possible security implications
-# stated below!)
-#
-# add_wifi_provided_zones=no - Domains provided by ANY WiFi connection will
-# NOT be configured as forward zones into unbound.
-# (NOTE: Forward zones will be still configured
-# for any other type of connection!)
-#
-# NOTICE: Turning ON the addition of WiFi provided domains as forward zones
-# into unbound may have SECURITY implications such as:
-# - A WiFi access point can intentionally provide you a domain via DHCP for
-# which it does not have authority and route all your DNS queries to its
-# DNS servers.
-# - In addition to the previous point, if you have the DNSSEC validation
-# of forward zones turned OFF, the WiFi provided DNS servers can spoof
-# the IP address for domain names from the provided domain WITHOUT YOU
-# KNOWING IT!
-add_wifi_provided_zones=no
diff --git a/sources b/sources
index 3131e3d..26bb275 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7efb79cb5813b1fab10c4a9518810431 dnssec-trigger-0.11.tar.gz
+811b14e79b97defcff17ea4d58325b2b dnssec-trigger-0.12.tar.gz