From fd3c4dd129742ec50457a3fd5d5e460466a0a113 Mon Sep 17 00:00:00 2001 From: crusader Date: Thu, 4 Oct 2018 14:49:34 +0900 Subject: [PATCH] ing --- config/build/mac/ChmodBPF/ChmodBPF | 40 +++++++++++++++++++ ...com.loafle.overflow.scanner.ChmodBPF.plist | 12 ++++++ config/build/mac/pkg/scripts/postinstall | 20 +++++++++- 3 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 config/build/mac/ChmodBPF/ChmodBPF create mode 100644 config/build/mac/ChmodBPF/com.loafle.overflow.scanner.ChmodBPF.plist diff --git a/config/build/mac/ChmodBPF/ChmodBPF b/config/build/mac/ChmodBPF/ChmodBPF new file mode 100644 index 0000000..8564790 --- /dev/null +++ b/config/build/mac/ChmodBPF/ChmodBPF @@ -0,0 +1,40 @@ +#! /bin/bash + +# +# Unfortunately, macOS's devfs is based on the old FreeBSD +# one, not the current one, so there's no way to configure it +# to create BPF devices with particular owners or groups. BPF +# devices on macOS are also non-cloning, that is they can +# be created on demand at any time. This startup item will +# pre-create a number of BPF devices, then make them owned by +# the access_bpf group, with permissions rw-rw----, so that +# anybody in the access_bpf group can use programs that capture +# or send raw packets. +# +# Change this as appropriate for your site, e.g. to make +# it owned by a particular user without changing the permissions, +# so only that user and the super-user can capture or send raw +# packets, or give it the permissions rw-r-----, so that +# only the super-user can send raw packets but anybody in the +# admin group can capture packets. +# + +# Pre-create BPF devices. Set to 0 to disable. +FORCE_CREATE_BPF_MAX=256 + +SYSCTL_MAX=$( sysctl -n debug.bpf_maxdevices ) +if [ "$FORCE_CREATE_BPF_MAX" -gt "$SYSCTL_MAX" ] ; then + FORCE_CREATE_BPF_MAX=$SYSCTL_MAX +fi + +syslog -s -l notice "ChmodBPF: Forcing creation and setting permissions for /dev/bpf*" + +CUR_DEV=0 +while [ "$CUR_DEV" -lt "$FORCE_CREATE_BPF_MAX" ] ; do + # Try to do the minimum necessary to trigger the next device. + read -n 0 < /dev/bpf$CUR_DEV > /dev/null 2>&1 + CUR_DEV=$(( $CUR_DEV + 1 )) +done + +chgrp access_bpf /dev/bpf* +chmod g+rw /dev/bpf* diff --git a/config/build/mac/ChmodBPF/com.loafle.overflow.scanner.ChmodBPF.plist b/config/build/mac/ChmodBPF/com.loafle.overflow.scanner.ChmodBPF.plist new file mode 100644 index 0000000..2dd64e4 --- /dev/null +++ b/config/build/mac/ChmodBPF/com.loafle.overflow.scanner.ChmodBPF.plist @@ -0,0 +1,12 @@ + + + + + Label + com.loafle.overflow.scanner.ChmodBPF + RunAtLoad + + Program + /Library/Application Support/overFlow-NetworkScanner/ChmodBPF/ChmodBPF + + diff --git a/config/build/mac/pkg/scripts/postinstall b/config/build/mac/pkg/scripts/postinstall index 92b94c4..e90d1ae 100755 --- a/config/build/mac/pkg/scripts/postinstall +++ b/config/build/mac/pkg/scripts/postinstall @@ -1,3 +1,21 @@ #!/bin/sh -exit 0 \ No newline at end of file + +CHMOD_BPF="/Library/LaunchDaemons/com.loafle.overflow.scanner.ChmodBPF.plist" +BPF_GROUP="access_bpf" +BPF_GROUP_NAME="BPF device access ACL" + +dscl . -read /Groups/"$BPF_GROUP" > /dev/null 2>&1 || \ + dseditgroup -q -o create "$BPF_GROUP" +dseditgroup -q -o edit -a "$USER" -t user "$BPF_GROUP" + +cp "/Library/Application Support/overFlow-NetworkScanner/ChmodBPF/com.loafle.overflow.scanner.ChmodBPF.plist" \ + "$CHMOD_BPF" +chmod 755 "$CHMOD_BPF" +chown root:wheel "$CHMOD_BPF" + +rm -rf /Library/StartupItems/ChmodBPF + +launchctl load "$CHMOD_BPF" + +exit 0