* [Buildroot] [PATCH 1/2] package/libhtp: new package
From: Fabrice Fontaine @ 2019-03-14 21:25 UTC (permalink / raw)
To: buildroot
LibHTP is a security-aware parser for the HTTP protocol and the related
bits and pieces.
https://github.com/OISF/libhtp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
DEVELOPERS | 1 +
package/Config.in | 1 +
.../0001-fix-build-without-GNU-libiconv.patch | 60 ++++++++++++++++++++++
package/libhtp/Config.in | 9 ++++
package/libhtp/libhtp.hash | 3 ++
package/libhtp/libhtp.mk | 20 ++++++++
6 files changed, 94 insertions(+)
create mode 100644 package/libhtp/0001-fix-build-without-GNU-libiconv.patch
create mode 100644 package/libhtp/Config.in
create mode 100644 package/libhtp/libhtp.hash
create mode 100644 package/libhtp/libhtp.mk
diff --git a/DEVELOPERS b/DEVELOPERS
index 36e2295d2d..24737b858f 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -784,6 +784,7 @@ F: package/libgee/
F: package/libglib2/
F: package/libgtk2/
F: package/libgtk3/
+F: package/libhtp/
F: package/libidn/
F: package/libidn2/
F: package/libjpeg/
diff --git a/package/Config.in b/package/Config.in
index 85a37f2c0b..bb57afab08 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1534,6 +1534,7 @@ menu "Networking"
source "package/libeXosip2/Config.in"
source "package/libfcgi/Config.in"
source "package/libgsasl/Config.in"
+ source "package/libhtp/Config.in"
source "package/libhttpparser/Config.in"
source "package/libidn/Config.in"
source "package/libidn2/Config.in"
diff --git a/package/libhtp/0001-fix-build-without-GNU-libiconv.patch b/package/libhtp/0001-fix-build-without-GNU-libiconv.patch
new file mode 100644
index 0000000000..8f6cddf2da
--- /dev/null
+++ b/package/libhtp/0001-fix-build-without-GNU-libiconv.patch
@@ -0,0 +1,60 @@
+From 1531a8e9b91b567979a2a0d7fd6a4c2e9126b01c Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Wed, 6 Mar 2019 23:06:54 +0100
+Subject: [PATCH] fix build without GNU libiconv
+
+iconvctl is only defined in GNU libiconv so check for the availability
+of this function before using it
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://github.com/OISF/libhtp/pull/193]
+---
+ configure.ac | 18 ++++++++++++++++++
+ htp/htp_transcoder.c | 2 +-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7f0a58d..388ec7b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -155,6 +155,24 @@ sinclude(m4/lib-link.m4)
+ sinclude(m4/lib-prefix.m4)
+ AM_ICONV
+
++# iconvctl is not standard, it is defined only in GNU libiconv
++AC_MSG_CHECKING(for iconvctl)
++TMPLIBS="${LIBS}"
++LIBS="${LIBS} ${LIBICONV}"
++
++AC_TRY_LINK([#include <stdlib.h>
++ #include <iconv.h>],
++ [int iconv_param = 0;
++ iconv_t cd = iconv_open("","");
++ iconvctl(cd, ICONV_SET_DISCARD_ILSEQ, &iconv_param);
++ iconv_close(cd);],
++ [ac_cv_func_iconvctl=yes])
++AC_MSG_RESULT($ac_cv_func_iconvctl)
++if test "$ac_cv_func_iconvctl" == yes; then
++ AC_DEFINE(HAVE_ICONVCTL,1,"Define to 1 if you have the `iconvctl' function.")
++fi
++LIBS="${TMPLIBS}"
++
+ dnl -----------------------------------------------
+ dnl Check and enable the GCC opts we want to use.
+ dnl We may need to add more checks
+diff --git a/htp/htp_transcoder.c b/htp/htp_transcoder.c
+index 57ff74c..d8e8280 100644
+--- a/htp/htp_transcoder.c
++++ b/htp/htp_transcoder.c
+@@ -64,7 +64,7 @@ int htp_transcode_params(htp_connp_t *connp, htp_table_t **params, int destroy_o
+ return HTP_ERROR;
+ }
+
+- #if (_LIBICONV_VERSION >= 0x0108)
++ #if (_LIBICONV_VERSION >= 0x0108 && HAVE_ICONVCTL)
+ int iconv_param = 0;
+ iconvctl(cd, ICONV_SET_TRANSLITERATE, &iconv_param);
+ iconv_param = 1;
+--
+2.14.1
+
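Review bot: In the configure.ac check, the comparison test "$ac_cv_func_iconvctl" == yes uses ==, which is not POSIX and is rejected by some /bin/sh implementations; with such a shell HAVE_ICONVCTL is never defined even where iconvctl exists. Use a single =. ac_cv_func_iconvctl is also only assigned in the success branch of AC_TRY_LINK, so AC_MSG_RESULT prints an empty string on failure; passing [ac_cv_func_iconvctl=no] as the fourth argument fixes that. In htp_transcoder.c the iconvctl block is compiled out when HAVE_ICONVCTL is absent, so the ICONV_SET_TRANSLITERATE setting is left at the iconv implementation's default there; a comment saying this is accepted would help the next reader.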
diff --git a/package/libhtp/Config.in b/package/libhtp/Config.in
new file mode 100644
index 0000000000..98b9e2adea
--- /dev/null
+++ b/package/libhtp/Config.in
@@ -0,0 +1,9 @@
+config BR2_PACKAGE_LIBHTP
+ bool "libhtp"
+ select BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
+ select BR2_PACKAGE_ZLIB
+ help
+ LibHTP is a security-aware parser for the HTTP protocol and
+ the related bits and pieces.
+
+ https://github.com/OISF/libhtp
diff --git a/package/libhtp/libhtp.hash b/package/libhtp/libhtp.hash
new file mode 100644
index 0000000000..be68547be2
--- /dev/null
+++ b/package/libhtp/libhtp.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256 7384f8461ad0431e9247c49b37a73929b284f39408d1f11b80949b188069b638 libhtp-0.5.30.tar.gz
+sha256 87c93904e5434c81622ea690c2b90097b9f162aaa92a96542649a157dbf98d15 LICENSE
diff --git a/package/libhtp/libhtp.mk b/package/libhtp/libhtp.mk
new file mode 100644
index 0000000000..7606684b31
--- /dev/null
+++ b/package/libhtp/libhtp.mk
@@ -0,0 +1,20 @@
+################################################################################
+#
+# libhtp
+#
+################################################################################
+
+LIBHTP_VERSION = 0.5.30
+LIBHTP_SITE = $(call github,OISF,libhtp,$(LIBHTP_VERSION))
+LIBHTP_LICENSE = BSD-3-Clause
+LIBHTP_LICENSE_FILES = LICENSE
+LIBHTP_DEPENDENCIES = \
+ $(if $(BR2_PACKAGE_LIBICONV),libiconv) \
+ zlib
+LIBHTP_INSTALL_STAGING = YES
+# From git
+LIBHTP_AUTORECONF = YES
+
+LIBHTP_CONF_ENV = NO_STACK_PROTECTOR=$(if $(BR2_TOOLCHAIN_HAS_SSP),no,true)
+
+$(eval $(autotools-package))
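Review bot: LIBHTP_CONF_ENV ties NO_STACK_PROTECTOR to BR2_TOOLCHAIN_HAS_SSP, which hands the stack-protector decision to libhtp's own configure script on SSP-capable toolchains. Setting NO_STACK_PROTECTOR=true unconditionally keeps the hardening flags in one place, the Buildroot gcc wrapper, which is the change the maintainer makes in his reply in this thread. Since 0001-fix-build-without-GNU-libiconv.patch modifies configure.ac, the comment above LIBHTP_AUTORECONF could name the patch as well as "From git".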
--
2.14.1
* [Buildroot] [PATCH 2/2] package/suricata: new package
From: Fabrice Fontaine @ 2019-03-14 21:26 UTC (permalink / raw)
To: buildroot
Suricata is a free and open source, mature, fast and robust
network threat detection engine.
The Suricata engine is capable of real time intrusion
detection (IDS), inline intrusion prevention (IPS), network
security monitoring (NSM) and offline pcap processing.
https://suricata-ids.org
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
DEVELOPERS | 1 +
package/Config.in | 1 +
package/suricata/Config.in | 22 +++++++
package/suricata/S99suricata | 39 ++++++++++++
package/suricata/suricata.hash | 6 ++
package/suricata/suricata.mk | 131 ++++++++++++++++++++++++++++++++++++++
package/suricata/suricata.service | 13 ++++
7 files changed, 213 insertions(+)
create mode 100644 package/suricata/Config.in
create mode 100644 package/suricata/S99suricata
create mode 100644 package/suricata/suricata.hash
create mode 100644 package/suricata/suricata.mk
create mode 100644 package/suricata/suricata.service
diff --git a/DEVELOPERS b/DEVELOPERS
index 24737b858f..a9bec63849 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -818,6 +818,7 @@ F: package/oprofile/
F: package/pcmanfm/
F: package/rygel/
F: package/safeclib/
+F: package/suricata/
F: package/tinycbor/
F: package/tinydtls/
F: package/tinymembench/
diff --git a/package/Config.in b/package/Config.in
index bb57afab08..4538ac8307 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2018,6 +2018,7 @@ endif
source "package/sslh/Config.in"
source "package/strongswan/Config.in"
source "package/stunnel/Config.in"
+ source "package/suricata/Config.in"
source "package/tcpdump/Config.in"
source "package/tcping/Config.in"
source "package/tcpreplay/Config.in"
diff --git a/package/suricata/Config.in b/package/suricata/Config.in
new file mode 100644
index 0000000000..2add34956e
--- /dev/null
+++ b/package/suricata/Config.in
@@ -0,0 +1,22 @@
+config BR2_PACKAGE_SURICATA
+ bool "suricata"
+ depends on BR2_USE_MMU # fork()
+ depends on BR2_USE_WCHAR
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ select BR2_PACKAGE_LIBHTP
+ select BR2_PACKAGE_LIBPCAP
+ select BR2_PACKAGE_LIBYAML
+ select BR2_PACKAGE_PCRE
+ help
+ Suricata is a free and open source, mature, fast and robust
+ network threat detection engine.
+
+ The Suricata engine is capable of real time intrusion
+ detection (IDS), inline intrusion prevention (IPS), network
+ security monitoring (NSM) and offline pcap processing.
+
+ https://suricata-ids.org
+
+comment "suricata needs a toolchain w/ wchar, threads"
+ depends on BR2_USE_MMU
+ depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/package/suricata/S99suricata b/package/suricata/S99suricata
new file mode 100644
index 0000000000..35a034b179
--- /dev/null
+++ b/package/suricata/S99suricata
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+NAME=suricata
+PIDFILE=/var/run/$NAME.pid
+DAEMON=/usr/bin/$NAME
+DAEMON_ARGS="-c /etc/suricata/suricata.yaml -i eth0"
+
+start() {
+ printf "Starting $NAME: "
+ mkdir -p /var/log/suricata
+ start-stop-daemon -S -q -m -b -p $PIDFILE --exec $DAEMON -- $DAEMON_ARGS
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+}
+stop() {
+ printf "Stopping $NAME: "
+ start-stop-daemon -K -q -p $PIDFILE
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+}
+restart() {
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart|reload)
+ restart
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+esac
+
+exit $?
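Review bot: In start() and stop() the last command is the "[ $? = 0 ] && echo ... || echo ..." list, so both functions return the status of echo and the final exit $? reports 0 even when start-stop-daemon failed. Save the status first (status=$? before the echo, return "$status" at the end) so a caller can tell that the IDS did not start. DAEMON_ARGS also hardcodes -i eth0; on a target whose capture interface has another name Suricata will not be listening where it is expected to, so the arguments should be overridable from a file under /etc/default.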
diff --git a/package/suricata/suricata.hash b/package/suricata/suricata.hash
new file mode 100644
index 0000000000..44ada0115a
--- /dev/null
+++ b/package/suricata/suricata.hash
@@ -0,0 +1,6 @@
+# Locally computed:
+sha256 6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0 suricata-4.1.3.tar.gz
+
+# Hash for license files:
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE
diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk
new file mode 100644
index 0000000000..4b1e90435a
--- /dev/null
+++ b/package/suricata/suricata.mk
@@ -0,0 +1,131 @@
+################################################################################
+#
+# suricata
+#
+################################################################################
+
+SURICATA_VERSION = 4.1.3
+SURICATA_SITE = https://www.openinfosecfoundation.org/download
+SURICATA_LICENSE = GPL-2.0
+SURICATA_LICENSE_FILES = COPYING LICENSE
+
+SURICATA_DEPENDENCIES = \
+ host-pkgconf \
+ $(if $(BR2_PACKAGE_JANSSON),jansson) \
+ $(if $(BR2_PACKAGE_LIBCAP_NG),libcap-ng) \
+ $(if $(BR2_PACKAGE_LIBEVENT),libevent) \
+ libhtp \
+ $(if $(BR2_PACKAGE_LIBNFNETLINK),libnfnetlink) \
+ libpcap \
+ libyaml \
+ $(if $(BR2_PACKAGE_LZ4),lz4) \
+ $(if $(BR2_PACKAGE_LZMA),lzma) \
+ pcre
+
+SURICATA_CONF_OPTS = \
+ --disable-pie \
+ --disable-rust \
+ --disable-suricata-update \
+ --enable-non-bundled-htp
+
+# install: install binaries
+# install-conf: install initial configuration files
+# install-full: install binaries, configuration and rules (rules will be
+# download through wget/curl)
+SURICATA_INSTALL_TARGET_OPTS = DESTDIR=$(TARGET_DIR) install install-conf
+
+ifeq ($(BR2_PACKAGE_FILE),y)
+SURICATA_DEPENDENCIES += file
+SURICATA_CONF_OPTS += --enable-libmagic
+else
+SURICATA_CONF_OPTS += --disable-libmagic
+endif
+
+ifeq ($(BR2_PACKAGE_GEOIP),y)
+SURICATA_DEPENDENCIES += geoip
+SURICATA_CONF_OPTS += --enable-geoip
+else
+SURICATA_CONF_OPTS += --disable-geoip
+endif
+
+ifeq ($(BR2_PACKAGE_HIREDIS),y)
+SURICATA_DEPENDENCIES += hiredis
+SURICATA_CONF_OPTS += --enable-hiredis
+else
+SURICATA_CONF_OPTS += --disable-hiredis
+endif
+
+ifeq ($(BR2_PACKAGE_LIBNET),y)
+SURICATA_DEPENDENCIES += libnet
+SURICATA_CONF_OPTS += --with-libnet-includes=$(STAGING_DIR)/usr/include
+endif
+
+ifeq ($(BR2_PACKAGE_LIBNETFILTER_LOG),y)
+SURICATA_DEPENDENCIES += libnetfilter_log
+SURICATA_CONF_OPTS += --enable-nflog
+else
+SURICATA_CONF_OPTS += --disable-nflog
+endif
+
+ifeq ($(BR2_PACKAGE_LIBNETFILTER_QUEUE),y)
+SURICATA_DEPENDENCIES += libnetfilter_queue
+SURICATA_CONF_OPTS += --enable-nfqueue
+else
+SURICATA_CONF_OPTS += --disable-nfqueue
+endif
+
+ifeq ($(BR2_PACKAGE_LIBNSPR),y)
+SURICATA_DEPENDENCIES += libnspr
+SURICATA_CONF_OPTS += --enable-nspr
+else
+SURICATA_CONF_OPTS += --disable-nspr
+endif
+
+ifeq ($(BR2_PACKAGE_LIBNSS),y)
+SURICATA_DEPENDENCIES += libnss
+SURICATA_CONF_OPTS += --enable-nss
+else
+SURICATA_CONF_OPTS += --disable-nss
+endif
+
+ifeq ($(BR2_PACKAGE_LUA),y)
+SURICATA_CONF_OPTS += --enable-lua
+SURICATA_DEPENDENCIES += lua
+else
+SURICATA_CONF_OPTS += --disable-lua
+endif
+
+ifeq ($(BR2_PACKAGE_LUAJIT),y)
+SURICATA_CONF_OPTS += --enable-luajit
+SURICATA_DEPENDENCIES += luajit
+else
+SURICATA_CONF_OPTS += --disable-luajit
+endif
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+SURICATA_CONF_OPTS += --enable-python
+SURICATA_DEPENDENCIES += python
+else
+SURICATA_CONF_OPTS += --disable-python
+endif
+
+ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
+SURICATA_CONF_OPTS += --enable-gccprotect
+else
+SURICATA_CONF_OPTS += --disable-gccprotect
+endif
+
+define SURICATA_INSTALL_INIT_SYSV
+ $(INSTALL) -D -m 0755 package/suricata/S99suricata \
+ $(TARGET_DIR)/etc/init.d/S99suricata
+endef
+
+define SURICATA_INSTALL_INIT_SYSTEMD
+ $(INSTALL) -D -m 644 package/suricata/suricata.service \
+ $(TARGET_DIR)/usr/lib/systemd/system/suricata.service
+ mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+ ln -sf ../../../../usr/lib/systemd/system/suricata.service \
+ $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/suricata.service
+endef
+
+$(eval $(autotools-package))
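Review bot: SURICATA_CONF_OPTS passes --disable-pie unconditionally and without a comment, while the stack protector is switched by the BR2_TOOLCHAIN_HAS_SSP block near the end, so the two hardening options follow different rules. For a daemon that parses untrusted network traffic, say in a comment why PIE is turned off at the configure level, and treat gccprotect the same way: unconditional --disable-gccprotect with the flags left to the toolchain wrapper, as the maintainer asks in his reply. The lua and luajit blocks can both add their --enable option when both packages are selected; it is worth confirming that configure accepts that combination.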
diff --git a/package/suricata/suricata.service b/package/suricata/suricata.service
new file mode 100644
index 0000000000..ca0be02dae
--- /dev/null
+++ b/package/suricata/suricata.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Suricata Intrusion Detection Service
+After=network.target
+
+[Service]
+ExecStartPre=/bin/rm -f /var/run/suricata.pid
+ExecStartPre=/usr/bin/mkdir -p /var/log/suricata
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
+ExecReload=/bin/kill -USR2 $MAINPID
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
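Review bot: ExecStart passes --pidfile /var/run/suricata.pid and an ExecStartPre removes that file, but the unit declares neither Type= nor PIDFile=, so systemd never reads the file and $MAINPID in ExecReload is simply the process started by ExecStart. Either drop the pid file handling or declare it explicitly. The interface is also hardcoded as -i eth0; an EnvironmentFile= would let it be set per target without editing the unit.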
--
2.14.1
* [Buildroot] [PATCH 2/2] package/suricata: new package
From: Thomas Petazzoni @ 2019-04-13 20:53 UTC (permalink / raw)
To: buildroot
Hello Fabrice,
On Thu, 14 Mar 2019 22:26:00 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> Suricata is a free and open source, mature, fast and robust
> network threat detection engine.
>
> The Suricata engine is capable of real time intrusion
> detection (IDS), inline intrusion prevention (IPS), network
> security monitoring (NSM) and offline pcap processing.
>
> https://suricata-ids.org
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Overall looks good. I was about to commit, but I have some doubts about
the systemd unit, and therefore will take advantage of those doubts to
also make a few comments about other aspects.
> diff --git a/package/suricata/S99suricata b/package/suricata/S99suricata
> new file mode 100644
> index 0000000000..35a034b179
> --- /dev/null
> +++ b/package/suricata/S99suricata
In terms of init scripts, package/busybox/S02klogd is now the
"reference". I recommend following this example.
> @@ -0,0 +1,39 @@
> +#!/bin/sh
> +
> +NAME=suricata
> +PIDFILE=/var/run/$NAME.pid
> +DAEMON=/usr/bin/$NAME
> +DAEMON_ARGS="-c /etc/suricata/suricata.yaml -i eth0"
You clearly want to include a /etc/default/${DAEMON} file. DAEMON
should be just the name of the program, see S02klogd.
> +case "$1" in
> + start)
> + start
> + ;;
> + stop)
> + stop
> + ;;
> + restart|reload)
> + restart
> + ;;
> + *)
> + echo "Usage: $0 {start|stop|restart}"
> + exit 1
Please follow the indentation style of S02klogd.
> +ifeq ($(BR2_PACKAGE_PYTHON),y)
> +SURICATA_CONF_OPTS += --enable-python
> +SURICATA_DEPENDENCIES += python
> +else
> +SURICATA_CONF_OPTS += --disable-python
> +endif
So only Python 2.x is supported ?
> +ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
> +SURICATA_CONF_OPTS += --enable-gccprotect
> +else
> +SURICATA_CONF_OPTS += --disable-gccprotect
> +endif
We should unconditionally use --disable-gccprotect and let our
gcc/wrapper pass the appropriate SSP/hardening options.
> diff --git a/package/suricata/suricata.service b/package/suricata/suricata.service
> new file mode 100644
> index 0000000000..ca0be02dae
> --- /dev/null
> +++ b/package/suricata/suricata.service
> @@ -0,0 +1,13 @@
> +[Unit]
> +Description=Suricata Intrusion Detection Service
> +After=network.target
> +
> +[Service]
> +ExecStartPre=/bin/rm -f /var/run/suricata.pid
> +ExecStartPre=/usr/bin/mkdir -p /var/log/suricata
> +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
> +ExecReload=/bin/kill -USR2 $MAINPID
I am a bit skeptical about the PID file handling. How is systemd going
to know that the PID file is /var/run/suricata.pid ? Is this useful in
the context of systemd ?
I'm by no means not a systemd expert, but this seems weird to me. If a
systemd-person could give more details about this, it would be nice.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/2] package/suricata: new package
From: Fabrice Fontaine @ 2019-04-15 20:38 UTC (permalink / raw)
To: buildroot
Hello Thomas,
On Sat, 13 Apr 2019 at 22:53, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Fabrice,
>
> On Thu, 14 Mar 2019 22:26:00 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > Suricata is a free and open source, mature, fast and robust
> > network threat detection engine.
> >
> > The Suricata engine is capable of real time intrusion
> > detection (IDS), inline intrusion prevention (IPS), network
> > security monitoring (NSM) and offline pcap processing.
> >
> > https://suricata-ids.org
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Overall looks good. I was about to commit, but I have some doubts about
> the systemd unit, and therefore will take advantage of those doubts to
> also make a few comments about other aspects.
>
> > diff --git a/package/suricata/S99suricata b/package/suricata/S99suricata
> > new file mode 100644
> > index 0000000000..35a034b179
> > --- /dev/null
> > +++ b/package/suricata/S99suricata
>
> In terms of init scripts, package/busybox/S02klogd is now the
> "reference". I recommend following this example.
OK, updated in v2
>
> > @@ -0,0 +1,39 @@
> > +#!/bin/sh
> > +
> > +NAME=suricata
> > +PIDFILE=/var/run/$NAME.pid
> > +DAEMON=/usr/bin/$NAME
> > +DAEMON_ARGS="-c /etc/suricata/suricata.yaml -i eth0"
>
> You clearly want to include a /etc/default/${DAEMON} file. DAEMON
> should be just the name of the program, see S02klogd.
>
> > +case "$1" in
> > + start)
> > + start
> > + ;;
> > + stop)
> > + stop
> > + ;;
> > + restart|reload)
> > + restart
> > + ;;
> > + *)
> > + echo "Usage: $0 {start|stop|restart}"
> > + exit 1
>
> Please follow the indentation style of S02klogd.
OK
>
>
> > +ifeq ($(BR2_PACKAGE_PYTHON),y)
> > +SURICATA_CONF_OPTS += --enable-python
> > +SURICATA_DEPENDENCIES += python
> > +else
> > +SURICATA_CONF_OPTS += --disable-python
> > +endif
>
> So only Python 2.x is supported ?
python3 is also supported, I updated v2.
>
> > +ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y)
> > +SURICATA_CONF_OPTS += --enable-gccprotect
> > +else
> > +SURICATA_CONF_OPTS += --disable-gccprotect
> > +endif
>
> We should unconditionally use --disable-gccprotect and let our
> gcc/wrapper pass the appropriate SSP/hardening options.
OK
>
> > diff --git a/package/suricata/suricata.service b/package/suricata/suricata.service
> > new file mode 100644
> > index 0000000000..ca0be02dae
> > --- /dev/null
> > +++ b/package/suricata/suricata.service
> > @@ -0,0 +1,13 @@
> > +[Unit]
> > +Description=Suricata Intrusion Detection Service
> > +After=network.target
> > +
> > +[Service]
> > +ExecStartPre=/bin/rm -f /var/run/suricata.pid
> > +ExecStartPre=/usr/bin/mkdir -p /var/log/suricata
> > +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
> > +ExecReload=/bin/kill -USR2 $MAINPID
>
> I am a bit skeptical about the PID file handling. How is systemd going
> to know that the PID file is /var/run/suricata.pid ? Is this useful in
> the context of systemd ?
I followed the template given by upstream in
https://github.com/OISF/suricata/blob/ec77632e84a106ddbcd0baef4e4368b4fe5c5f9e/etc/suricata.service.in
I updated v2 to add an EnvironmentFile to /etc/default/suricata.
Concerning the PID, it works because $MAINPID is an internal systemd
variable that saves the same value as the /var/run/suricata.pid file
because we didn't ask systemd to fork suricata.
>
> I'm by no means not a systemd expert, but this seems weird to me. If a
> systemd-person could give more details about this, it would be nice.
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
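
The PID question discussed in the message above, as an added shell example that is not part of the thread or of the Buildroot or Suricata sources: it reads a unit file and reports where systemd takes the main PID from. The function names are hypothetical; the sample unit is the suricata.service from the patch in this thread.

```sh
#!/bin/sh
# Added example: classify how systemd learns a service's main PID.

# Sample input: the suricata.service posted in this thread.
SAMPLE_UNIT='[Unit]
Description=Suricata Intrusion Detection Service
After=network.target

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStartPre=/usr/bin/mkdir -p /var/log/suricata
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target'

# unit_key KEY: print the last value of KEY= found in [Service] (unit on stdin).
unit_key() {
    awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }'
}

# pid_tracking: say where the main PID comes from (unit on stdin).
pid_tracking() {
    unit=$(cat)
    svc_type=$(printf '%s\n' "$unit" | unit_key Type)
    pidfile=$(printf '%s\n' "$unit" | unit_key PIDFile)
    execstart=$(printf '%s\n' "$unit" | unit_key ExecStart)
    # systemd defaults to Type=simple when ExecStart= is set and Type= is not.
    [ -n "$svc_type" ] || svc_type=simple
    case "$svc_type" in
        forking)
            if [ -n "$pidfile" ]; then
                echo "forking: main PID read from PIDFile=$pidfile"
            else
                echo "forking: no PIDFile=, systemd has to guess the main PID"
            fi ;;
        simple|exec)
            # The process systemd starts is the main PID; a pid file named
            # only on the daemon's command line is never read by systemd.
            case " $execstart " in
                *" --pidfile "*)
                    echo "$svc_type: main PID is the ExecStart process; --pidfile is not read by systemd" ;;
                *)
                    echo "$svc_type: main PID is the ExecStart process" ;;
            esac ;;
        *)
            echo "$svc_type: not covered by this check" ;;
    esac
}

printf '%s\n' "$SAMPLE_UNIT" | pid_tracking
```
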
* [Buildroot] [PATCH 1/2] package/libhtp: new package
From: Thomas Petazzoni @ 2019-04-13 20:46 UTC (permalink / raw)
To: buildroot
Hello Fabrice,
On Thu, 14 Mar 2019 22:25:59 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> +LIBHTP_VERSION = 0.5.30
> +LIBHTP_SITE = $(call github,OISF,libhtp,$(LIBHTP_VERSION))
> +LIBHTP_LICENSE = BSD-3-Clause
> +LIBHTP_LICENSE_FILES = LICENSE
There was a trailing white space on this line.
> +LIBHTP_DEPENDENCIES = \
> + $(if $(BR2_PACKAGE_LIBICONV),libiconv) \
> + zlib
> +LIBHTP_INSTALL_STAGING = YES
> +# From git
> +LIBHTP_AUTORECONF = YES
> +
> +LIBHTP_CONF_ENV = NO_STACK_PROTECTOR=$(if $(BR2_TOOLCHAIN_HAS_SSP),no,true)
I changed to:
LIBHTP_CONF_ENV = NO_STACK_PROTECTOR=true
indeed, our policy is that we prefer to have our gcc/wrapper handle SSP
support by passing the appropriate flags.
Applied with those changes. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com