Diffstat (limited to 'packaging/macosx/ChmodBPF')
-rw-r--r--packaging/macosx/ChmodBPF/install-distribution.xml25
-rwxr-xr-xpackaging/macosx/ChmodBPF/install-scripts/postinstall35
-rwxr-xr-xpackaging/macosx/ChmodBPF/root/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF41
-rw-r--r--packaging/macosx/ChmodBPF/root/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist14
-rw-r--r--packaging/macosx/ChmodBPF/uninstall-distribution.xml25
-rwxr-xr-xpackaging/macosx/ChmodBPF/uninstall-scripts/postinstall26
6 files changed, 166 insertions, 0 deletions
diff --git a/packaging/macosx/ChmodBPF/install-distribution.xml b/packaging/macosx/ChmodBPF/install-distribution.xml
new file mode 100644
index 00000000..fbd6fd91
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/install-distribution.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Created using `productbuild -\-synthesize -\-package install.ChmodBPF.pkg /tmp/distribution.xml`
+See also: https://github.com/open-eid/osx-installer/blob/master/distribution.xml
+https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
+https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/
+-->
+<installer-gui-script minSpecVersion="1">
+ <title>ChmodBPF</title>
+ <welcome language="en" mime-type="text/html"><![CDATA[<html><body><br />
+<p style="margin: 0px; font: 13px 'Lucida Grande'">This package will install the ChmodBPF launch daemon, create the access_bpf group, and add you to that group.</p></body></html>]]></welcome>
+ <pkg-ref id="org.wireshark.ChmodBPF.pkg"/>
+ <options customize="never" require-scripts="false" hostArchitectures="arm64,x86_64"/>
+ <domains enable_anywhere="false" enable_currentUserHome="false" enable_localSystem="true"/>
+ <choices-outline>
+ <line choice="default">
+ <line choice="org.wireshark.ChmodBPF.pkg"/>
+ </line>
+ </choices-outline>
+ <choice id="default"/>
+ <choice id="org.wireshark.ChmodBPF.pkg" visible="false">
+ <pkg-ref id="org.wireshark.ChmodBPF.pkg"/>
+ </choice>
+ <pkg-ref id="org.wireshark.ChmodBPF.pkg" onConclusion="none">install.ChmodBPF.pkg</pkg-ref>
+</installer-gui-script>
diff --git a/packaging/macosx/ChmodBPF/install-scripts/postinstall b/packaging/macosx/ChmodBPF/install-scripts/postinstall
new file mode 100755
index 00000000..1f11eb3e
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/install-scripts/postinstall
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+#
+# Fix up ownership and permissions on /Library/Application Support/Wireshark;
+# for some reason, it's not being owned by root:wheel, and it's not
+# publicly readable and, for directories and executables, not publicly
+# searchable/executable.
+#
+# Also take away group write permission.
+#
+# XXX - that may be a problem with the process of building the installer
+# package; if so, that's where it *should* be fixed.
+#
+chown -R root:wheel "/Library/Application Support/Wireshark"
+chmod -R a+rX,go-w "/Library/Application Support/Wireshark"
+
+CHMOD_BPF_PLIST="/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist"
+BPF_GROUP="access_bpf"
+BPF_GROUP_NAME="BPF device access ACL"
+min_gid=100
+
+if ! dscl . -read /Groups/"$BPF_GROUP" > /dev/null 2>&1; then
+ free_gid=$(dscl . -list /Groups PrimaryGroupID | sort -bnk2 | awk -v min_gid=$min_gid 'BEGIN{i=min_gid}{if($2==i)i++}END{print i}')
+ dseditgroup -q -o create -i $free_gid -r "$BPF_GROUP_NAME" "$BPF_GROUP"
+fi
+
+dseditgroup -q -o edit -a "$USER" -t user "$BPF_GROUP"
+
+chmod u=rw,g=r,o=r "$CHMOD_BPF_PLIST"
+chown root:wheel "$CHMOD_BPF_PLIST"
+
+# Clean up our legacy startup item if it's still around.
+rm -rf /Library/StartupItems/ChmodBPF
+
+launchctl bootstrap system "$CHMOD_BPF_PLIST"
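Review bot: Nothing in this script checks that the `chown -R` and `chmod -R` at the top succeeded before `launchctl bootstrap system` loads the daemon on the last line, and there is no `set -e`. The daemon's program lives under that directory (per the plist added in this commit) and, with no UserName key, launchd runs it as root, so a tree left writable by a non-root user would let that user change what runs as root. Failing the install when the fix-up fails is safer: `chown -R root:wheel "/Library/Application Support/Wireshark" || exit 1`, and the same for the `chmod -R` line. Separately, `$USER` on the `dseditgroup ... -a "$USER"` line comes from the environment; on a non-interactive install it may be root or empty (not verifiable from this page), so a guard such as `[ -n "$USER" ] && [ "$USER" != root ]` before that call is worth adding.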
diff --git a/packaging/macosx/ChmodBPF/root/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF b/packaging/macosx/ChmodBPF/root/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF
new file mode 100755
index 00000000..1dc12e7a
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/root/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF
@@ -0,0 +1,41 @@
+#! /bin/zsh
+# shellcheck shell=bash
+
+#
+# Unfortunately, macOS's devfs is based on the old FreeBSD
+# one, not the current one, so there's no way to configure it
+# to create BPF devices with particular owners or groups. BPF
+# devices on macOS are also non-cloning, that is they can
+# be created on demand at any time. This startup item will
+# pre-create a number of BPF devices, then make them owned by
+# the access_bpf group, with permissions rw-rw----, so that
+# anybody in the access_bpf group can use programs that capture
+# or send raw packets.
+#
+# Change this as appropriate for your site, e.g. to make
+# it owned by a particular user without changing the permissions,
+# so only that user and the super-user can capture or send raw
+# packets, or give it the permissions rw-r-----, so that
+# only the super-user can send raw packets but anybody in the
+# admin group can capture packets.
+#
+
+# Pre-create BPF devices. Set to 0 to disable.
+FORCE_CREATE_BPF_MAX=256
+
+SYSCTL_MAX=$( sysctl -n debug.bpf_maxdevices )
+if [ "$FORCE_CREATE_BPF_MAX" -gt "$SYSCTL_MAX" ] ; then
+ FORCE_CREATE_BPF_MAX=$SYSCTL_MAX
+fi
+
+syslog -s -l notice "ChmodBPF: Forcing creation and setting permissions for /dev/bpf0-$(( FORCE_CREATE_BPF_MAX - 1))"
+
+CUR_DEV=0
+while [ "$CUR_DEV" -lt "$FORCE_CREATE_BPF_MAX" ] ; do
+ # Try to do the minimum necessary to trigger the next device.
+ read -r -n 0 < /dev/bpf$CUR_DEV > /dev/null 2>&1
+ CUR_DEV=$(( CUR_DEV + 1 ))
+done
+
+chgrp access_bpf /dev/bpf*
+chmod g+rw /dev/bpf*
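Review bot: The last two lines run `chgrp access_bpf /dev/bpf*` and `chmod g+rw /dev/bpf*` independently, so if the chgrp fails (for example because the access_bpf group is missing or was deleted), the chmod still grants read/write to whatever group currently owns the nodes. Chaining them ties the permission change to the intended group: `chgrp access_bpf /dev/bpf* && chmod g+rw /dev/bpf*`. Since this runs unattended at load, a `syslog -s -l` line on failure would also make a missing group visible instead of leaving the devices in an unexpected state silently.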
diff --git a/packaging/macosx/ChmodBPF/root/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist b/packaging/macosx/ChmodBPF/root/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
new file mode 100644
index 00000000..1b3317e3
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/root/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>Label</key>
+ <string>org.wireshark.ChmodBPF</string>
+ <key>RunAtLoad</key>
+ <true/>
+ <key>Program</key>
+ <string>/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF</string>
+ <key>AssociatedBundleIdentifiers</key>
+ <string>org.wireshark.Wireshark</string>
+</dict>
+</plist>
diff --git a/packaging/macosx/ChmodBPF/uninstall-distribution.xml b/packaging/macosx/ChmodBPF/uninstall-distribution.xml
new file mode 100644
index 00000000..001f6e14
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/uninstall-distribution.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Created using `productbuild -\-synthesize -\-package install.ChmodBPF.pkg /tmp/distribution.xml`
+See also: https://github.com/open-eid/osx-installer/blob/master/distribution.xml
+https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
+https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/
+-->
+<installer-gui-script minSpecVersion="1">
+ <title>Uninstall ChmodBPF</title>
+ <welcome language="en" mime-type="text/html"><![CDATA[<html><body><br />
+<p style="margin: 0px; font: 13px 'Lucida Grande'">This package will uninstall the ChmodBPF launch daemon and remove the access_bpf group.</p></body></html>]]></welcome>
+ <pkg-ref id="org.wireshark.uninstall.ChmodBPF.pkg"/>
+ <options customize="never" require-scripts="false" hostArchitectures="arm64,x86_64"/>
+ <domains enable_anywhere="false" enable_currentUserHome="false" enable_localSystem="true"/>
+ <choices-outline>
+ <line choice="default">
+ <line choice="org.wireshark.uninstall.ChmodBPF.pkg"/>
+ </line>
+ </choices-outline>
+ <choice id="default"/>
+ <choice id="org.wireshark.uninstall.ChmodBPF.pkg" visible="false">
+ <pkg-ref id="org.wireshark.uninstall.ChmodBPF.pkg"/>
+ </choice>
+ <pkg-ref id="org.wireshark.uninstall.ChmodBPF.pkg" onConclusion="none">uninstall.ChmodBPF.pkg</pkg-ref>
+</installer-gui-script>
diff --git a/packaging/macosx/ChmodBPF/uninstall-scripts/postinstall b/packaging/macosx/ChmodBPF/uninstall-scripts/postinstall
new file mode 100755
index 00000000..93a33b4c
--- /dev/null
+++ b/packaging/macosx/ChmodBPF/uninstall-scripts/postinstall
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+#
+# Remove the following:
+# - The ChmmodBPF launch daemon
+# - The ChmmodBPF script
+# - The access_bpf group
+#
+
+CHMOD_BPF_PLIST="/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist"
+BPF_GROUP="access_bpf"
+
+launchctl bootout system "$CHMOD_BPF_PLIST"
+
+dscl . -read /Groups/"$BPF_GROUP" > /dev/null 2>&1 && \
+ dseditgroup -q -o delete "$BPF_GROUP"
+
+rm -rf "/Library/Application Support/Wireshark"
+
+rm -f "$CHMOD_BPF_PLIST"
+
+# ChmodBPF hasn't been a startup item since 2018 (ac4f3c0f4d).
+rm -rf /Library/StartupItems/ChmodBPF
+
+# https://gitlab.com/wireshark/wireshark/-/issues/18734
+pkgutil --forget org.wireshark.ChmodBPF.pkg
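Review bot: The uninstall deletes the access_bpf group but leaves the existing /dev/bpf* nodes as the ChmodBPF script set them, group-readable and -writable under the old numeric GID, presumably until a reboot recreates them. Because the install script allocates the first free GID at or above 100, a group created later can receive the same GID and inherit capture access. Resetting the nodes before the `dseditgroup -q -o delete` call closes that window, e.g. `chmod g-rw /dev/bpf*` followed by `chgrp wheel /dev/bpf*` (assuming root:wheel is the system default; confirm). Also, `rm -rf "/Library/Application Support/Wireshark"` removes the whole Wireshark support directory although the header comment lists only the ChmodBPF script; `rm -rf "/Library/Application Support/Wireshark/ChmodBPF"` would match the stated scope.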