From dc2a0aa7aaa8b85398ae183c7274c0eeec5009af Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Jan 2008 04:50:00 +0000 Subject: [PATCH] 2325. [port] Linux: use capset() function if available. [RT #17557] --- CHANGES | 2 + bin/named/unix/os.c | 25 ++++++++++- config.h.in | 8 +++- configure | 101 ++++++++++++++++++++++++++++++++++++++++++-- configure.in | 5 ++- 5 files changed, 133 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 9881f4e20c..bfa6dc90b5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2325. [port] Linux: use capset() function if available. [RT #17557] + 2324. [bug] Fix IPv6 matching against "any;" [RT #17533] 2323. [port] tru64: namespace clash. [RT #17547] diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index d0b9e6ab64..3c75009d20 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.82 2008/01/18 23:46:57 tbox Exp $ */ +/* $Id: os.c,v 1.83 2008/01/30 04:48:05 marka Exp $ */ /*! \file */ @@ -116,6 +116,16 @@ static int dfd[2] = { -1, -1 }; static isc_boolean_t non_root = ISC_FALSE; static isc_boolean_t non_root_caps = ISC_FALSE; +#if defined(HAVE_CAPSET) +#undef _POSIX_SOURCE +#ifdef HAVE_SYS_CAPABILITY_H +#include +#else +#include +int capset(cap_user_header_t hdrp, const cap_user_data_t datap); +#endif +#include +#else /*% * We define _LINUX_FS_H to prevent it from being included. We don't need * anything from it, and the files it includes cause warnings with 2.2 @@ -148,6 +158,7 @@ static isc_boolean_t non_root_caps = ISC_FALSE; #endif #define SYS_capset __NR_capset #endif +#endif static void linux_setcaps(unsigned int caps) { @@ -165,13 +176,23 @@ linux_setcaps(unsigned int caps) { cap.effective = caps; cap.permitted = caps; cap.inheritable = 0; - if (syscall(SYS_capset, &caphead, &cap) < 0) { +#ifdef HAVE_CAPSET + if (capset(&caphead, &cap) < 0 ) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlyfatal("capset failed: %s:" " please ensure that the capset kernel" " module is loaded. see insmod(8)", strbuf); } +#else + if (syscall(SYS_capset, &caphead, &cap) < 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlyfatal("syscall(capset) failed: %s:" + " please ensure that the capset kernel" + " module is loaded. see insmod(8)", + strbuf); + } +#endif } static void diff --git a/config.h.in b/config.h.in index 0866b09c54..3e6b2e4255 100644 --- a/config.h.in +++ b/config.h.in @@ -16,7 +16,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.in,v 1.94 2008/01/24 02:39:43 marka Exp $ */ +/* $Id: config.h.in,v 1.96 2008/03/20 04:51:00 marka Exp $ */ /*! \file */ @@ -157,6 +157,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define if you cannot bind() before connect() for TCP sockets. */ #undef BROKEN_TCP_BIND_BEFORE_CONNECT +/* Define to 1 if you have the `capset' function. */ +#undef HAVE_CAPSET + /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H @@ -223,6 +226,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_CAPABILITY_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PARAM_H diff --git a/configure b/configure index 6eda18e149..0df76dc03e 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.422 2008/01/24 02:39:43 marka Exp $ +# $Id: configure,v 1.423 2008/01/30 04:49:59 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.437 . +# From configure.in Revision: 1.438 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61. # @@ -27490,7 +27490,8 @@ fi case "$enable_linux_caps" in yes|'') -for ac_header in linux/capability.h + +for ac_header in linux/capability.h sys/capability.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then @@ -27627,6 +27628,100 @@ _ACEOF fi +done + + +for ac_func in capset +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval echo '${'$as_ac_var'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi done ;; diff --git a/configure.in b/configure.in index c7a4d47d6a..a05b7f8e1d 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.437 $) +AC_REVISION($Revision: 1.438 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -1875,7 +1875,8 @@ AC_ARG_ENABLE(linux-caps, [ --disable-linux-caps disable linux capabilities]) case "$enable_linux_caps" in yes|'') - AC_CHECK_HEADERS(linux/capability.h) + AC_CHECK_HEADERS(linux/capability.h sys/capability.h) + AC_CHECK_FUNCS(capset) ;; no) ;;