From ef4eed2a2a8897bd4e5b19dd94f638e0861ebda5 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 14 Nov 2008 05:08:48 +0000
Subject: [PATCH] 2493.   [bug]           The linux capabilites code was not
 correctly cleaning                         up after itself. [RT #18767]

---
 CHANGES             |  3 +++
 bin/named/unix/os.c | 28 ++++++++++++++++++++++++----
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index de9e9f3629..0acb8c6204 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2493.	[bug]		The linux capabilites code was not correctly cleaning
+			up after itself. [RT #18767]
+
 2492.	[func]		Rndc status now reports the number of cpus discovered
 			and the number of worker threads when running
 			multi-threaded. [RT #18273]
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 15888c889e..d3b2ff3a1d 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.88 2008/11/06 05:30:24 marka Exp $ */
+/* $Id: os.c,v 1.89 2008/11/14 05:08:48 marka Exp $ */
 
 /*! \file */
 
@@ -196,7 +196,7 @@ linux_setcaps(cap_t caps) {
 	do { \
 		capval = (flag); \
 		cap_flag_value_t curval; \
-		err = cap_get_flag(cap_get_proc(), capval, CAP_PERMITTED, &curval); \
+		err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
 		if (err != -1 && curval) { \
 			err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
 			if (err == -1) { \
@@ -218,16 +218,27 @@ linux_setcaps(cap_t caps) {
 			isc__strerror(errno, strbuf, sizeof(strbuf)); \
 			ns_main_earlyfatal("cap_init failed: %s", strbuf); \
 		} \
+		curcaps = cap_get_proc(); \
+		if (curcaps == NULL) { \
+			isc__strerror(errno, strbuf, sizeof(strbuf)); \
+			ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
+		} \
+	} while (0)
+#define FREE_CAP \
+	{ \
+		cap_free(caps); \
+		cap_free(curcaps); \
 	} while (0)
 #else
-#define SET_CAP(flag) { caps |= (1 << (flag)); }
-#define INIT_CAP { caps = 0; }
+#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
+#define INIT_CAP do { caps = 0; } while (0)
 #endif /* HAVE_LIBCAP */
 
 static void
 linux_initialprivs(void) {
 	cap_t caps;
 #ifdef HAVE_LIBCAP
+	cap_t curcaps;
 	cap_value_t capval;
 	char strbuf[ISC_STRERRORSIZE];
 	int err;
@@ -281,12 +292,17 @@ linux_initialprivs(void) {
 	SET_CAP(CAP_SYS_RESOURCE);
 
 	linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+	FREE_CAP;
+#endif
 }
 
 static void
 linux_minprivs(void) {
 	cap_t caps;
 #ifdef HAVE_LIBCAP
+	cap_t curcaps;
 	cap_value_t capval;
 	char strbuf[ISC_STRERRORSIZE];
 	int err;
@@ -313,6 +329,10 @@ linux_minprivs(void) {
 	SET_CAP(CAP_SYS_RESOURCE);
 
 	linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+	FREE_CAP;
+#endif
 }
 
 #ifdef HAVE_SYS_PRCTL_H