From 0 Mon Sep 17 00:00:00 2001
From: Mikhail Efremov <sem@altlinux.org>
Date: Wed, 5 Dec 2018 15:34:42 +0300
Subject: [PATCH 2] alt-owl-chroot


diff --git a/bind/bin/named/server.c b/bind/bin/named/server.c
index defaced..defaced 100644
--- a/bind/bin/named/server.c
+++ b/bind/bin/named/server.c
@@ -8292,8 +8292,13 @@ load_configuration(const char *filename, ns_server_t *server,
 		} else {
 			const char *randomdev = cfg_obj_asstring(obj);
 			int level = ISC_LOG_ERROR;
-			result = isc_entropy_createfilesource(ns_g_entropy,
+			if (strcmp(randomdev, PATH_RANDOMDEV)) {
+				result = isc_entropy_createfilesource(ns_g_entropy,
 							      randomdev);
+			} else {
+				result = isc_entropy_createfilefd(ns_g_entropy,
+							      ns_os_open_randomdev(), false, false);
+			}
 #ifdef PATH_RANDOMDEV
 			if (ns_g_fallbackentropy != NULL) {
 				level = ISC_LOG_INFO;
@@ -8349,14 +8354,6 @@ load_configuration(const char *filename, ns_server_t *server,
 		ns_os_changeuser();
 	}
 
-	/*
-	 * Check that the working directory is writable.
-	 */
-	if (!isc_file_isdirwritable(".")) {
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
-			      "the working directory is not writable");
-	}
 
 #ifdef HAVE_LMDB
 	/*
diff --git a/bind/bin/named/unix/include/named/os.h b/bind/bin/named/unix/include/named/os.h
index defaced..defaced 100644
--- a/bind/bin/named/unix/include/named/os.h
+++ b/bind/bin/named/unix/include/named/os.h
@@ -52,6 +52,9 @@ ns_os_minprivs(void);
 FILE *
 ns_os_openfile(const char *filename, mode_t mode, bool switch_user);
 
+int
+ns_os_open_randomdev(void);
+
 void
 ns_os_writepidfile(const char *filename, bool first_time);
 
diff --git a/bind/bin/named/unix/os.c b/bind/bin/named/unix/os.c
index defaced..defaced 100644
--- a/bind/bin/named/unix/os.c
+++ b/bind/bin/named/unix/os.c
@@ -425,6 +425,20 @@ ns_os_init(const char *progname) {
 #endif
 }
 
+int
+ns_os_open_randomdev (void)
+{
+	static int fd = -1;
+
+#ifdef PATH_RANDOMDEV
+	if (fd < 0) {
+		fd = open(PATH_RANDOMDEV, O_RDONLY | O_NONBLOCK, 0);
+	}
+#endif
+
+	return fd;
+}
+
 void
 ns_os_daemonize(void) {
 	pid_t pid;
@@ -548,6 +562,7 @@ ns_os_chroot(const char *root) {
 #endif
 	if (root != NULL) {
 #ifdef HAVE_CHROOT
+		ns_os_open_randomdev();
 		if (chroot(root) < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			ns_main_earlyfatal("chroot(): %s", strbuf);
diff --git a/bind/lib/isc/include/isc/entropy.h b/bind/lib/isc/include/isc/entropy.h
index defaced..defaced 100644
--- a/bind/lib/isc/include/isc/entropy.h
+++ b/bind/lib/isc/include/isc/entropy.h
@@ -165,6 +165,9 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
  * The file will never be opened/read again once EOF is reached.
  */
 
+isc_result_t
+isc_entropy_createfilefd(isc_entropy_t *ent, int fd, bool is_usocket, bool is_connected);
+
 void
 isc_entropy_destroysource(isc_entropysource_t **sourcep);
 /*!<
diff --git a/bind/lib/isc/unix/entropy.c b/bind/lib/isc/unix/entropy.c
index defaced..defaced 100644
--- a/bind/lib/isc/unix/entropy.c
+++ b/bind/lib/isc/unix/entropy.c
@@ -483,23 +483,85 @@ make_nonblock(int fd) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+isc_entropy_createfilefd(isc_entropy_t *ent, int fd, bool is_usocket, bool is_connected) {
+	isc_result_t ret;
+	isc_entropysource_t *source;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(fd >= 0);
+
+	LOCK(&ent->lock);
+
+	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+	if (source == NULL) {
+		(void) close(fd);
+		UNLOCK(&ent->lock);
+		return ISC_R_NOMEMORY;
+	}
+
+	ret = make_nonblock(fd);
+	if (ret != ISC_R_SUCCESS) {
+		goto closefd;
+	}
+	/*
+	 * From here down, no failures can occur.
+	 */
+	source->magic = SOURCE_MAGIC;
+	source->ent = ent;
+	source->total = 0;
+	source->bad = false;
+	memset(source->name, 0, sizeof(source->name));
+	ISC_LINK_INIT(source, link);
+	if (is_usocket) {
+		source->sources.usocket.handle = fd;
+		if (is_connected) {
+			source->sources.usocket.status =
+					isc_usocketsource_connected;
+		} else {
+			source->sources.usocket.status =
+					isc_usocketsource_connecting;
+		}
+		source->sources.usocket.sz_to_recv = 0;
+		source->type = ENTROPY_SOURCETYPE_USOCKET;
+	} else {
+		source->sources.file.handle = fd;
+		source->type = ENTROPY_SOURCETYPE_FILE;
+	}
+
+	/*
+	 * Hook it into the entropy system.
+	 */
+	ISC_LIST_APPEND(ent->sources, source, link);
+	ent->nsources++;
+
+	UNLOCK(&ent->lock);
+	return (ISC_R_SUCCESS);
+
+ closefd:
+	(void)close(fd);
+
+	if (source != NULL) {
+		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+	}
+
+	UNLOCK(&ent->lock);
+
+	return (ret);
+}
+
 isc_result_t
 isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
-	int fd;
 	struct stat _stat;
 	bool is_usocket = false;
 	bool is_connected = false;
-	isc_result_t ret;
-	isc_entropysource_t *source;
+	int fd;
 
 	REQUIRE(VALID_ENTROPY(ent));
 	REQUIRE(fname != NULL);
 
-	LOCK(&ent->lock);
-
 	if (stat(fname, &_stat) < 0) {
-		ret = isc__errno2result(errno);
-		goto errout;
+		return isc__errno2result(errno);
 	}
 	/*
 	 * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
@@ -522,14 +584,9 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 		fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
 
 	if (fd < 0) {
-		ret = isc__errno2result(errno);
-		goto errout;
+		return isc__errno2result(errno);
 	}
 
-	ret = make_nonblock(fd);
-	if (ret != ISC_R_SUCCESS)
-		goto closefd;
-
 	if (is_usocket) {
 		struct sockaddr_un sname;
 
@@ -547,57 +604,12 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 		if (connect(fd, (struct sockaddr *) &sname,
 			    sizeof(struct sockaddr_un)) < 0) {
 			if (errno != EINPROGRESS) {
-				ret = isc__errno2result(errno);
-				goto closefd;
+				(void) close(fd);
+				return isc__errno2result(errno);
 			}
 		} else
 			is_connected = true;
 	}
 
-	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
-	if (source == NULL) {
-		ret = ISC_R_NOMEMORY;
-		goto closefd;
-	}
-
-	/*
-	 * From here down, no failures can occur.
-	 */
-	source->magic = SOURCE_MAGIC;
-	source->ent = ent;
-	source->total = 0;
-	source->bad = false;
-	memset(source->name, 0, sizeof(source->name));
-	ISC_LINK_INIT(source, link);
-	if (is_usocket) {
-		source->sources.usocket.handle = fd;
-		if (is_connected)
-			source->sources.usocket.status =
-					isc_usocketsource_connected;
-		else
-			source->sources.usocket.status =
-					isc_usocketsource_connecting;
-		source->sources.usocket.sz_to_recv = 0;
-		source->type = ENTROPY_SOURCETYPE_USOCKET;
-	} else {
-		source->sources.file.handle = fd;
-		source->type = ENTROPY_SOURCETYPE_FILE;
-	}
-
-	/*
-	 * Hook it into the entropy system.
-	 */
-	ISC_LIST_APPEND(ent->sources, source, link);
-	ent->nsources++;
-
-	UNLOCK(&ent->lock);
-	return (ISC_R_SUCCESS);
-
- closefd:
-	(void)close(fd);
-
- errout:
-	UNLOCK(&ent->lock);
-
-	return (ret);
+	return isc_entropy_createfilefd(ent, fd, is_usocket, is_connected);
 }