Пакет: libisc-export-dhcp
Патч: 0002-alt-owl-chroot.patch
From 0 Mon Sep 17 00:00:00 2001
From: Mikhail Efremov <sem@altlinux.org>
Date: Wed, 5 Dec 2018 15:34:42 +0300
Subject: [PATCH 2] alt-owl-chroot
diff --git a/bind/bin/named/server.c b/bind/bin/named/server.c
index defaced..defaced 100644
--- a/bind/bin/named/server.c
+++ b/bind/bin/named/server.c
@@ -8292,8 +8292,13 @@ load_configuration(const char *filename, ns_server_t *server,
} else {
const char *randomdev = cfg_obj_asstring(obj);
int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
+ if (strcmp(randomdev, PATH_RANDOMDEV)) {
+ result = isc_entropy_createfilesource(ns_g_entropy,
randomdev);
+ } else {
+ result = isc_entropy_createfilefd(ns_g_entropy,
+ ns_os_open_randomdev(), false, false);
+ }
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
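Review bot: `ns_os_open_randomdev()` can return -1 — its cached descriptor stays -1 when `PATH_RANDOMDEV` is undefined or the `open()` in os.c fails — and the new call at L24-L25 passes that straight into `isc_entropy_createfilefd()`, whose `REQUIRE(fd >= 0)` in the entropy.c hunk turns a missing random device into an assertion abort instead of the logged error the old path produced. The `strcmp(randomdev, PATH_RANDOMDEV)` at L20 also sits outside the `#ifdef PATH_RANDOMDEV` that the code two lines below honors, so a build without that macro no longer compiles. Check the descriptor first and fall back to `isc_entropy_createfilesource()` so the existing error logging still applies; the rest of `load_configuration()` lies outside the hunk. The same unchecked-descriptor assumption recurs at the `ns_os_chroot()` hunk and in the `isc_entropy_createfilefd()` hunk.
```c
	} else {
		const char *randomdev = cfg_obj_asstring(obj);
		int level = ISC_LOG_ERROR;
		int rfd = -1;
#ifdef PATH_RANDOMDEV
		/* The device was opened before chroot(); reuse that descriptor. */
		if (strcmp(randomdev, PATH_RANDOMDEV) == 0) {
			rfd = ns_os_open_randomdev();
		}
#endif
		if (rfd >= 0) {
			result = isc_entropy_createfilefd(ns_g_entropy, rfd,
							  false, false);
		} else {
			/* No pre-opened device: keep the original path-based
			 * source so its error reporting still applies. */
			result = isc_entropy_createfilesource(ns_g_entropy,
							      randomdev);
		}
		/* … unchanged: fallback-entropy log level handling … */
```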
@@ -8349,14 +8354,6 @@ load_configuration(const char *filename, ns_server_t *server,
ns_os_changeuser();
}
- /*
- * Check that the working directory is writable.
- */
- if (!isc_file_isdirwritable(".")) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "the working directory is not writable");
- }
#ifdef HAVE_LMDB
/*
diff --git a/bind/bin/named/unix/include/named/os.h b/bind/bin/named/unix/include/named/os.h
index defaced..defaced 100644
--- a/bind/bin/named/unix/include/named/os.h
+++ b/bind/bin/named/unix/include/named/os.h
@@ -52,6 +52,9 @@ ns_os_minprivs(void);
FILE *
ns_os_openfile(const char *filename, mode_t mode, bool switch_user);
+int
+ns_os_open_randomdev(void);
+
void
ns_os_writepidfile(const char *filename, bool first_time);
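Review bot: The new `ns_os_open_randomdev()` prototype carries no comment, and nothing in the header tells a caller that the descriptor is opened once, cached in a static, and meant to be obtained before `chroot()`. A line such as `/* Open PATH_RANDOMDEV once (call before chroot()) and return the cached descriptor, or -1 if it is unavailable. */` above the declaration would make that contract visible. Whether the caller or the entropy source owns the returned descriptor is not stated either; the os.c hunk should settle that and the comment should say so.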
diff --git a/bind/bin/named/unix/os.c b/bind/bin/named/unix/os.c
index defaced..defaced 100644
--- a/bind/bin/named/unix/os.c
+++ b/bind/bin/named/unix/os.c
@@ -425,6 +425,20 @@ ns_os_init(const char *progname) {
#endif
}
+int
+ns_os_open_randomdev (void)
+{
+ static int fd = -1;
+
+#ifdef PATH_RANDOMDEV
+ if (fd < 0) {
+ fd = open(PATH_RANDOMDEV, O_RDONLY | O_NONBLOCK, 0);
+ }
+#endif
+
+ return fd;
+}
+
void
ns_os_daemonize(void) {
pid_t pid;
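Review bot: The static `fd` at L65 is kept for the life of the process, yet the same number is handed to `isc_entropy_createfilefd()`, which closes it on every failure path (and, presumably, when the source is destroyed); after that the cache still holds a descriptor number that may by then refer to an unrelated file, and the next call — a configuration reload, for instance — returns it as the random device. Returning a `dup()` of the cached descriptor gives each consumer its own descriptor and still works after `chroot()`, since `dup()` needs no path. Opening with `O_CLOEXEC` (and duplicating via `F_DUPFD_CLOEXEC`) would additionally keep a long-lived descriptor from leaking into any child process, though nothing on the page shows one being spawned. Minor style: `ns_os_open_randomdev (void)` with the brace on its own line differs from the file's `ns_os_daemonize(void) {` form at L77.
```c
int
ns_os_open_randomdev(void) {
	static int fd = -1;

#ifdef PATH_RANDOMDEV
	if (fd < 0) {
		fd = open(PATH_RANDOMDEV, O_RDONLY | O_NONBLOCK, 0);
	}
#endif
	/*
	 * Hand out a private copy: isc_entropy_createfilefd() closes the
	 * descriptor it is given, and the cached one must outlive it.
	 */
	return (fd < 0) ? -1 : dup(fd);
}
```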
@@ -548,6 +562,7 @@ ns_os_chroot(const char *root) {
#endif
if (root != NULL) {
#ifdef HAVE_CHROOT
+ ns_os_open_randomdev();
if (chroot(root) < 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
ns_main_earlyfatal("chroot(): %s", strbuf);
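Review bot: The return value of `ns_os_open_randomdev()` at L83 is discarded, so a failed `open()` of the random device is silent at the only point where the path is still reachable, and the failure only surfaces later as an unusable descriptor. Logging it in the file's own style, `if (ns_os_open_randomdev() < 0) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlywarning("cannot open random device: %s", strbuf); }`, keeps the check non-fatal while leaving an operator a reason in the log; `strbuf` is already in scope at L85. Because the function returns -1 without calling `open()` when `PATH_RANDOMDEV` is undefined, the warning belongs inside the same `#ifdef` so that `errno` is meaningful. `ns_os_chroot()` begins outside the hunk.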
diff --git a/bind/lib/isc/include/isc/entropy.h b/bind/lib/isc/include/isc/entropy.h
index defaced..defaced 100644
--- a/bind/lib/isc/include/isc/entropy.h
+++ b/bind/lib/isc/include/isc/entropy.h
@@ -165,6 +165,9 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
* The file will never be opened/read again once EOF is reached.
*/
+isc_result_t
+isc_entropy_createfilefd(isc_entropy_t *ent, int fd, bool is_usocket, bool is_connected);
+
void
isc_entropy_destroysource(isc_entropysource_t **sourcep);
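Review bot: `isc_entropy_createfilefd()` is added without the `/*!<` documentation its neighbours in this header carry (L92-L93, L99), and its ownership rule is the non-obvious part: the entropy.c hunk shows it closing `fd` on every failure path and asserting `fd >= 0`. A comment such as `/*!< \brief Register an already-open descriptor as an entropy source. Takes ownership of fd, which is closed on every failure path; fd must be >= 0 (REQUIRE). is_usocket/is_connected select the unix-socket source and its initial status. */` would tell callers not to reuse or close the descriptor themselves.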
/*!<
diff --git a/bind/lib/isc/unix/entropy.c b/bind/lib/isc/unix/entropy.c
index defaced..defaced 100644
--- a/bind/lib/isc/unix/entropy.c
+++ b/bind/lib/isc/unix/entropy.c
@@ -483,23 +483,85 @@ make_nonblock(int fd) {
return (ISC_R_SUCCESS);
}
+isc_result_t
+isc_entropy_createfilefd(isc_entropy_t *ent, int fd, bool is_usocket, bool is_connected) {
+ isc_result_t ret;
+ isc_entropysource_t *source;
+
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(fd >= 0);
+
+ LOCK(&ent->lock);
+
+ source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+ if (source == NULL) {
+ (void) close(fd);
+ UNLOCK(&ent->lock);
+ return ISC_R_NOMEMORY;
+ }
+
+ ret = make_nonblock(fd);
+ if (ret != ISC_R_SUCCESS) {
+ goto closefd;
+ }
+ /*
+ * From here down, no failures can occur.
+ */
+ source->magic = SOURCE_MAGIC;
+ source->ent = ent;
+ source->total = 0;
+ source->bad = false;
+ memset(source->name, 0, sizeof(source->name));
+ ISC_LINK_INIT(source, link);
+ if (is_usocket) {
+ source->sources.usocket.handle = fd;
+ if (is_connected) {
+ source->sources.usocket.status =
+ isc_usocketsource_connected;
+ } else {
+ source->sources.usocket.status =
+ isc_usocketsource_connecting;
+ }
+ source->sources.usocket.sz_to_recv = 0;
+ source->type = ENTROPY_SOURCETYPE_USOCKET;
+ } else {
+ source->sources.file.handle = fd;
+ source->type = ENTROPY_SOURCETYPE_FILE;
+ }
+
+ /*
+ * Hook it into the entropy system.
+ */
+ ISC_LIST_APPEND(ent->sources, source, link);
+ ent->nsources++;
+
+ UNLOCK(&ent->lock);
+ return (ISC_R_SUCCESS);
+
+ closefd:
+ (void)close(fd);
+
+ if (source != NULL) {
+ isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+ }
+
+ UNLOCK(&ent->lock);
+
+ return (ret);
+}
+
isc_result_t
isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
- int fd;
struct stat _stat;
bool is_usocket = false;
bool is_connected = false;
- isc_result_t ret;
- isc_entropysource_t *source;
+ int fd;
REQUIRE(VALID_ENTROPY(ent));
REQUIRE(fname != NULL);
- LOCK(&ent->lock);
-
if (stat(fname, &_stat) < 0) {
- ret = isc__errno2result(errno);
- goto errout;
+ return isc__errno2result(errno);
}
/*
* Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
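Review bot: The `if (source != NULL)` guard at L165 is dead: the only path to `closefd` is the `make_nonblock()` failure at L125-L127, and `source` was verified non-NULL at L118-L122 before that, so the label block can simply be `(void)close(fd); isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t)); UNLOCK(&ent->lock);`. Keeping a conditional there suggests a path that does not exist and sends the next reader looking for it. The `REQUIRE(fd >= 0)` at L113 is the only check on the descriptor, so it is an assertion contract for callers rather than an error return; a one-line comment stating that would save callers from passing a failed `open()` result.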
@@ -522,14 +584,9 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
if (fd < 0) {
- ret = isc__errno2result(errno);
- goto errout;
+ return isc__errno2result(errno);
}
- ret = make_nonblock(fd);
- if (ret != ISC_R_SUCCESS)
- goto closefd;
-
if (is_usocket) {
struct sockaddr_un sname;
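Review bot: Removing `make_nonblock(fd)` at L201-L203 moves the non-blocking switch into `isc_entropy_createfilefd()`, which now runs only after the `connect()` in the following hunk; previously the socket was made non-blocking before connecting, which is what the `EINPROGRESS` branch there relies on. The socket-creation lines between L205 and the next hunk are not visible, so confirm whether that descriptor is already non-blocking; if it is not, the `connect()` may block and the `EINPROGRESS` path becomes unreachable. Restoring the call here for the socket branch, `ret = make_nonblock(fd); if (ret != ISC_R_SUCCESS) { (void)close(fd); return (ret); }` (with a local `isc_result_t ret`), keeps the old ordering, and the second call inside the new helper is presumably harmless on an already non-blocking descriptor.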
@@ -547,57 +604,12 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
if (connect(fd, (struct sockaddr *) &sname,
sizeof(struct sockaddr_un)) < 0) {
if (errno != EINPROGRESS) {
- ret = isc__errno2result(errno);
- goto closefd;
+ (void) close(fd);
+ return isc__errno2result(errno);
}
} else
is_connected = true;
}
- source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
- if (source == NULL) {
- ret = ISC_R_NOMEMORY;
- goto closefd;
- }
-
- /*
- * From here down, no failures can occur.
- */
- source->magic = SOURCE_MAGIC;
- source->ent = ent;
- source->total = 0;
- source->bad = false;
- memset(source->name, 0, sizeof(source->name));
- ISC_LINK_INIT(source, link);
- if (is_usocket) {
- source->sources.usocket.handle = fd;
- if (is_connected)
- source->sources.usocket.status =
- isc_usocketsource_connected;
- else
- source->sources.usocket.status =
- isc_usocketsource_connecting;
- source->sources.usocket.sz_to_recv = 0;
- source->type = ENTROPY_SOURCETYPE_USOCKET;
- } else {
- source->sources.file.handle = fd;
- source->type = ENTROPY_SOURCETYPE_FILE;
- }
-
- /*
- * Hook it into the entropy system.
- */
- ISC_LIST_APPEND(ent->sources, source, link);
- ent->nsources++;
-
- UNLOCK(&ent->lock);
- return (ISC_R_SUCCESS);
-
- closefd:
- (void)close(fd);
-
- errout:
- UNLOCK(&ent->lock);
-
- return (ret);
+ return isc_entropy_createfilefd(ent, fd, is_usocket, is_connected);
}
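Review bot: At L213-L214 `close(fd)` runs before `isc__errno2result(errno)` reads `errno`, so a failing `close()` (or any errno change it makes) replaces the `connect()` error the caller should see; the removed code saved `ret` first for exactly that reason. Capture the result before closing: `isc_result_t ret = isc__errno2result(errno); (void)close(fd); return (ret);`. The earlier `open()` failure at L199 is fine because nothing runs between the failing call and the read.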