2493. [bug] The linux capabilites code was not correctly cleaning

                        up after itself. [RT #18767]

diff --git a/CHANGES b/CHANGES
index de9e9f362902ecfb329d1b813d3c0b72eeaabfbb..0acb8c620459ceb0d690562e081a27f38465c4d7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2493.  [bug]           The linux capabilites code was not correctly cleaning
+                       up after itself. [RT #18767]
+
 2492.  [func]          Rndc status now reports the number of cpus discovered
                        and the number of worker threads when running
                        multi-threaded. [RT #18273]

diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 15888c889e13f9b3cd36a4e0fc43f7d9d79b6842..d3b2ff3a1d592a9a6edf2f220b22246ec0ea6d4a 100644 (file)
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.88 2008/11/06 05:30:24 marka Exp $ */
+/* $Id: os.c,v 1.89 2008/11/14 05:08:48 marka Exp $ */
 
 /*! \file */
 
@@ -196,7 +196,7 @@ linux_setcaps(cap_t caps) {
        do { \
                capval = (flag); \
                cap_flag_value_t curval; \
-               err = cap_get_flag(cap_get_proc(), capval, CAP_PERMITTED, &curval); \
+               err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
                if (err != -1 && curval) { \
                        err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
                        if (err == -1) { \
@@ -218,16 +218,27 @@ linux_setcaps(cap_t caps) {
                        isc__strerror(errno, strbuf, sizeof(strbuf)); \
                        ns_main_earlyfatal("cap_init failed: %s", strbuf); \
                } \
+               curcaps = cap_get_proc(); \
+               if (curcaps == NULL) { \
+                       isc__strerror(errno, strbuf, sizeof(strbuf)); \
+                       ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
+               } \
+       } while (0)
+#define FREE_CAP \
+       { \
+               cap_free(caps); \
+               cap_free(curcaps); \
        } while (0)
 #else
-#define SET_CAP(flag) { caps |= (1 << (flag)); }
-#define INIT_CAP { caps = 0; }
+#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
+#define INIT_CAP do { caps = 0; } while (0)
 #endif /* HAVE_LIBCAP */
 
 static void
 linux_initialprivs(void) {
        cap_t caps;
 #ifdef HAVE_LIBCAP
+       cap_t curcaps;
        cap_value_t capval;
        char strbuf[ISC_STRERRORSIZE];
        int err;
@@ -281,12 +292,17 @@ linux_initialprivs(void) {
        SET_CAP(CAP_SYS_RESOURCE);
 
        linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+       FREE_CAP;
+#endif
 }
 
 static void
 linux_minprivs(void) {
        cap_t caps;
 #ifdef HAVE_LIBCAP
+       cap_t curcaps;
        cap_value_t capval;
        char strbuf[ISC_STRERRORSIZE];
        int err;
@@ -313,6 +329,10 @@ linux_minprivs(void) {
        SET_CAP(CAP_SYS_RESOURCE);
 
        linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+       FREE_CAP;
+#endif
 }
 
 #ifdef HAVE_SYS_PRCTL_H