import dnsmasq-2.79-13.el8
This commit is contained in:
parent
b329adf800
commit
7b92db154a
132
SOURCES/dnsmasq-2.81-optimize-fds-close.patch
Normal file
132
SOURCES/dnsmasq-2.81-optimize-fds-close.patch
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
commit 98c6998116e33f9f34b798682e0695f4166bd86d
|
||||||
|
Author: Simon Kelley <simon@thekelleys.org.uk>
|
||||||
|
Date: Mon Mar 2 17:10:25 2020 +0000
|
||||||
|
|
||||||
|
Optimise closing file descriptors.
|
||||||
|
|
||||||
|
Dnsmasq needs to close all the file descriptors it inherits, for security
|
||||||
|
reasons. This is traditionally done by calling close() on every possible
|
||||||
|
file descriptor (most of which won't be open.) On big servers where
|
||||||
|
"every possible file descriptor" is a rather large set, this gets
|
||||||
|
rather slow, so we use the /proc/<pid>/fd directory to get a list
|
||||||
|
of the fds which are acually open.
|
||||||
|
|
||||||
|
This only works on Linux. On other platforms, and on Linux systems
|
||||||
|
without a /proc filesystem, we fall back to the old way.
|
||||||
|
|
||||||
|
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
||||||
|
index 573aac0..10f19ea 100644
|
||||||
|
--- a/src/dnsmasq.c
|
||||||
|
+++ b/src/dnsmasq.c
|
||||||
|
@@ -138,20 +138,18 @@ int main (int argc, char **argv)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- /* Close any file descriptors we inherited apart from std{in|out|err}
|
||||||
|
-
|
||||||
|
- Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
|
||||||
|
+ /* Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
|
||||||
|
otherwise file descriptors we create can end up being 0, 1, or 2
|
||||||
|
and then get accidentally closed later when we make 0, 1, and 2
|
||||||
|
open to /dev/null. Normally we'll be started with 0, 1 and 2 open,
|
||||||
|
but it's not guaranteed. By opening /dev/null three times, we
|
||||||
|
ensure that we're not using those fds for real stuff. */
|
||||||
|
- for (i = 0; i < max_fd; i++)
|
||||||
|
- if (i != STDOUT_FILENO && i != STDERR_FILENO && i != STDIN_FILENO)
|
||||||
|
- close(i);
|
||||||
|
- else
|
||||||
|
- open("/dev/null", O_RDWR);
|
||||||
|
-
|
||||||
|
+ for (i = 0; i < 3; i++)
|
||||||
|
+ open("/dev/null", O_RDWR);
|
||||||
|
+
|
||||||
|
+ /* Close any file descriptors we inherited apart from std{in|out|err} */
|
||||||
|
+ close_fds(max_fd, -1, -1, -1);
|
||||||
|
+
|
||||||
|
#ifndef HAVE_LINUX_NETWORK
|
||||||
|
# if !(defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR))
|
||||||
|
if (!option_bool(OPT_NOWILD))
|
||||||
|
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||||||
|
index 6103eb5..c46bfeb 100644
|
||||||
|
--- a/src/dnsmasq.h
|
||||||
|
+++ b/src/dnsmasq.h
|
||||||
|
@@ -1283,7 +1283,7 @@ int memcmp_masked(unsigned char *a, unsigned char *b, int len,
|
||||||
|
int expand_buf(struct iovec *iov, size_t size);
|
||||||
|
char *print_mac(char *buff, unsigned char *mac, int len);
|
||||||
|
int read_write(int fd, unsigned char *packet, int size, int rw);
|
||||||
|
-
|
||||||
|
+void close_fds(long max_fd, int spare1, int spare2, int spare3);
|
||||||
|
int wildcard_match(const char* wildcard, const char* match);
|
||||||
|
int wildcard_matchn(const char* wildcard, const char* match, int num);
|
||||||
|
|
||||||
|
diff --git a/src/helper.c b/src/helper.c
|
||||||
|
index 1b260a1..7072cf4 100644
|
||||||
|
--- a/src/helper.c
|
||||||
|
+++ b/src/helper.c
|
||||||
|
@@ -131,12 +131,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
|
||||||
|
Don't close err_fd, in case the lua-init fails.
|
||||||
|
Note that we have to do this before lua init
|
||||||
|
so we don't close any lua fds. */
|
||||||
|
- for (max_fd--; max_fd >= 0; max_fd--)
|
||||||
|
- if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO &&
|
||||||
|
- max_fd != STDIN_FILENO && max_fd != pipefd[0] &&
|
||||||
|
- max_fd != event_fd && max_fd != err_fd)
|
||||||
|
- close(max_fd);
|
||||||
|
-
|
||||||
|
+ close_fds(max_fd, pipefd[0], event_fd, err_fd);
|
||||||
|
+
|
||||||
|
#ifdef HAVE_LUASCRIPT
|
||||||
|
if (daemon->luascript)
|
||||||
|
{
|
||||||
|
diff --git a/src/util.c b/src/util.c
|
||||||
|
index 73bf62a..f058c92 100644
|
||||||
|
--- a/src/util.c
|
||||||
|
+++ b/src/util.c
|
||||||
|
@@ -705,6 +705,47 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* close all fds except STDIN, STDOUT and STDERR, spare1, spare2 and spare3 */
|
||||||
|
+void close_fds(long max_fd, int spare1, int spare2, int spare3)
|
||||||
|
+{
|
||||||
|
+ /* On Linux, use the /proc/ filesystem to find which files
|
||||||
|
+ are actually open, rather than iterate over the whole space,
|
||||||
|
+ for efficiency reasons. If this fails we drop back to the dumb code. */
|
||||||
|
+#ifdef HAVE_LINUX_NETWORK
|
||||||
|
+ DIR *d;
|
||||||
|
+
|
||||||
|
+ if ((d = opendir("/proc/self/fd")))
|
||||||
|
+ {
|
||||||
|
+ struct dirent *de;
|
||||||
|
+
|
||||||
|
+ while ((de = readdir(d)))
|
||||||
|
+ {
|
||||||
|
+ long fd;
|
||||||
|
+ char *e = NULL;
|
||||||
|
+
|
||||||
|
+ errno = 0;
|
||||||
|
+ fd = strtol(de->d_name, &e, 10);
|
||||||
|
+
|
||||||
|
+ if (errno != 0 || !e || *e || fd == dirfd(d) ||
|
||||||
|
+ fd == STDOUT_FILENO || fd == STDERR_FILENO || fd == STDIN_FILENO ||
|
||||||
|
+ fd == spare1 || fd == spare2 || fd == spare3)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ close(fd);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ closedir(d);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ /* fallback, dumb code. */
|
||||||
|
+ for (max_fd--; max_fd >= 0; max_fd--)
|
||||||
|
+ if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && max_fd != STDIN_FILENO &&
|
||||||
|
+ max_fd != spare1 && max_fd != spare2 && max_fd != spare3)
|
||||||
|
+ close(max_fd);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Basically match a string value against a wildcard pattern. */
|
||||||
|
int wildcard_match(const char* wildcard, const char* match)
|
||||||
|
{
|
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.79
|
Version: 2.79
|
||||||
Release: 11%{?extraversion:.%{extraversion}}%{?dist}.1
|
Release: 13%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -50,7 +50,8 @@ Patch17: dnsmasq-2.81-prefix-ranges-or-list-of-ipv6-addresses.patch
|
|||||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
|
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
|
||||||
Patch18: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
|
Patch18: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
|
||||||
Patch19: dnsmasq-2.81-correct-range-check-of-dhcp-host-prefix.patch
|
Patch19: dnsmasq-2.81-correct-range-check-of-dhcp-host-prefix.patch
|
||||||
Patch20: dnsmasq-2.81-rh1829448.patch
|
Patch20: dnsmasq-2.81-optimize-fds-close.patch
|
||||||
|
Patch21: dnsmasq-2.81-rh1829448.patch
|
||||||
|
|
||||||
# This is workaround to nettle bug #1549190
|
# This is workaround to nettle bug #1549190
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||||
@ -103,7 +104,8 @@ server's leases.
|
|||||||
%patch17 -p1 -b .rh1779187-2
|
%patch17 -p1 -b .rh1779187-2
|
||||||
%patch18 -p1 -b .rh1779187-3
|
%patch18 -p1 -b .rh1779187-3
|
||||||
%patch19 -p1 -b .rh1779187-4
|
%patch19 -p1 -b .rh1779187-4
|
||||||
%patch20 -p1 -b .rh1829448
|
%patch20 -p1 -b .rh1816613
|
||||||
|
%patch21 -p1 -b .rh1829448
|
||||||
|
|
||||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||||
@ -204,9 +206,12 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon May 18 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11.1
|
* Tue May 05 2020 Petr Menšík <pemensik@redhat.com> - 2.79-13
|
||||||
- Fix mixed address family reservations on DHCP (#1829448)
|
- Fix mixed address family reservations on DHCP (#1829448)
|
||||||
|
|
||||||
|
* Mon Mar 30 2020 Tomas Korbar <tkorbar@redhat.com> - 2.79-12
|
||||||
|
- Minimize count of close syscalls on startup (#1816613)
|
||||||
|
|
||||||
* Mon Mar 02 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11
|
* Mon Mar 02 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11
|
||||||
- Support multiple static leases for single mac on IPv6 (#1779187)
|
- Support multiple static leases for single mac on IPv6 (#1779187)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user