f854f6 import dnsmasq-2.79-13.el8

Authored and Committed by centosrcm 4 years ago
    import dnsmasq-2.79-13.el8
    
        
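--- a/SOURCES/dnsmasq-2.81-optimize-fds-close.patch
+++ b/SOURCES/dnsmasq-2.81-optimize-fds-close.patch
@@ -0,0 +1,132 @@
+commit 98c6998116e33f9f34b798682e0695f4166bd86d
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon Mar 2 17:10:25 2020 +0000
+
+Optimise closing file descriptors.
+
+Dnsmasq needs to close all the file descriptors it inherits, for security
+reasons. This is traditionally done by calling close() on every possible
+file descriptor (most of which won't be open.) On big servers where
+"every possible file descriptor" is a rather large set, this gets
+rather slow, so we use the /proc/<pid>/fd directory to get a list
+of the fds which are acually open.
+
+This only works on Linux. On other platforms, and on Linux systems
+without a /proc filesystem, we fall back to the old way.
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 573aac0..10f19ea 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -138,20 +138,18 @@ int main (int argc, char **argv)
+}
+#endif
+
+- /* Close any file descriptors we inherited apart from std{in|out|err}
+-
+- Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
++ /* Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
+otherwise file descriptors we create can end up being 0, 1, or 2
+and then get accidentally closed later when we make 0, 1, and 2
+open to /dev/null. Normally we'll be started with 0, 1 and 2 open,
+but it's not guaranteed. By opening /dev/null three times, we
+ensure that we're not using those fds for real stuff. */
+- for (i = 0; i < max_fd; i++)
+- if (i != STDOUT_FILENO && i != STDERR_FILENO && i != STDIN_FILENO)
+- close(i);
+- else
+- open("/dev/null", O_RDWR);
+-
++ for (i = 0; i < 3; i++)
++ open("/dev/null", O_RDWR);
++
++ /* Close any file descriptors we inherited apart from std{in|out|err} */
++ close_fds(max_fd, -1, -1, -1);
++
+#ifndef HAVE_LINUX_NETWORK
+# if !(defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR))
+if (!option_bool(OPT_NOWILD))
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 6103eb5..c46bfeb 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1283,7 +1283,7 @@ int memcmp_masked(unsigned char *a, unsigned char *b, int len,
+int expand_buf(struct iovec *iov, size_t size);
+char *print_mac(char *buff, unsigned char *mac, int len);
+int read_write(int fd, unsigned char *packet, int size, int rw);
+-
++void close_fds(long max_fd, int spare1, int spare2, int spare3);
+int wildcard_match(const char* wildcard, const char* match);
+int wildcard_matchn(const char* wildcard, const char* match, int num);
+
+diff --git a/src/helper.c b/src/helper.c
+index 1b260a1..7072cf4 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -131,12 +131,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+Don't close err_fd, in case the lua-init fails.
+Note that we have to do this before lua init
+so we don't close any lua fds. */
+- for (max_fd--; max_fd >= 0; max_fd--)
+- if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO &&
+- max_fd != STDIN_FILENO && max_fd != pipefd[0] &&
+- max_fd != event_fd && max_fd != err_fd)
+- close(max_fd);
+-
++ close_fds(max_fd, pipefd[0], event_fd, err_fd);
++
+#ifdef HAVE_LUASCRIPT
+if (daemon->luascript)
+{
+diff --git a/src/util.c b/src/util.c
+index 73bf62a..f058c92 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -705,6 +705,47 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
+return 1;
+}
+
++/* close all fds except STDIN, STDOUT and STDERR, spare1, spare2 and spare3 */
++void close_fds(long max_fd, int spare1, int spare2, int spare3)
++{
++ /* On Linux, use the /proc/ filesystem to find which files
++ are actually open, rather than iterate over the whole space,
++ for efficiency reasons. If this fails we drop back to the dumb code. */
++#ifdef HAVE_LINUX_NETWORK
++ DIR *d;
++
++ if ((d = opendir("/proc/self/fd")))
++ {
++ struct dirent *de;
++
++ while ((de = readdir(d)))
++ {
++ long fd;
++ char *e = NULL;
++
++ errno = 0;
++ fd = strtol(de->d_name, &e, 10);
++
++ if (errno != 0 || !e || *e || fd == dirfd(d) ||
++ fd == STDOUT_FILENO || fd == STDERR_FILENO || fd == STDIN_FILENO ||
++ fd == spare1 || fd == spare2 || fd == spare3)
++ continue;
++
++ close(fd);
++ }
++
++ closedir(d);
++ return;
++ }
++#endif
++
++ /* fallback, dumb code. */
++ for (max_fd--; max_fd >= 0; max_fd--)
++ if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && max_fd != STDIN_FILENO &&
++ max_fd != spare1 && max_fd != spare2 && max_fd != spare3)
++ close(max_fd);
++}
++
+/* Basically match a string value against a wildcard pattern. */
+int wildcard_match(const char* wildcard, const char* match)
+{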
file modified
+9 -4
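--- a/SPECS/dnsmasq.spec
+++ b/SPECS/dnsmasq.spec
@@ -13,7 +13,7 @@
 
 Name: dnsmasq
 Version: 2.79
-Release: 11%{?extraversion:.%{extraversion}}%{?dist}.1
+Release: 13%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 
 License: GPLv2 or GPLv3
@@ -50,7 +50,8 @@ Patch17: dnsmasq-2.81-prefix-ranges-or-list-of-ipv6-addresses.patch
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
 Patch18: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
 Patch19: dnsmasq-2.81-correct-range-check-of-dhcp-host-prefix.patch
-Patch20: dnsmasq-2.81-rh1829448.patch
+Patch20: dnsmasq-2.81-optimize-fds-close.patch
+Patch21: dnsmasq-2.81-rh1829448.patch
 
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -103,7 +104,8 @@ server's leases.
 %patch17 -p1 -b .rh1779187-2
 %patch18 -p1 -b .rh1779187-3
 %patch19 -p1 -b .rh1779187-4
-%patch20 -p1 -b .rh1829448
+%patch20 -p1 -b .rh1816613
+%patch21 -p1 -b .rh1829448
 
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -204,9 +206,12 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 
 %changelog
-* Mon May 18 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11.1
+* Tue May 05 2020 Petr Menšík <pemensik@redhat.com> - 2.79-13
 - Fix mixed address family reservations on DHCP (#1829448)
 
+* Mon Mar 30 2020 Tomas Korbar <tkorbar@redhat.com> - 2.79-12
+- Minimize count of close syscalls on startup (#1816613)
+
 * Mon Mar 02 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11
 - Support multiple static leases for single mac on IPv6 (#1779187)
 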