f854f6
import dnsmasq-2.79-13.el8
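--- /dev/null
+++ b/dnsmasq-2.81-optimize-fds-close.patch
@@ -0,0 +1,132 @@
+commit 98c6998116e33f9f34b798682e0695f4166bd86d
+Author: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon Mar 2 17:10:25 2020 +0000
+
+Optimise closing file descriptors.
+
+Dnsmasq needs to close all the file descriptors it inherits, for security
+reasons. This is traditionally done by calling close() on every possible
+file descriptor (most of which won't be open.) On big servers where
+"every possible file descriptor" is a rather large set, this gets
+rather slow, so we use the /proc/<pid>/fd directory to get a list
+of the fds which are acually open.
+
+This only works on Linux. On other platforms, and on Linux systems
+without a /proc filesystem, we fall back to the old way.
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 573aac0..10f19ea 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -138,20 +138,18 @@ int main (int argc, char **argv)
+}
+#endif
+
+- /* Close any file descriptors we inherited apart from std{in|out|err}
+-
+- Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
++ /* Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
+otherwise file descriptors we create can end up being 0, 1, or 2
+and then get accidentally closed later when we make 0, 1, and 2
+open to /dev/null. Normally we'll be started with 0, 1 and 2 open,
+but it's not guaranteed. By opening /dev/null three times, we
+ensure that we're not using those fds for real stuff. */
+- for (i = 0; i < max_fd; i++)
+- if (i != STDOUT_FILENO && i != STDERR_FILENO && i != STDIN_FILENO)
+- close(i);
+- else
+- open("/dev/null", O_RDWR);
+-
++ for (i = 0; i < 3; i++)
++ open("/dev/null", O_RDWR);
++
++ /* Close any file descriptors we inherited apart from std{in|out|err} */
++ close_fds(max_fd, -1, -1, -1);
++
+#ifndef HAVE_LINUX_NETWORK
+# if !(defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR))
+if (!option_bool(OPT_NOWILD))
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 6103eb5..c46bfeb 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1283,7 +1283,7 @@ int memcmp_masked(unsigned char *a, unsigned char *b, int len,
+int expand_buf(struct iovec *iov, size_t size);
+char *print_mac(char *buff, unsigned char *mac, int len);
+int read_write(int fd, unsigned char *packet, int size, int rw);
+-
++void close_fds(long max_fd, int spare1, int spare2, int spare3);
+int wildcard_match(const char* wildcard, const char* match);
+int wildcard_matchn(const char* wildcard, const char* match, int num);
+
+diff --git a/src/helper.c b/src/helper.c
+index 1b260a1..7072cf4 100644
+--- a/src/helper.c
++++ b/src/helper.c
+@@ -131,12 +131,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
+Don't close err_fd, in case the lua-init fails.
+Note that we have to do this before lua init
+so we don't close any lua fds. */
+- for (max_fd--; max_fd >= 0; max_fd--)
+- if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO &&
+- max_fd != STDIN_FILENO && max_fd != pipefd[0] &&
+- max_fd != event_fd && max_fd != err_fd)
+- close(max_fd);
+-
++ close_fds(max_fd, pipefd[0], event_fd, err_fd);
++
+#ifdef HAVE_LUASCRIPT
+if (daemon->luascript)
+{
+diff --git a/src/util.c b/src/util.c
+index 73bf62a..f058c92 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -705,6 +705,47 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
+return 1;
+}
+
++/* close all fds except STDIN, STDOUT and STDERR, spare1, spare2 and spare3 */
++void close_fds(long max_fd, int spare1, int spare2, int spare3)
++{
++ /* On Linux, use the /proc/ filesystem to find which files
++ are actually open, rather than iterate over the whole space,
++ for efficiency reasons. If this fails we drop back to the dumb code. */
++#ifdef HAVE_LINUX_NETWORK
++ DIR *d;
++
++ if ((d = opendir("/proc/self/fd")))
++ {
++ struct dirent *de;
++
++ while ((de = readdir(d)))
++ {
++ long fd;
++ char *e = NULL;
++
++ errno = 0;
++ fd = strtol(de->d_name, &e, 10);
++
++ if (errno != 0 || !e || *e || fd == dirfd(d) ||
++ fd == STDOUT_FILENO || fd == STDERR_FILENO || fd == STDIN_FILENO ||
++ fd == spare1 || fd == spare2 || fd == spare3)
++ continue;
++
++ close(fd);
++ }
++
++ closedir(d);
++ return;
++ }
++#endif
++
++ /* fallback, dumb code. */
++ for (max_fd--; max_fd >= 0; max_fd--)
++ if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && max_fd != STDIN_FILENO &&
++ max_fd != spare1 && max_fd != spare2 && max_fd != spare3)
++ close(max_fd);
++}
++
+/* Basically match a string value against a wildcard pattern. */
+int wildcard_match(const char* wildcard, const char* match)
+{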
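Review bot: In close_fds (the src/util.c hunk of the new patch), a readdir() error is indistinguishable from end-of-directory: `while ((de = readdir(d)))` stops on NULL in both cases, and the `closedir(d); return;` that follows skips the exhaustive fallback loop, so an error part-way through the listing leaves inherited descriptors open, which is exactly the exposure this function exists to remove. Since readdir() reports failure by returning NULL with errno set, clearing errno before each call and checking it on NULL lets the function fall through to the fallback instead of returning early; the fallback's extra close() calls on already-closed descriptors only fail with EBADF, and the loop ignores close()'s return value anyway. The whole function is within this hunk; the call sites in dnsmasq.c and helper.c need no change for this.
```c
  if ((d = opendir("/proc/self/fd")))
    {
      struct dirent *de;
      int readdir_failed = 0;

      for (;;)
        {
          long fd;
          char *e = NULL;

          errno = 0;
          if (!(de = readdir(d)))
            {
              /* NULL with errno set is an error, not end-of-directory:
                 remember it so we drop back to the exhaustive loop below
                 rather than trusting a partial listing. */
              readdir_failed = (errno != 0);
              break;
            }

          errno = 0;
          fd = strtol(de->d_name, &e, 10);
          /* … unchanged: skip ., .., the directory's own fd, std{in,out,err} and spares … */
          close(fd);
        }

      closedir(d);
      if (!readdir_failed)
        return;
    }
/* … unchanged: #endif and the fallback loop … */
```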
@@ -13,7 +13,7 @@
13
13
14
14
Name: dnsmasq
15
15
Version: 2.79
16
-
Release:
16
+
Release: 13%{?extraversion:.%{extraversion}}%{?dist}
17
17
Summary: A lightweight DHCP/caching DNS server
18
18
19
19
License: GPLv2 or GPLv3
@@ -50,7 +50,8 @@ Patch17: dnsmasq-2.81-prefix-ranges-or-list-of-ipv6-addresses.patch
50
50
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
51
51
Patch18: dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
52
52
Patch19: dnsmasq-2.81-correct-range-check-of-dhcp-host-prefix.patch
53
-
Patch20: dnsmasq-2.81-
53
+
Patch20: dnsmasq-2.81-optimize-fds-close.patch
54
+
Patch21: dnsmasq-2.81-rh1829448.patch
54
55
55
56
# This is workaround to nettle bug #1549190
56
57
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -103,7 +104,8 @@ server's leases.
103
104
%patch17 -p1 -b .rh1779187-2
104
105
%patch18 -p1 -b .rh1779187-3
105
106
%patch19 -p1 -b .rh1779187-4
106
-
%patch20 -p1 -b .
107
+
%patch20 -p1 -b .rh1816613
108
+
%patch21 -p1 -b .rh1829448
107
109
108
110
# use /var/lib/dnsmasq instead of /var/lib/misc
109
111
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -204,9 +206,12 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
204
206
%{_mandir}/man1/dhcp_*
205
207
206
208
%changelog
207
-
*
209
+
* Tue May 05 2020 Petr Menšík <pemensik@redhat.com> - 2.79-13
208
210
- Fix mixed address family reservations on DHCP (#1829448)
209
211
212
+
* Mon Mar 30 2020 Tomas Korbar <tkorbar@redhat.com> - 2.79-12
213
+
- Minimize count of close syscalls on startup (#1816613)
214
+
210
215
* Mon Mar 02 2020 Petr Menšík <pemensik@redhat.com> - 2.79-11
211
216
- Support multiple static leases for single mac on IPv6 (#1779187)
212
217