-rw-r--r-- | apps/app_rpt.c | 4 | ||||
-rw-r--r-- | autoconf/ast_func_fork.m4 | 2 | ||||
-rwxr-xr-x | configure | 22 | ||||
-rw-r--r-- | main/app.c | 11 | ||||
-rw-r--r-- | main/asterisk.c | 13 |
5 files changed, 42 insertions, 10 deletions
diff --git a/apps/app_rpt.c b/apps/app_rpt.c index 381a15a65..2fa0cd0d4 100644 --- a/apps/app_rpt.c +++ b/apps/app_rpt.c @@ -359,6 +359,8 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include "asterisk/cdr.h" #include "asterisk/options.h" #include "asterisk/manager.h" +#include "asterisk/app.h" + #include <termios.h> #ifdef NEW_ASTERISK @@ -1966,7 +1968,7 @@ unsigned int seq; sprintf(str,"%s?node=%s&time=%u&seqno=%u",myrpt->p.statpost_url, myrpt->name,(unsigned int) now,seq); if (pairs) sprintf(str + strlen(str),"&%s",pairs); - if (!(pid = fork())) + if (!(pid = ast_safe_fork(0))) { execv(astrs[0],astrs); ast_log(LOG_ERROR, "exec of %s failed.\n", astrs[0]); diff --git a/autoconf/ast_func_fork.m4 b/autoconf/ast_func_fork.m4 index 37bf0c397..a5c0835ff 100644 --- a/autoconf/ast_func_fork.m4 +++ b/autoconf/ast_func_fork.m4 @@ -39,6 +39,8 @@ else fi if test "x$ac_cv_func_fork_works" = xyes; then AC_DEFINE(HAVE_WORKING_FORK, 1, [Define to 1 if `fork' works.]) + PBX_WORKING_FORK=1 + AC_SUBST(PBX_WORKING_FORK) fi ])# AST_FUNC_FORK @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Revision: 168734 . +# From configure.ac Revision: 170112 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61 for asterisk 1.6. # @@ -972,6 +972,7 @@ TIMERFD_DIR PBX_TIMERFD ALLOCA LIBOBJS +PBX_WORKING_FORK POW_LIB HAS_POLL PBX_PTHREAD_RWLOCK_INITIALIZER @@ -13318,6 +13319,8 @@ cat >>confdefs.h <<\_ACEOF #define HAVE_WORKING_FORK 1 _ACEOF + PBX_WORKING_FORK=1 + fi { echo "$as_me:$LINENO: checking for _LARGEFILE_SOURCE value needed for large files" >&5 @@ -13332,11 +13335,13 @@ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#include <stdio.h> +#include <sys/types.h> /* for off_t */ + #include <stdio.h> int main () { -return fseeko (stdin, 0, 0) && (fseeko) (stdin, 0, 0); +int (*fp) (FILE *, off_t, int) = fseeko; + return fseeko (stdin, 0, 0) && fp (stdin, 0, 0); ; return 0; } 
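Review bot: In the second apps/app_rpt.c hunk, `if (!(pid = ast_safe_fork(0)))` separates only the child from everything else, so a failed fork (negative return) takes the parent path just as a successful one does. The statements after the child block are outside the hunk, so this may already be handled. If it is not, add `if (pid < 0) ast_log(LOG_ERROR, "Unable to fork for %s\n", astrs[0]);` after the block so the failure is logged rather than dropped. The function starts and ends outside the hunk.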
@@ -13376,11 +13381,13 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ #define _LARGEFILE_SOURCE 1 -#include <stdio.h> +#include <sys/types.h> /* for off_t */ + #include <stdio.h> int main () { -return fseeko (stdin, 0, 0) && (fseeko) (stdin, 0, 0); +int (*fp) (FILE *, off_t, int) = fseeko; + return fseeko (stdin, 0, 0) && fp (stdin, 0, 0); ; return 0; } @@ -53711,6 +53718,7 @@ TIMERFD_DIR!$TIMERFD_DIR$ac_delim PBX_TIMERFD!$PBX_TIMERFD$ac_delim ALLOCA!$ALLOCA$ac_delim LIBOBJS!$LIBOBJS$ac_delim +PBX_WORKING_FORK!$PBX_WORKING_FORK$ac_delim POW_LIB!$POW_LIB$ac_delim HAS_POLL!$HAS_POLL$ac_delim PBX_PTHREAD_RWLOCK_INITIALIZER!$PBX_PTHREAD_RWLOCK_INITIALIZER$ac_delim @@ -53745,7 +53753,6 @@ AIS_INCLUDE!$AIS_INCLUDE$ac_delim AIS_LIB!$AIS_LIB$ac_delim CONFIG_GMIME!$CONFIG_GMIME$ac_delim EDITLINE_LIB!$EDITLINE_LIB$ac_delim -PBX_H323!$PBX_H323$ac_delim _ACEOF if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then @@ -53787,6 +53794,7 @@ _ACEOF ac_delim='%!_!# ' for ac_last_try in false false false false false :; do cat >conf$$subs.sed <<_ACEOF +PBX_H323!$PBX_H323$ac_delim PBX_IXJUSER!$PBX_IXJUSER$ac_delim CONFIG_SDL!$CONFIG_SDL$ac_delim CONFIG_GTK!$CONFIG_GTK$ac_delim @@ -53798,7 +53806,7 @@ PBX_GENERIC_ODBC!$PBX_GENERIC_ODBC$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 9; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 10; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 diff --git a/main/app.c b/main/app.c index 2c2704483..789425fb7 100644 --- a/main/app.c +++ b/main/app.c 
@@ -36,6 +36,9 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include <sys/time.h> /* for getrlimit(2) */ #include <sys/resource.h> /* for getrlimit(2) */ #include <stdlib.h> /* for closefrom(3) */ +#ifdef HAVE_CAP +#include <sys/capability.h> +#endif /* HAVE_CAP */ #include "asterisk/paths.h" /* use ast_config_AST_DATA_DIR */ #include "asterisk/channel.h" @@ -1883,6 +1886,14 @@ int ast_safe_fork(int stop_reaper) return pid; } else { /* Child */ +#ifdef HAVE_CAP + cap_t cap = cap_from_text("cap_net_admin-eip"); + + if (cap_set_proc(cap)) { + ast_log(LOG_WARNING, "Unable to remove capabilities.\n"); + } + cap_free(cap); +#endif /* Before we unblock our signals, return our trapped signals back to the defaults */ signal(SIGHUP, SIG_DFL); diff --git a/main/asterisk.c b/main/asterisk.c index 25c08f44f..3567fbae5 100644 --- a/main/asterisk.c +++ b/main/asterisk.c @@ -1013,6 +1013,15 @@ int ast_safe_system(const char *s) #endif if (pid == 0) { +#ifdef HAVE_CAP + cap_t cap = cap_from_text("cap_net_admin-eip"); + + if (cap_set_proc(cap)) { + /* Careful with order! Logging cannot happen after we close FDs */ + ast_log(LOG_WARNING, "Unable to remove capabilities.\n"); + } + cap_free(cap); +#endif #ifdef HAVE_WORKING_FORK if (ast_opt_high_priority) ast_set_priority(0); @@ -1036,7 +1045,7 @@ int ast_safe_system(const char *s) } ast_unreplace_sigchld(); -#else +#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */ res = -1; #endif @@ -3380,7 +3389,7 @@ int main(int argc, char *argv[]) if (has_cap) { cap_t cap; - cap = cap_from_text("cap_net_admin=ep"); + cap = cap_from_text("cap_net_admin=eip"); if (cap_set_proc(cap)) ast_log(LOG_WARNING, "Unable to install capabilities.\n"); |
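Review bot: In the ast_safe_fork() child (main/app.c, second hunk) a failed capability drop is only logged, and the child then carries on with whatever capabilities it inherited from the parent; the same pattern appears in the ast_safe_system() hunk in main/asterisk.c. The result of `cap_from_text()` is also never checked, so an allocation or parse failure is caught only indirectly when `cap_set_proc()` rejects the NULL. Consider failing closed in both places: `if (!cap || cap_set_proc(cap)) { ast_log(LOG_ERROR, "Unable to remove capabilities.\n"); _exit(1); }`. If best-effort behaviour is intended, a comment saying so would help, since callers such as the app_rpt.c hunk exec an external program from this child. Both function bodies continue outside their hunks.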
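Review bot: The new `#ifdef HAVE_CAP` block in ast_safe_system() sits outside the `#ifdef HAVE_WORKING_FORK` guard that protects `ast_set_priority(0)` just below it. The `#else` comment in the next hunk mentions HAVE_WORKING_VFORK, which suggests this child can also be created with vfork(). If so, `cap_from_text()`, `ast_log()` and `cap_free()` run in a vfork child, where POSIX only permits exec or _exit. The fork call itself is outside the hunk, so please confirm; if vfork is possible, either document why this is safe or restructure so the drop does not allocate or log in that child.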
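Review bot: Changing the main() capability string to `cap_net_admin=eip` adds the capability to the inheritable set, but nothing in the hunk says why, and the effect is wider than the two child paths patched in this commit. Any child created by a plain fork() elsewhere keeps the full set, with cap_net_admin now inheritable across exec. A comment such as `/* cap_net_admin is inheritable here; every child must drop it (see ast_safe_fork(), ast_safe_system()) */` and an audit of the remaining direct fork() callers would make the intent checkable. main() continues outside the hunk.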