Index: build_tools/menuselect-deps.in
===================================================================
--- build_tools/menuselect-deps.in (revision 166949)
+++ build_tools/menuselect-deps.in (working copy)
@@ -39,3 +39,4 @@
MISDN=@PBX_MISDN@
SUPPSERV=@PBX_SUPPSERV@
GNU_LD=@GNU_LD@
+WORKING_FORK=@PBX_WORKING_FORK@
Index: configure
===================================================================
--- configure (revision 166949)
+++ configure (working copy)
@@ -1,5 +1,5 @@
#! /bin/sh
-# From configure.ac Revision: 159808 .
+# From configure.ac Revision: 164343 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for asterisk 1.4.
#
@@ -883,6 +883,7 @@
PBX_ZAPTEL
ALLOCA
LIBOBJS
+PBX_WORKING_FORK
POW_LIB
GC_CFLAGS
GC_LDFLAGS
@@ -12114,6 +12115,8 @@
#define HAVE_WORKING_FORK 1
_ACEOF
+ PBX_WORKING_FORK=1
+
fi
{ echo "$as_me:$LINENO: checking for _LARGEFILE_SOURCE value needed for large files" >&5
@@ -32546,6 +32549,7 @@
PBX_ZAPTEL!$PBX_ZAPTEL$ac_delim
ALLOCA!$ALLOCA$ac_delim
LIBOBJS!$LIBOBJS$ac_delim
+PBX_WORKING_FORK!$PBX_WORKING_FORK$ac_delim
POW_LIB!$POW_LIB$ac_delim
GC_CFLAGS!$GC_CFLAGS$ac_delim
GC_LDFLAGS!$GC_LDFLAGS$ac_delim
@@ -32572,7 +32576,6 @@
PBX_ZAPTEL_VLDTMF!$PBX_ZAPTEL_VLDTMF$ac_delim
EDITLINE_LIB!$EDITLINE_LIB$ac_delim
PBX_H323!$PBX_H323$ac_delim
-PBX_IXJUSER!$PBX_IXJUSER$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -32614,6 +32617,7 @@
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+PBX_IXJUSER!$PBX_IXJUSER$ac_delim
GTKCONFIG!$GTKCONFIG$ac_delim
PBX_GTK!$PBX_GTK$ac_delim
GTK_INCLUDE!$GTK_INCLUDE$ac_delim
@@ -32626,7 +32630,7 @@
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 10; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 11; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
Index: apps/app_festival.c
===================================================================
--- apps/app_festival.c (revision 166949)
+++ apps/app_festival.c (working copy)
@@ -25,6 +25,10 @@
* \ingroup applications
*/
+/*** MODULEINFO
+ working_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -46,6 +50,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/file.h"
#include "asterisk/logger.h"
@@ -132,21 +139,33 @@
char c;
#endif
sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
sigfillset(&fullset);
pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
- res = fork();
- if (res < 0)
- ast_log(LOG_WARNING, "Fork failed\n");
- if (res) {
+ res = fork();
+ if (res < 0)
+ ast_log(LOG_WARNING, "Fork failed\n");
+ if (res) {
pthread_sigmask(SIG_SETMASK, &oldset, NULL);
- return res;
+ return res;
}
- for (x=0;x<256;x++) {
- if (x != fd)
- close(x);
- }
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
+ for (x=0;x<256;x++) {
+ if (x != fd)
+ close(x);
+ }
if (ast_opt_high_priority)
ast_set_priority(0);
signal(SIGPIPE, SIG_DFL);
Index: apps/app_mp3.c
===================================================================
--- apps/app_mp3.c (revision 166949)
+++ apps/app_mp3.c (working copy)
@@ -25,6 +25,10 @@
* \ingroup applications
*/
+/*** MODULEINFO
+ working_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -36,6 +40,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -65,6 +72,9 @@
int res;
int x;
sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
sigfillset(&fullset);
pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -76,6 +86,15 @@
pthread_sigmask(SIG_SETMASK, &oldset, NULL);
return res;
}
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
if (ast_opt_high_priority)
ast_set_priority(0);
signal(SIGPIPE, SIG_DFL);
@@ -83,8 +102,7 @@
dup2(fd, STDOUT_FILENO);
for (x=STDERR_FILENO + 1;x<256;x++) {
- if (x != STDOUT_FILENO)
- close(x);
+ close(x);
}
/* Execute mpg123, but buffer if it's a net connection */
if (!strncasecmp(filename, "http://", 7)) {
Index: apps/app_ices.c
===================================================================
--- apps/app_ices.c (revision 166949)
+++ apps/app_ices.c (working copy)
@@ -25,6 +25,10 @@
* \ingroup applications
*/
+/*** MODULEINFO
+ working_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -37,6 +41,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -65,6 +72,9 @@
int res;
int x;
sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
sigfillset(&fullset);
pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -81,6 +91,16 @@
signal(SIGPIPE, SIG_DFL);
pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
+
if (ast_opt_high_priority)
ast_set_priority(0);
dup2(fd, STDIN_FILENO);
Index: apps/app_nbscat.c
===================================================================
--- apps/app_nbscat.c (revision 166949)
+++ apps/app_nbscat.c (working copy)
@@ -25,6 +25,10 @@
* \ingroup applications
*/
+/*** MODULEINFO
+ working_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -37,6 +41,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -69,6 +76,9 @@
int res;
int x;
sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
sigfillset(&fullset);
pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -83,6 +93,15 @@
signal(SIGPIPE, SIG_DFL);
pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
if (ast_opt_high_priority)
ast_set_priority(0);
Index: apps/app_dahdiras.c
===================================================================
--- apps/app_dahdiras.c (revision 166949)
+++ apps/app_dahdiras.c (working copy)
@@ -27,6 +27,7 @@
/*** MODULEINFO
dahdi
+ working_fork
***/
#include "asterisk.h"
@@ -48,6 +49,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -92,6 +96,9 @@
int argc = 0;
char *stringp=NULL;
sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
sigfillset(&fullset);
pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -103,6 +110,16 @@
return pid;
}
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
+
/* Restore original signal handlers */
for (x=0;xworking_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -41,6 +45,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -317,7 +324,16 @@
if (!pid) {
/* child process */
int i;
+#ifdef HAVE_CAP
+ cap_t cap = cap_from_text("cap_net_admin-eip");
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
+
signal(SIGPIPE, SIG_DFL);
pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
Index: autoconf/ast_func_fork.m4
===================================================================
--- autoconf/ast_func_fork.m4 (revision 166949)
+++ autoconf/ast_func_fork.m4 (working copy)
@@ -39,6 +39,8 @@
fi
if test "x$ac_cv_func_fork_works" = xyes; then
AC_DEFINE(HAVE_WORKING_FORK, 1, [Define to 1 if `fork' works.])
+ PBX_WORKING_FORK=1
+ AC_SUBST(PBX_WORKING_FORK)
fi
])# AST_FUNC_FORK
Index: main/asterisk.c
===================================================================
--- main/asterisk.c (revision 166949)
+++ main/asterisk.c (working copy)
@@ -818,6 +818,15 @@
#endif
if (pid == 0) {
+#ifdef HAVE_CAP
+ cap_t cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
#ifdef HAVE_WORKING_FORK
if (ast_opt_high_priority)
ast_set_priority(0);
@@ -842,7 +851,7 @@
}
ast_unreplace_sigchld();
-#else
+#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
res = -1;
#endif
@@ -2913,7 +2922,7 @@
if (has_cap) {
cap_t cap;
- cap = cap_from_text("cap_net_admin=ep");
+ cap = cap_from_text("cap_net_admin=eip");
if (cap_set_proc(cap))
ast_log(LOG_WARNING, "Unable to install capabilities.\n");
Index: res/res_agi.c
===================================================================
--- res/res_agi.c (revision 166949)
+++ res/res_agi.c (working copy)
@@ -23,6 +23,10 @@
* \author Mark Spencer
*/
+/*** MODULEINFO
+ working_fork
+ ***/
+
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -44,6 +48,9 @@
#include
#include
#include
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/file.h"
#include "asterisk/logger.h"
@@ -299,6 +306,16 @@
return AGI_RESULT_FAILURE;
}
if (!pid) {
+#ifdef HAVE_CAP
+ cap_t cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ /* Careful with order! Logging cannot happen after we close FDs */
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
+
/* Pass paths to AGI via environmental variables */
setenv("AST_CONFIG_DIR", ast_config_AST_CONFIG_DIR, 1);
setenv("AST_CONFIG_FILE", ast_config_AST_CONFIG_FILE, 1);
Index: res/res_musiconhold.c
===================================================================
--- res/res_musiconhold.c (revision 166949)
+++ res/res_musiconhold.c (working copy)
@@ -28,6 +28,7 @@
/*** MODULEINFO
win32
+ working_fork
***/
#include "asterisk.h"
@@ -51,6 +52,9 @@
#ifdef SOLARIS
#include
#endif
+#ifdef HAVE_CAP
+#include
+#endif /* HAVE_CAP */
#include "asterisk/lock.h"
#include "asterisk/file.h"
@@ -450,7 +454,15 @@
return -1;
}
if (!class->pid) {
+ /* Child */
int x;
+#ifdef HAVE_CAP
+ cap_t cap;
+#endif
+ if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
+ ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
+ _exit(1);
+ }
if (ast_opt_high_priority)
ast_set_priority(0);
@@ -459,6 +471,14 @@
signal(SIGPIPE, SIG_DFL);
pthread_sigmask(SIG_UNBLOCK, &signal_set, NULL);
+#ifdef HAVE_CAP
+ cap = cap_from_text("cap_net_admin-eip");
+
+ if (cap_set_proc(cap)) {
+ ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+ }
+ cap_free(cap);
+#endif
close(fds[0]);
/* Stdout goes to pipe */
dup2(fds[1], STDOUT_FILENO);
@@ -468,12 +488,8 @@
close(x);
}
}
- /* Child */
- if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
- ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
- _exit(1);
- }
setpgid(0, getpid());
+
if (ast_test_flag(class, MOH_CUSTOM)) {
execv(argv[0], argv);
} else {