Skip to content
Snippets Groups Projects
Select Git revision
  • refresh_expires_in
  • redis
  • master default protected
  • auto_reverse_multi
  • kdig_dnssec_valid
  • ctl_sockets_multi
  • redis_squashed
  • 3.4 protected
  • onlinesign_interference
  • zone_load_from_dir
  • redis-tls
  • incr_decr_as_in_c
  • python_libknot_api_doc
  • tests_socket_starting_dv
  • 3.3 protected
  • doc_backup_members
  • kxdpgun_latency
  • dbg_dname_v3.4.1
  • status_frozen_fix
  • memsan_fixes
  • v3.4.5 protected
  • v3.4.4 protected
  • v3.3.10 protected
  • v3.4.3 protected
  • v3.4.2 protected
  • v3.4.1 protected
  • v3.5.dev protected
  • v3.4.0 protected
  • v3.3.9 protected
  • v3.3.8 protected
  • v3.2.13 protected
  • v3.3.7 protected
  • v3.3.6 protected
  • v3.3.5 protected
  • v3.3.4 protected
  • v3.2.12 protected
  • v3.3.3 protected
  • v3.2.11 protected
  • v3.3.2 protected
  • v3.2.10 protected
40 results
Search by author
  • Any Author
  • Aleš Mrázek Aleš Mrázek amrazek
  • Daniel Salzman Daniel Salzman dsalzman
  • David Vasek David Vasek dvasek
  • Frantisek Tobias Frantisek Tobias ftobias
  • Hynek Šabacký Hynek Šabacký hsabacky
  • Jakub Ružička Jakub Ružička jruzicka
  • Jan Doskočil Jan Doskočil jan.doskocil
  • Jan Hák Jan Hák jhak
  • Ladislav Lhotka Ladislav Lhotka llhotka
  • Libor Peltan Libor Peltan lpeltan
  • Lukáš Ondráček Lukáš Ondráček londracek
  • Oto Šťáva Oto Šťáva ostava
  • Petr Špaček Petr Špaček isc-pspacek
  • Robert Edmonds Robert Edmonds edmonds
  • Štěpán Balážik Štěpán Balážik sbalazik
  • Tomas Krizek Tomas Krizek tkrizek
  • Vaclav Sraier Vaclav Sraier vsraier
  • Vladimír Čunát Vladimír Čunát vcunat
18 authors
  1. Dec 24, 2017
    • Jonathan Foote's avatar
      Initial integration with google/oss-fuzz · 60729287
      Jonathan Foote authored 
      Implements initial support for continuous fuzzing with [google/oss-fuzz](http://github.com/google/oss-fuzz). Changes:

- Removes `--with-santize-coverage` config flag: the clang6 `-fsanitize=fuzzer-no-link` replaces this
- Adds `--with-oss-fuzz` config flag: links `-lFuzzingEngine` into fuzz targets
- Adds logic to `make check` that runs the fuzz targets with a single seed input to ensure they exit successfully
      60729287
  3. Dec 22, 2017
  5. Dec 21, 2017
  7. Dec 20, 2017
  9. Dec 19, 2017
  11. Dec 15, 2017
  13. Dec 14, 2017
  15. Dec 12, 2017
  17. Dec 08, 2017
    • Robert Edmonds's avatar
      udp-handler: Remove capability dropping code · c0c3f972
      Robert Edmonds authored 
      Capabilities should already have been dropped prior to threads being
spawned.
      c0c3f972
    • Robert Edmonds's avatar
      tcp-handler: Remove #include <cap-ng.h> · fa7de88e
      Robert Edmonds authored 
      This commit removes the conditional import of <cap-ng.h> in tcp-handler,
because there are no dependencies on the libcap-ng API in tcp-handler.c.
      fa7de88e
    • Robert Edmonds's avatar
      dthreads: Remove capability dropping code · fd7f3f39
      Robert Edmonds authored 
      Capabilities should have already been dropped prior to threads being
spawned.
      fd7f3f39
    • Robert Edmonds's avatar
      knotd: Simplify POSIX capabilities setup to drop all capabilities · 16c12f1b
      Robert Edmonds authored 
      This commit renames knotd's setup_capabilities() to drop_capabilities(),
and makes this function simply drop all capabilities.

The call to this function from main() was previously very early, prior
to sockets being bound. Since we most likely need to retain some
capabilities in order to bind to privileged sockets, this commit moves
the dropping of capabilities to be just after the dropping of
privileges, since we also need capabilities in order to change uid/gid.

Capabilities dropping is still performed prior to any daemonization or
spawning of threads, so the interaction of capabilities with threads and
child processes should be straight forward to analyze.

We also call drop_capabilities() prior to activating any global query
modules, so any threads spawned by those modules should see the same,
minimal set of privileges and capabilities that the main thread and
worker threads will see during runtime.
      16c12f1b
    • Robert Edmonds's avatar
      knotd: Make global query module activation occur later · 8d53d75a
      Robert Edmonds authored 
      This commit moves the call to conf_activate_modules() out of the
set_config() function and into main() so that global query modules are
activated after privilege dropping has occurred.

This makes the global query modules match the zone query modules a
little better. The zone query modules are activated later, after
privilege dropping has occurred.

This ensures that if a global query module launches its own threads at
startup, those threads are spawned from a main thread that has already
performed privilege dropping.
      8d53d75a
    • Libor Peltan's avatar
      doc: described key rollover schemes · 99e9ce87
      Libor Peltan authored
      99e9ce87
  19. Dec 06, 2017
  21. Dec 05, 2017
  23. Dec 04, 2017