- Dec 19, 2017
-
-
- Dec 15, 2017
-
-
Daniel Salzman authored
-
- Dec 14, 2017
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
-
- Dec 12, 2017
-
-
Daniel Salzman authored
Linux capabilities rewrite. See merge request !864
-
Daniel Salzman authored
-
- Dec 08, 2017
-
-
Robert Edmonds authored
Capabilities should already have been dropped prior to threads being spawned.
-
Robert Edmonds authored
This commit removes the conditional import of <cap-ng.h> in tcp-handler, because there are no dependencies on the libcap-ng API in tcp-handler.c.
-
Robert Edmonds authored
Capabilities should have already been dropped prior to threads being spawned.
-
Robert Edmonds authored
This commit renames knotd's setup_capabilities() to drop_capabilities(), and makes this function simply drop all capabilities. The call to this function from main() was previously very early, prior to sockets being bound. Since we most likely need to retain some capabilities in order to bind to privileged sockets, this commit moves the dropping of capabilities to be just after the dropping of privileges, since we also need capabilities in order to change uid/gid. Capabilities dropping is still performed prior to any daemonization or spawning of threads, so the interaction of capabilities with threads and child processes should be straightforward to analyze. We also call drop_capabilities() prior to activating any global query modules, so any threads spawned by those modules should see the same, minimal set of privileges and capabilities that the main thread and worker threads will see during runtime.
-
Robert Edmonds authored
This commit moves the call to conf_activate_modules() out of the set_config() function and into main() so that global query modules are activated after privilege dropping has occurred. This makes the global query modules match the zone query modules a little better. The zone query modules are activated later, after privilege dropping has occurred. This ensures that if a global query module launches its own threads at startup, those threads are spawned from a main thread that has already performed privilege dropping.
-
Libor Peltan authored
-
- Dec 06, 2017
-
-
Daniel Salzman authored
fixes #560
-
- Dec 05, 2017
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Dec 04, 2017
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Dec 03, 2017
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Dec 02, 2017
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Dec 01, 2017
-
-
Mark Karpilovskij authored
-
Daniel Salzman authored
FNV64 replaced by SipHash. See merge request !860
-
-
Solved Issue A from the security audit
-
Libor Peltan authored
-
- Nov 29, 2017
-
-
Daniel Salzman authored
-
- Nov 27, 2017
-
-
Daniel Salzman authored
Test fix csk roll. See merge request !859
-