From 88674be66567d3c7db91e717cd5972655e2e2488 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 15 Oct 2008 05:00:57 +0000
Subject: [PATCH] 2464.   [port]          linux: check that a capability is
 present before 			trying to set it. [RT #18135]

---
 CHANGES             |  3 +++
 bin/named/unix/os.c | 26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index aeadf4df33..313ae5c9e9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2464.	[port]		linux: check that a capability is present before
+			trying to set it. [RT #18135]
+
 2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
 			API and glibc hides parts of the IPv6 Advanced Socket
 			API as a result.  This is stupid as it breaks how the
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 171b20dde1..09a503fdb1 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.84 2008/05/06 01:30:26 each Exp $ */
+/* $Id: os.c,v 1.85 2008/10/15 05:00:57 marka Exp $ */
 
 /*! \file */
 
@@ -194,16 +194,20 @@ linux_setcaps(cap_t caps) {
 #define SET_CAP(flag) \
 	do { \
 		capval = (flag); \
-		err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
-		if (err == -1) { \
-			isc__strerror(errno, strbuf, sizeof(strbuf)); \
-			ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
-		} \
-		\
-		err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
-		if (err == -1) { \
-			isc__strerror(errno, strbuf, sizeof(strbuf)); \
-			ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+		cap_flag_value_t curval; \
+		err = cap_get_flag(cap_get_proc(), capval, CAP_PERMITTED, &curval); \
+		if (err != -1 && curval) { \
+			err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
+			if (err == -1) { \
+				isc__strerror(errno, strbuf, sizeof(strbuf)); \
+				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+			} \
+			\
+			err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
+			if (err == -1) { \
+				isc__strerror(errno, strbuf, sizeof(strbuf)); \
+				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+			} \
 		} \
 	} while (0)
 #define INIT_CAP \