[lxc-devel] [PATCH 11/21] Don't hard depend on capability.h and libcap
Serge Hallyn
serge.hallyn at canonical.com
Thu Jan 3 18:03:51 UTC 2013
Quoting Stéphane Graber (stgraber at ubuntu.com):
> In the effort to make LXC work with non-standard Linux distros, this change
> allows for the user to build LXC without capability support.
>
> This effectively will cause LXC not to link against libcap and will turn all
> the _cap_ functions into no-ops.
I don't like this for upstream. It's fine as a quick hack to
make it work, but lxc.caps and, particularly, dropping CAP_SYS_BOOT
if the kernel doesn't support per-pidns reboot, are supposed to
work. (I realize the android you are working with has a new enough
kernel for per-pidns reboot, but that won't apply to everyone who
doesn't have libcap installed)
Is there really no libcap for android? (I guess not - just checked
google play - but I'm surprised since the libcap maintainer is at
google) It seems like it should not be hard to build it. Perhaps even
a spare copy under src/libcap, only compiled if the system doesn't
provide it, and setting HAVE_PRIVATE_CAPABILITY_H. Or a separate
libcap.apk.
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/caps.c | 6 +++++-
> src/lxc/caps.h | 24 ++++++++++++++++++++++++
> src/lxc/conf.c | 11 ++++++++++-
> src/lxc/start.c | 15 ++++++++++++++-
> 4 files changed, 53 insertions(+), 3 deletions(-)
>
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 94c134d..53c552b 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -27,13 +27,16 @@
> #include <stdlib.h>
> #include <limits.h>
> #include <sys/prctl.h>
> -#include <sys/capability.h>
> #include <errno.h>
>
> +#include "config.h"
> #include "log.h"
>
> lxc_log_define(lxc_caps, lxc);
>
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +
> int lxc_caps_reset(void)
> {
> cap_t cap = cap_init();
> @@ -258,3 +261,4 @@ int lxc_caps_check(void)
>
> return 1;
> }
> +#endif
> diff --git a/src/lxc/caps.h b/src/lxc/caps.h
> index 88cf09e..9b86215 100644
> --- a/src/lxc/caps.h
> +++ b/src/lxc/caps.h
> @@ -20,9 +20,12 @@
> * License along with this library; if not, write to the Free Software
> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> */
> +#include "config.h"
> +
> #ifndef _caps_h
> #define _caps_h
>
> +#if HAVE_SYS_CAPABILITY_H
> extern int lxc_caps_reset(void);
> extern int lxc_caps_down(void);
> extern int lxc_caps_up(void);
> @@ -30,6 +33,27 @@ extern int lxc_caps_init(void);
> extern int lxc_caps_check(void);
>
> extern int lxc_caps_last_cap(void);
> +#else
> +static inline int lxc_caps_reset(void) {
> + return 0;
> +}
> +static inline int lxc_caps_down(void) {
> + return 0;
> +}
> +static inline int lxc_caps_up(void) {
> + return 0;
> +}
> +static inline int lxc_caps_init(void) {
> + return 0;
> +}
> +static inline int lxc_caps_check(void) {
> + return 0;
> +}
> +
> +static inline int lxc_caps_last_cap(void) {
> + return 0;
> +}
> +#endif
>
> #define lxc_priv(__lxc_function) \
> ({ \
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 49bba2a..25b75d7 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -48,7 +48,6 @@
> #include <sys/mount.h>
> #include <sys/mman.h>
> #include <sys/prctl.h>
> -#include <sys/capability.h>
> #include <sys/personality.h>
>
> #include <arpa/inet.h>
> @@ -71,6 +70,10 @@
> #include <apparmor.h>
> #endif
>
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +
> #include "lxcseccomp.h"
>
> lxc_log_define(lxc_conf, lxc);
> @@ -104,6 +107,7 @@ lxc_log_define(lxc_conf, lxc);
> #define MS_STRICTATIME (1 << 24)
> #endif
>
> +#if HAVE_SYS_CAPABILITY_H
> #ifndef CAP_SETFCAP
> #define CAP_SETFCAP 31
> #endif
> @@ -115,6 +119,7 @@ lxc_log_define(lxc_conf, lxc);
> #ifndef CAP_MAC_ADMIN
> #define CAP_MAC_ADMIN 33
> #endif
> +#endif
>
> #ifndef PR_CAPBSET_DROP
> #define PR_CAPBSET_DROP 24
> @@ -199,6 +204,7 @@ static struct mount_opt mount_opt[] = {
> { NULL, 0, 0 },
> };
>
> +#if HAVE_SYS_CAPABILITY_H
> static struct caps_opt caps_opt[] = {
> { "chown", CAP_CHOWN },
> { "dac_override", CAP_DAC_OVERRIDE },
> @@ -245,6 +251,9 @@ static struct caps_opt caps_opt[] = {
> { "wake_alarm", CAP_WAKE_ALARM },
> #endif
> };
> +#else
> +static struct caps_opt caps_opt[] = {};
> +#endif
>
> static int run_buffer(char *buffer)
> {
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 3452022..271764e 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -41,12 +41,15 @@
> #include <sys/socket.h>
> #include <sys/prctl.h>
> #include <sys/types.h>
> -#include <sys/capability.h>
> #include <sys/wait.h>
> #include <sys/un.h>
> #include <sys/poll.h>
> #include <sys/syscall.h>
>
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +
> #ifdef HAVE_SYS_SIGNALFD_H
> # include <sys/signalfd.h>
> #else
> @@ -339,10 +342,14 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
> }
>
> if (handler->conf->need_utmp_watch) {
> + #if HAVE_SYS_CAPABILITY_H
> if (lxc_utmp_mainloop_add(&descr, handler)) {
> ERROR("failed to add utmp handler to mainloop");
> goto out_mainloop_open;
> }
> + #else
> + DEBUG("Can't start utmp handler as capabilities aren't supported\n");
> + #endif
> }
>
> return lxc_mainloop(&descr);
> @@ -553,6 +560,7 @@ static int do_start(void *data)
> if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE))
> return -1;
>
> + #if HAVE_SYS_CAPABILITY_H
> if (handler->conf->need_utmp_watch) {
> if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
> SYSERROR("failed to remove CAP_SYS_BOOT capability");
> @@ -560,6 +568,7 @@ static int do_start(void *data)
> }
> DEBUG("Dropped cap_sys_boot\n");
> }
> + #endif
>
> /* Setup the container, ip, names, utsname, ... */
> if (lxc_setup(handler->name, handler->conf)) {
> @@ -752,7 +761,11 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
> handler->data = data;
>
> if (must_drop_cap_sys_boot()) {
> + #if HAVE_SYS_CAPABILITY_H
> DEBUG("Dropping cap_sys_boot\n");
> + #else
> + DEBUG("Can't drop cap_sys_boot as capabilities aren't supported\n");
> + #endif
> } else {
> DEBUG("Not dropping cap_sys_boot or watching utmp\n");
> handler->conf->need_utmp_watch = 0;
> --
> 1.8.0
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122712
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
More information about the lxc-devel
mailing list