[lxc-devel] [PATCH 11/24] Don't hard depend on capability.h and libcap

Serge Hallyn serge.hallyn at canonical.com
Tue Jan 8 18:20:35 UTC 2013


Quoting Stéphane Graber (stgraber at ubuntu.com):
> In the effort to make LXC work with non-standard Linux distros, this change
> allows for the user to build LXC without capability support through a new
> --disable-capabilities option to configure.
> 
> This effectively will cause LXC not to link against libcap and will turn all
> the _cap_ functions into no-ops.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Only one comment - perhaps the message "Can't start utmp handler as capabilities aren't supported" should read "not starting utmp handler as cap_sys_boot cannot be dropped without capabilities support"?


Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  configure.ac    | 27 +++++++++++++++++----------
>  src/lxc/caps.c  |  6 +++++-
>  src/lxc/caps.h  | 24 ++++++++++++++++++++++++
>  src/lxc/conf.c  | 11 ++++++++++-
>  src/lxc/start.c | 15 ++++++++++++++-
>  5 files changed, 70 insertions(+), 13 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index ea98f02..22b45cd 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -180,17 +180,24 @@ AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h],
>  				AC_MSG_ERROR([Please install the Linux kernel headers.]),
>  				[#include <sys/socket.h>])
>  
> +# Allow disabling libcap support
> +AC_ARG_ENABLE([capabilities],
> +	[AC_HELP_STRING([--disable-capabilities], [disable kernel capabilities])],
> +	[], [enable_capabilities=yes])
> +
>  # Check for libcap support
> -AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]),
> -[#include <sys/types.h>
> -#include <sys/capability.h>])
> -AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
> -AC_MSG_CHECKING([linux capabilities])
> -if test "x$caplib" = "xyes" ; then
> -	CAP_LIBS="-lcap"
> -	AC_MSG_RESULT([$CAP_LIBS])
> +if test "x$enable_capabilities" = "xyes"; then
> +	AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
> +	AC_MSG_CHECKING([linux capabilities])
> +	if test "x$caplib" = "xyes" ; then
> +		CAP_LIBS="-lcap"
> +		AC_MSG_RESULT([$CAP_LIBS])
> +	else
> +		AC_MSG_RESULT([no])
> +		AC_MSG_ERROR([You are missing libcap support. If you really want to build without kernel capabilities, use --disable-capabilities])
> +	fi
>  else
> -	AC_MSG_ERROR([not found])
> +	CAP_LIBS=""
>  fi
>  AC_SUBST([CAP_LIBS])
>  
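Review bot: The new --disable-capabilities switch only empties CAP_LIBS, while HAVE_SYS_CAPABILITY_H, which every `#if` in the C hunks keys on, is still produced by the unconditional `AC_CHECK_HEADERS([sys/signalfd.h pty.h sys/capability.h])` in the next hunk. On a host that has the header but is configured with --disable-capabilities the cap_* calls compile in and the link fails for lack of -lcap; on a host where libcap links but the header is missing, `AC_CHECK_LIB(cap,cap_set_proc,...)` passes and the no-op stubs are silently built although capabilities were requested. Move the header check under the enable branch next to the library check, e.g. `AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]))`, or derive a dedicated `HAVE_CAPABILITIES` define from `$enable_capabilities` and test that in the C sources. `AC_HELP_STRING` is also deprecated in favour of `AS_HELP_STRING`.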
> @@ -214,7 +221,7 @@ AM_CONDITIONAL([IS_BIONIC], [test "x$is_bionic" = "xyes"])
>  AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>])
>  
>  # Check for some headers
> -AC_CHECK_HEADERS([sys/signalfd.h pty.h])
> +AC_CHECK_HEADERS([sys/signalfd.h pty.h sys/capability.h])
>  
>  # Check for some functions
>  AC_CHECK_FUNCS([getline fgetln openpty])
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 94c134d..53c552b 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -27,13 +27,16 @@
>  #include <stdlib.h>
>  #include <limits.h>
>  #include <sys/prctl.h>
> -#include <sys/capability.h>
>  #include <errno.h>
>  
> +#include "config.h"
>  #include "log.h"
>  
>  lxc_log_define(lxc_caps, lxc);
>  
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +
>  int lxc_caps_reset(void)
>  {
>  	cap_t cap = cap_init();
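Review bot: `#include "config.h"` is added after the system headers; if config.h defines feature-test macros such as _GNU_SOURCE they have no effect on headers already pulled in above, so it belongs as the first include of the file. The `#if HAVE_SYS_CAPABILITY_H` opened here is closed only at the very end of the file (next hunk), so a closing marker `#endif /* HAVE_SYS_CAPABILITY_H */` there would make the span visible. The tree otherwise uses the `#ifdef HAVE_SYS_SIGNALFD_H` form (see start.c), so `#ifdef` would be the consistent spelling here and in the other files of this patch.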
> @@ -258,3 +261,4 @@ int lxc_caps_check(void)
>  
>  	return 1;
>  }
> +#endif
> diff --git a/src/lxc/caps.h b/src/lxc/caps.h
> index 88cf09e..dc3fd6f 100644
> --- a/src/lxc/caps.h
> +++ b/src/lxc/caps.h
> @@ -20,9 +20,12 @@
>   * License along with this library; if not, write to the Free Software
>   * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>   */
> +#include "config.h"
> +
>  #ifndef _caps_h
>  #define _caps_h
>  
> +#if HAVE_SYS_CAPABILITY_H
>  extern int lxc_caps_reset(void);
>  extern int lxc_caps_down(void);
>  extern int lxc_caps_up(void);
> @@ -30,6 +33,27 @@ extern int lxc_caps_init(void);
>  extern int lxc_caps_check(void);
>  
>  extern int lxc_caps_last_cap(void);
> +#else
> +static inline int lxc_caps_reset(void) {
> +        return 0;
> +}
> +static inline int lxc_caps_down(void) {
> +        return 0;
> +}
> +static inline int lxc_caps_up(void) {
> +        return 0;
> +}
> +static inline int lxc_caps_init(void) {
> +        return 0;
> +}
> +static inline int lxc_caps_check(void) {
> +        return 1;
> +}
> +
> +static inline int lxc_caps_last_cap(void) {
> +        return 0;
> +}
> +#endif
>  
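Review bot: The no-op stubs carry no comment saying why they exist or what a return of 1 from `lxc_caps_check` promises to callers; a line such as `/* Built without libcap (--disable-capabilities): capability handling is a no-op. */` above the `#else` would cover that. They are also indented with eight spaces while the rest of the header uses tabs (see the lxc_priv macro just below). In the first hunk of this file `#include "config.h"` sits before the `#ifndef _caps_h` guard; move it inside the guard, or drop it if the .c files already include config.h first, as caps.c apparently does.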
>  #define lxc_priv(__lxc_function)			\
>  	({						\
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 49bba2a..25b75d7 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -48,7 +48,6 @@
>  #include <sys/mount.h>
>  #include <sys/mman.h>
>  #include <sys/prctl.h>
> -#include <sys/capability.h>
>  #include <sys/personality.h>
>  
>  #include <arpa/inet.h>
> @@ -71,6 +70,10 @@
>  #include <apparmor.h>
>  #endif
>  
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +
>  #include "lxcseccomp.h"
>  
>  lxc_log_define(lxc_conf, lxc);
> @@ -104,6 +107,7 @@ lxc_log_define(lxc_conf, lxc);
>  #define MS_STRICTATIME (1 << 24)
>  #endif
>  
> +#if HAVE_SYS_CAPABILITY_H
>  #ifndef CAP_SETFCAP
>  #define CAP_SETFCAP 31
>  #endif
> @@ -115,6 +119,7 @@ lxc_log_define(lxc_conf, lxc);
>  #ifndef CAP_MAC_ADMIN
>  #define CAP_MAC_ADMIN 33
>  #endif
> +#endif
>  
>  #ifndef PR_CAPBSET_DROP
>  #define PR_CAPBSET_DROP 24
> @@ -199,6 +204,7 @@ static struct mount_opt mount_opt[] = {
>  	{ NULL,            0, 0              },
>  };
>  
> +#if HAVE_SYS_CAPABILITY_H
>  static struct caps_opt caps_opt[] = {
>  	{ "chown",             CAP_CHOWN             },
>  	{ "dac_override",      CAP_DAC_OVERRIDE      },
> @@ -245,6 +251,9 @@ static struct caps_opt caps_opt[] = {
>  	{ "wake_alarm",        CAP_WAKE_ALARM        },
>  #endif
>  };
> +#else
> +static struct caps_opt caps_opt[] = {};
> +#endif
>  
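Review bot: `static struct caps_opt caps_opt[] = {};` is an empty initializer on a zero-length array, which is a GNU extension rather than C; -pedantic or a non-GCC compiler rejects it. Since the code that walks caps_opt is not in the hunk, the cleaner fix is to guard those use sites with the same `#if HAVE_SYS_CAPABILITY_H` instead of keeping a dummy table. Whatever the fix, make sure a configured capability name that can no longer be matched is reported as an error rather than silently ignored, so a capability-less build does not pretend to honour a cap-drop configuration it cannot apply.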
>  static int run_buffer(char *buffer)
>  {
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 3452022..271764e 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -41,12 +41,15 @@
>  #include <sys/socket.h>
>  #include <sys/prctl.h>
>  #include <sys/types.h>
> -#include <sys/capability.h>
>  #include <sys/wait.h>
>  #include <sys/un.h>
>  #include <sys/poll.h>
>  #include <sys/syscall.h>
>  
> +#if HAVE_SYS_CAPABILITY_H
> +#include <sys/capability.h>
> +#endif
> +
>  #ifdef HAVE_SYS_SIGNALFD_H
>  #  include <sys/signalfd.h>
>  #else
> @@ -339,10 +342,14 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
>  	}
>  
>  	if (handler->conf->need_utmp_watch) {
> +		#if HAVE_SYS_CAPABILITY_H
>  		if (lxc_utmp_mainloop_add(&descr, handler)) {
>  			ERROR("failed to add utmp handler to mainloop");
>  			goto out_mainloop_open;
>  		}
> +		#else
> +			DEBUG("Can't start utmp handler as capabilities aren't supported\n");
> +		#endif
>  	}
>  
>  	return lxc_mainloop(&descr);
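Review bot: The preprocessor directives are indented to the code's level (`\t\t#if HAVE_SYS_CAPABILITY_H`), here and again in the do_start and __lxc_start hunks below, whereas the top of this file keeps `#ifdef HAVE_SYS_SIGNALFD_H` at column 0; the `DEBUG` under `#else` is also pushed one level deeper than the `if` it replaces. Keep the directives at column 0 and the statement at the enclosing block's indent. lxc_poll starts outside the hunk.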
> @@ -553,6 +560,7 @@ static int do_start(void *data)
>  	if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE))
>  		return -1;
>  
> +	#if HAVE_SYS_CAPABILITY_H
>  	if (handler->conf->need_utmp_watch) {
>  		if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
>  			SYSERROR("failed to remove CAP_SYS_BOOT capability");
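Review bot: Guarding the `prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)` on HAVE_SYS_CAPABILITY_H removes the bounding-set drop from --disable-capabilities builds, although prctl needs neither libcap nor <sys/capability.h>, only the CAP_SYS_BOOT constant from <linux/capability.h>. conf.c already carries `#ifndef PR_CAPBSET_DROP` / `#define PR_CAPBSET_DROP 24` for exactly this situation, so the same pattern (a fallback define for CAP_SYS_BOOT, or including <linux/capability.h> directly) would keep the drop and leave only the utmp watcher conditional. As written, a capability-less build keeps need_utmp_watch set yet neither drops cap_sys_boot nor watches utmp, so the container init retains a capability that `must_drop_cap_sys_boot()` asked to remove. The matching `#endif` is in the following hunk and do_start begins outside this one.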
> @@ -560,6 +568,7 @@ static int do_start(void *data)
>  		}
>  		DEBUG("Dropped cap_sys_boot\n");
>  	}
> +	#endif
>  
>  	/* Setup the container, ip, names, utsname, ... */
>  	if (lxc_setup(handler->name, handler->conf)) {
> @@ -752,7 +761,11 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
>  	handler->data = data;
>  
>  	if (must_drop_cap_sys_boot()) {
> +		#if HAVE_SYS_CAPABILITY_H
>  		DEBUG("Dropping cap_sys_boot\n");
> +		#else
> +		DEBUG("Can't drop cap_sys_boot as capabilities aren't supported\n");
> +		#endif
>  	} else {
>  		DEBUG("Not dropping cap_sys_boot or watching utmp\n");
>  		handler->conf->need_utmp_watch = 0;
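Review bot: The new `DEBUG("Can't drop cap_sys_boot as capabilities aren't supported\n")` records a security-relevant degradation at debug level, where it is invisible in a normal run; a skipped drop that `must_drop_cap_sys_boot()` requested deserves at least `WARN(...)`, or a hard failure unless the configuration explicitly opts in. The else branch clears need_utmp_watch, but this branch leaves it set, so lxc_poll later also reports that it cannot start the utmp handler; clearing the flag here as well would keep the two messages from both firing. __lxc_start continues outside the hunk.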
> -- 
> 1.8.0
> 
> 



