AM_COND_IF([ENABLE_CAP],
[AC_CHECK_HEADER([sys/capability.h],[],[AC_MSG_ERROR([You must install the libcap development package in order to compile lxc])])
AC_CHECK_LIB(cap,cap_set_proc,[],[AC_MSG_ERROR([You must install the libcap development package in order to compile lxc])])
- AC_SUBST([CAP_LIBS], [-lcap])])
+ # Test whether we support getting file capabilities via cap_get_file().
+ AC_CHECK_LIB(cap,cap_get_file, AC_DEFINE(LIBCAP_SUPPORTS_FILE_CAPABILITIES,1,[Have cap_get_file]),[],[])
+ AC_SUBST([CAP_LIBS], [-lcap])])
# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
OLD_CFLAGS="$CFLAGS"
bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
{
- /* Android's bionic currently seems to lack support for cap_get_file(). */
- #if IS_BIONIC
- return true;
- #else
+ #if LIBCAP_SUPPORTS_FILE_CAPABILITIES
bool cap_is_set;
cap_t caps;
cap_is_set = lxc_cap_is_set(caps, cap, flag);
cap_free(caps);
return cap_is_set;
+ #else
+ errno = ENODATA;
+ return false;
#endif
}
goto cleanup;
}
- #if HAVE_LIBCAP && !IS_BIONIC
+ #if HAVE_LIBCAP && LIBCAP_SUPPORTS_FILE_CAPABILITIES
/* Check if it has the CAP_SETUID capability. */
if ((cap & CAP_SETUID) &&
lxc_file_cap_is_set(path, CAP_SETUID, CAP_EFFECTIVE) &&
goto cleanup;
}
#else
+ /* If we cannot check for file capabilities we need to give the benefit
+ * of the doubt. Otherwise we might fail even though all the necessary
+ * file capabilities are set.
+ */
DEBUG("Cannot check for file capabilites as full capability support is "
"missing. Manual intervention needed.");
fret = 1;
projects / thirdparty / lxc.git / commitdiff
