From 9b414a38fadb41c9ea056ed5d284ab5098251a37 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 23 Oct 2025 23:40:59 +0900
Subject: [PATCH] tree-wide: drop unused libcap dependencies
---
.github/workflows/build-test.sh | 1 -
README | 1 -
TODO | 4 ----
docs/MINIMAL_BUILDS.md | 4 +---
meson.build | 5 +----
src/basic/capability-util.h | 5 +----
src/basic/meson.build | 3 +--
src/libsystemd/libsystemd.pc.in | 1 -
src/libudev/libudev.pc.in | 1 -
src/shared/meson.build | 1 -
src/systemctl/meson.build | 1 -
src/test/meson.build | 10 ++--------
src/test/test-capability-list.c | 24 ------------------------
tools/oss-fuzz.sh | 4 ++--
14 files changed, 8 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/build-test.sh b/.github/workflows/build-test.sh
index 15f8a54d910..bc233673900 100755
--- a/.github/workflows/build-test.sh
+++ b/.github/workflows/build-test.sh
@@ -30,7 +30,6 @@ PACKAGES=( libarchive-dev libblkid-dev libbpf-dev - libcap-dev libcurl4-gnutls-dev libfdisk-dev libfido2-dev
diff --git a/README b/README
index eea3a55fbb8..2e3acdd9070 100644
--- a/README
+++ b/README
@@ -212,7 +212,6 @@ REQUIREMENTS: glibc >= 2.31 libxcrypt or glibc (<= 2.38 built with --enable-crypt) - libcap libmount >= 2.30 (from util-linux) (util-linux *must* be built without --enable-libmount-support-mtab) libseccomp >= 2.3.1 (optional)
diff --git a/TODO b/TODO
index 5f973951887..9410eed2d78 100644
--- a/TODO
+++ b/TODO
@@ -1640,10 +1640,6 @@ Features: work for ECDSA keys since their signatures contain a random component, but will work for RSA and Ed25519 keys. -* drop dependency on libcap, replace by direct syscalls based on - CapabilityQuintet we already have. (This likely allows us to drop libcap - dep in the base OS image) - * userdbd: implement an additional varlink service socket that provides the host user db in restricted form, then allow this to be bind mounted into sandboxed environments that want the host database in minimal form. All 
diff --git a/docs/MINIMAL_BUILDS.md b/docs/MINIMAL_BUILDS.md
index 1fc85e7b37c..3226b812f70 100644
--- a/docs/MINIMAL_BUILDS.md
+++ b/docs/MINIMAL_BUILDS.md 
@@ -20,8 +20,6 @@ If such modularity is required that goes beyond what we support in the configure For example: if all you want is the tmpfiles tool, then build systemd normally, and list only /usr/bin/systemd-tmpfiles in the .spec file for your RPM package. This is simple to do, allows you to pick exactly what you need, but requires a larger number of build dependencies (but not runtime dependencies). -2. If you want to reduce the build time dependencies (though only dbus and libcap are needed as build time deps) and you know the specific component you are interested in doesn't need it, then create a dummy .pc file for that dependency (i.e. basically empty), and configure systemd with PKG_CONFIG_PATH set to the path of these dummy .pc files. Then, build only the few bits you need with "make foobar", where foobar is the file you need. +2. If you want to reduce the build time dependencies (though only dbus is needed as build time deps) and you know the specific component you are interested in doesn't need it, then create a dummy .pc file for that dependency (i.e. basically empty), and configure systemd with PKG_CONFIG_PATH set to the path of these dummy .pc files. Then, build only the few bits you need with "make foobar", where foobar is the file you need. We are open to merging patches for the build system that make more "fringe" components of systemd optional. However, please be aware that in order to keep the complexity of our build system small and its readability high, and to make our lives easier, we will not accept patches that make the minimal core components optional, i.e. systemd itself, journald and udevd. - -Note that the .pc file trick mentioned above currently doesn't work for libcap, since libcap doesn't provide a .pc file. We invite you to go ahead and post a patch to libcap upstream to get this corrected. We'll happily change our build system to look for that .pc file then. (a .pc file has been sent to upstream by Bryan Kadzban). 
diff --git a/meson.build b/meson.build
index 80ea425259f..ef84bd2512e 100644
--- a/meson.build
+++ b/meson.build
@@ -692,7 +692,6 @@ conf.set('GPERF_LEN_TYPE', gperf_len_type, foreach header : [ 'crypt.h', - 'sys/capability.h', ] if not cc.has_header(header)
@@ -1001,7 +1000,6 @@ threads = dependency('threads') librt = cc.find_library('rt') libm = cc.find_library('m') libdl = cc.find_library('dl') -libcap = dependency('libcap') # On some architectures, libatomic is required. But on some installations, # it is found, but actual linking fails. So let's try to use it opportunistically.
@@ -2141,8 +2139,7 @@ if static_libsystemd != 'false' install_tag: 'libsystemd', install_dir : libdir, pic : static_libsystemd_pic, - dependencies : [libcap, - libdl, + dependencies : [libdl, libgcrypt_cflags, liblz4_cflags, libm,
diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 64c555110ce..3088fdb79ff 100644
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -1,7 +1,7 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #pragma once -#include /* IWYU pragma: export */ +#include /* IWYU pragma: export */ #include "basic-forward.h"
@@ -59,9 +59,6 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities); int drop_capability(unsigned cap); int keep_capability(unsigned cap); -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(cap_t, cap_free, NULL); -#define _cleanup_cap_free_ _cleanup_(cap_freep) - static inline uint64_t all_capabilities(void) { return UINT64_MAX >> (63 - cap_last_cap()); }
diff --git a/src/basic/meson.build b/src/basic/meson.build
index 79af468381f..3ae3517a269 100644
--- a/src/basic/meson.build
+++ b/src/basic/meson.build
@@ -202,8 +202,7 @@ libbasic_static = static_library( fundamental_sources, include_directories : basic_includes, implicit_include_directories : false, - dependencies : [libcap, - libdl, + dependencies : [libdl, libgcrypt_cflags, liblz4_cflags, libm, 
diff --git a/src/libsystemd/libsystemd.pc.in b/src/libsystemd/libsystemd.pc.in
index 8932eee8a31..3a43ef60710 100644
--- a/src/libsystemd/libsystemd.pc.in
+++ b/src/libsystemd/libsystemd.pc.in
@@ -18,4 +18,3 @@ URL: {{PROJECT_URL}} Version: {{PROJECT_VERSION}} Libs: -L${libdir} -lsystemd Cflags: -I${includedir} -Requires.private: libcap
diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in
index a3f9f7b4f4d..6541bcb1ab6 100644
--- a/src/libudev/libudev.pc.in
+++ b/src/libudev/libudev.pc.in
@@ -18,4 +18,3 @@ Version: {{PROJECT_VERSION}} Libs: -L${libdir} -ludev Libs.private: -lrt -pthread Cflags: -I${includedir} -Requires.private: libcap
diff --git a/src/shared/meson.build b/src/shared/meson.build
index b2f8f61f237..09dd6ded0f0 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -361,7 +361,6 @@ libshared_deps = [threads, libacl_cflags, libaudit_cflags, libblkid_cflags, - libcap, libcrypt, libdl, libgcrypt_cflags,
diff --git a/src/systemctl/meson.build b/src/systemctl/meson.build
index 21d57269eba..04af155cdcb 100644
--- a/src/systemctl/meson.build
+++ b/src/systemctl/meson.build
@@ -56,7 +56,6 @@ executables += [ 'extract' : systemctl_extract_sources, 'link_with' : systemctl_link_with, 'dependencies' : [ - libcap, liblz4_cflags, libxz_cflags, libzstd_cflags,
diff --git a/src/test/meson.build b/src/test/meson.build
index 0b69fc8b9f6..a1f16ae1a1c 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -69,6 +69,8 @@ simple_tests += files( 'test-bus-unit-util.c', 'test-bus-util.c', 'test-calendarspec.c', + 'test-capability-list.c', + 'test-capability-util.c', 'test-cgroup-setup.c', 'test-cgroup-util.c', 'test-chase.c', 
@@ -255,14 +257,6 @@ executables += [ 'sources' : files('test-btrfs-physical-offset.c'), 'type' : 'manual', }, - test_template + { - 'sources' : files('test-capability-list.c'), - 'dependencies' : libcap, - }, - test_template + { - 'sources' : files('test-capability-util.c'), - 'dependencies' : libcap, - }, test_template + { 'sources' : files('test-chase-manual.c'), 'type' : 'manual',
diff --git a/src/test/test-capability-list.c b/src/test/test-capability-list.c
index c57b57acf82..9996196426c 100644
--- a/src/test/test-capability-list.c
+++ b/src/test/test-capability-list.c
@@ -11,11 +11,6 @@ #include "strv.h" #include "tests.h" -static inline void cap_free_charpp(char **p) { - if (*p) - cap_free(*p); -} - /* verify the capability parser */ TEST(cap_list) { assert_se(!capability_to_name(-1));
@@ -48,25 +43,6 @@ TEST(cap_list) { assert_se(capability_from_name("63") == -EINVAL); assert_se(capability_from_name("64") == -EINVAL); assert_se(capability_from_name("-1") == -EINVAL); - - for (unsigned i = 0; i < capability_list_length(); i++) { - _cleanup_(cap_free_charpp) char *a = NULL; - const char *b; - unsigned u; - - assert_se(a = cap_to_name(i)); - - /* quit the loop as soon as libcap starts returning - * numeric ids, formatted as strings */ - if (safe_atou(a, &u) >= 0) - break; - - assert_se(b = capability_to_name(i)); - - printf("%s vs. %s\n", a, b); - - assert_se(strcasecmp(a, b) == 0); - } } static void test_capability_set_one(uint64_t c, const char *t) {
diff --git a/tools/oss-fuzz.sh b/tools/oss-fuzz.sh
index 6df95afcfe4..39300b28dbf 100755
--- a/tools/oss-fuzz.sh
+++ b/tools/oss-fuzz.sh 
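Review bot: The loop deleted at the end of `TEST(cap_list)` in src/test/test-capability-list.c (second hunk of that file) was the only check visible here that compared `capability_to_name()` against an independent source, libcap's `cap_to_name()`, and the commit puts nothing in its place. A wrong entry in the name table would make a capability name resolve to a different capability number, so a libcap-free replacement is worth keeping. I would add a loop after the last `capability_from_name()` assertion that checks the two lookup directions agree for every index below `capability_list_length()`, as sketched below. That does not verify the numbering itself, so a few names pinned to their `CAP_*` constants are also needed if the part of the test outside the hunk does not already have them; the body of `TEST(cap_list)` starts outside the hunk.

```c
        assert_se(capability_from_name("-1") == -EINVAL);

        /* Self-consistency check that needs no libcap: every index that has a
         * name must map back to itself. */
        for (unsigned i = 0; i < capability_list_length(); i++) {
                const char *name = capability_to_name(i);

                if (!name)
                        continue;

                assert_se(capability_from_name(name) == (int) i);
        }
```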
@@ -42,11 +42,11 @@ else apt-get update apt-get install -y gperf m4 gettext python3-pip \ - libcap-dev libmount-dev \ + libmount-dev \ pkg-config wget python3-jinja2 zipmerge zstd if [[ "$ARCHITECTURE" == i386 ]]; then - apt-get install -y pkg-config:i386 libcap-dev:i386 libmount-dev:i386 + apt-get install -y pkg-config:i386 libmount-dev:i386 fi pip3 install -r .github/workflows/requirements.txt --require-hashes -- 2.47.3