Prepare for using libcap-ng

diff --git a/ChangeLog b/ChangeLog
index a48d5fe4a68ab720189615c20cc2abb91ad2f885..c25b94cb634d125a27432acfa63cb07837f396db 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Mon Jun 29 12:28:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
+
+       Prepare for using libcap-ng
+       * configure.in: Add check for libcap-ng
+       * libvirt.spec.in: Build with libcap-ng on Fedora >= 12
+
 Mon Jun 29 12:01:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
 
        Add HACKING doc to the website

diff --git a/configure.in b/configure.in
index 2c20f5717c43eb21ed18b2fa66d3b1036b25d66f..5b79080d887f6c54e73d80d0f716e4b5f1697038 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -768,6 +768,49 @@ AM_CONDITIONAL([HAVE_NUMACTL], [test "$with_numactl" != "no"])
 AC_SUBST([NUMACTL_CFLAGS])
 AC_SUBST([NUMACTL_LIBS])
 
+
+
+dnl libcap-ng
+AC_ARG_WITH([capng],
+  [  --with-capng         use libcap-ng to reduce libvirtd privileges],
+  [],
+  [with_capng=check])
+
+dnl
+dnl This check looks for 'capng_updatev' since that was
+dnl introduced in 0.4.0 release which need as minimum
+dnl
+CAPNG_CFLAGS=
+CAPNG_LIBS=
+if test "$with_qemu" = "yes" -a "$with_capng" != "no"; then
+  old_cflags="$CFLAGS"
+  old_libs="$LIBS"
+  if test "$with_capng" = "check"; then
+    AC_CHECK_HEADER([cap-ng.h],[],[with_capng=no])
+    AC_CHECK_LIB([cap-ng], [capng_updatev],[],[with_capng=no])
+    if test "$with_capng" != "no"; then
+      with_capng="yes"
+    fi
+  else
+    fail=0
+    AC_CHECK_HEADER([cap-ng.h],[],[fail=1])
+    AC_CHECK_LIB([cap-ng], [capng_updatev],[],[fail=1])
+    test $fail = 1 &&
+      AC_MSG_ERROR([You must install the capng >= 0.4.0 development package in order to compile and run libvirt])
+  fi
+  CFLAGS="$old_cflags"
+  LIBS="$old_libs"
+fi
+if test "$with_capng" = "yes"; then
+  CAPNG_LIBS="-lcap-ng"
+  AC_DEFINE_UNQUOTED([HAVE_CAPNG], 1, [whether capng is available for privilege reduction])
+fi
+AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"])
+AC_SUBST([CAPNG_CFLAGS])
+AC_SUBST([CAPNG_LIBS])
+
+
+
 dnl virsh libraries
 AC_CHECK_HEADERS([readline/readline.h])
 
@@ -1492,6 +1535,11 @@ AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS])
 else
 AC_MSG_NOTICE([ numactl: no])
 fi
+if test "$with_capng" = "yes" ; then
+AC_MSG_NOTICE([   capng: $CAPNG_CFLAGS $CAPNG_LIBS])
+else
+AC_MSG_NOTICE([   capng: no])
+fi
 if test "$with_xen" = "yes" ; then
 AC_MSG_NOTICE([     xen: $XEN_CFLAGS $XEN_LIBS])
 else

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 6ba5405bc2d70d5d214553a4e21db6e3f30bb806..95b61c2a32697ebaeac4da6ded2c344c2bf5397a 100644 (file)
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -7,7 +7,8 @@
 %define with_lxc           0%{!?_without_lxc:1}
 %define with_sasl          0%{!?_without_sasl:1}
 %define with_avahi         0%{!?_without_avahi:1}
-%define with_polkit        0%{!?_without_polkit:1}
+# default to off
+%define with_polkit        0%{!?_without_polkit:0}
 %define with_python        0%{!?_without_python:1}
 %define with_libvirtd      0%{!?_without_libvirtd:1}
 %define with_uml           0%{!?_without_uml:1}
@@ -18,6 +19,8 @@
 %define with_storage_iscsi 0%{!?_without_storage_iscsi:1}
 %define with_storage_disk  0%{!?_without_storage_disk:1}
 %define with_numactl       0%{!?_without_numactl:1}
+# default to off
+%define with_capng         0%{!?_without_capng:0}
 
 # Xen is available only on i386 x86_64 ia64
 %ifnarch i386 i586 i686 x86_64 ia64
@@ -39,6 +42,10 @@
 %define with_xen_proxy 0
 %endif
 
+%if 0%{?fedora} >= 12
+%define with_capng     0%{!?_without_capng:1}
+%endif
+
 #
 # If building on RHEL switch on the specific support
 #
@@ -166,6 +173,9 @@ BuildRequires: parted-devel
 # For QEMU/LXC numa info
 BuildRequires: numactl-devel
 %endif
+%if %{with_capng}
+BuildRequires: capng-devel >= 0.5.0
+%endif
 Obsoletes: libvir
 
 # Fedora build root suckage