SQUID_AUTO_LIB(cap,[Linux capabilities],[LIBCAP])
SQUID_CHECK_LIB_WORKS(cap,[
SQUID_STATE_SAVE(squid_libcap_state)
- CXXFLAGS="$LIBCAP_CFLAGS $CXXFLAGS"
- LDFLAGS="$LIBCAP_PATH $LDFLAGS"
- PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[],[
- # cap_clear_flag is the most recent libcap function we require
- AC_CHECK_LIB([cap],[cap_clear_flag],[LIBCAP_LIBS="$LIBCAP_LIBS -lcap"])
- ])
+ PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[:],[:])
+ CPPFLAGS="$LIBCAP_CFLAGS $CPPFLAGS"
+ LIBS="$LIBCAP_PATH $LIBCAP_LIBS $LIBS"
SQUID_CHECK_FUNCTIONAL_LIBCAP2
AC_MSG_NOTICE([libcap headers are ok: $squid_cv_sys_capability_works])
AS_IF([test "x$squid_cv_sys_capability_works" = "xno"],[LIBCAP_LIBS=""])
SQUID_STATE_ROLLBACK(squid_libcap_state)
-
- AS_IF([test "x$LIBCAP_LIBS" != "x"],[
- AC_DEFINE(USE_LIBCAP,1,[Linux capabilities library support])
- ])
])
dnl Check for needed libraries
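Review bot: The new PKG_CHECK_MODULES call at L10 passes `[:]` as its not-found action, so when pkg-config or libcap.pc is missing, LIBCAP_LIBS stays empty and configure continues without comment; the removed AC_CHECK_LIB fallback (L8) previously still located -lcap on such systems. Unless SQUID_CHECK_LIB_WORKS itself fails the build when the library was explicitly requested (its definition is not visible here), a Linux build can quietly end up without HAVE_LIBCAP, and in this same commit that means the pinger's remaining-capability drop guarded at L85 is compiled out and restoreCapabilities gives up transparency at runtime (L157-L160). Suggest at least reporting the fallback so the loss of privilege handling is visible in the configure log: `PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[:],[AC_MSG_WARN([libcap >= 2.09 not found via pkg-config; Linux capability support will be disabled])])`.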
PREDEFINED = __cplusplus \
FOLLOW_X_FORWARDED_FOR \
FORW_VIA_DB \
+ HAVE_LIBCAP \
HAVE_LIBGNUTLS \
ICAP_CLIENT \
HAVE_LIBHEIMDAL_KRB5 \
USE_IDENT \
USE_IPV6 \
USE_KQUEUE \
- USE_LIBCAP \
USE_LOADABLE_MODULES \
USE_OPENSSL \
USE_POLL \
*head = nullptr;
}
-#if SO_MARK && USE_LIBCAP
+#if HAVE_LIBCAP && SO_MARK
static void
dump_acl_nfmark(StoreEntry * entry, const char *name, acl_nfmark * head)
delete *head;
*head = nullptr;
}
-#endif /* SO_MARK */
+#endif /* HAVE_LIBCAP && SO_MARK */
static void
dump_acl_b_size_t(StoreEntry * entry, const char *name, AclSizeLimit * head)
NAME: tcp_outgoing_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK&&USE_LIBCAP
+IFDEF: HAVE_LIBCAP&&SO_MARK
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToServer
DOC_START
NAME: mark_client_packet clientside_mark
TYPE: acl_nfmark
-IFDEF: SO_MARK&&USE_LIBCAP
+IFDEF: HAVE_LIBCAP&&SO_MARK
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfmarkToClient
DOC_START
NAME: mark_client_connection
TYPE: acl_nfmark
-IFDEF: SO_MARK&&USE_LIBCAP
+IFDEF: HAVE_LIBCAP&&SO_MARK
DEFAULT: none
LOC: Ip::Qos::TheConfig.nfConnmarkToClient
DOC_START
define["FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools"
define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic"
define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest"
+ define["HAVE_LIBCAP&&SO_MARK"]="--with-cap and Packet MARK (Linux)"
define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()"
define["ICAP_CLIENT"]="--enable-icap-client"
- define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)"
define["SQUID_SNMP"]="--enable-snmp"
define["USE_ADAPTATION"]="--enable-ecap or --enable-icap-client"
define["USE_AUTH"]="--enable-auth"
exit(EXIT_FAILURE);
}
-#if USE_LIBCAP
+#if HAVE_LIBCAP
// Drop remaining capabilities (if installed as non-setuid setcap cap_net_raw=ep).
// If pinger binary was installed setuid root, setuid() above already dropped all
// capabilities, and this is no-op.
// Work out TOS or mark. Default to TOS for backwards compatibility
if (!(mark || tos)) {
if (strncmp(token, "mark",4) == 0) {
-#if SO_MARK && USE_LIBCAP
+#if HAVE_LIBCAP && SO_MARK
mark = true;
// Assume preserve is true. We don't set at initialisation as this affects isHitNfmarkActive()
#if USE_LIBNETFILTERCONNTRACK
debugs(3, DBG_IMPORTANT, "WARNING: Squid not compiled with Netfilter conntrack library. "
<< "Netfilter mark preservation not available.");
#endif // USE_LIBNETFILTERCONNTRACK
-#elif SO_MARK // SO_MARK && USE_LIBCAP
- throw TextException(ToSBuf("Invalid parameter 'mark' in qos_flows option. ",
- "Linux Netfilter marking not available on this platform."), Here());
-#else // SO_MARK && USE_LIBCAP
+
+#else // HAVE_LIBCAP && SO_MARK
throw TextException(ToSBuf("Invalid parameter 'mark' in qos_flows option. ",
"Linux Netfilter marking not available on this platform."), Here());
-#endif // SO_MARK && USE_LIBCAP
+#endif
} else if (strncmp(token, "tos",3) == 0) {
preserveMissTos = true;
tos = true;
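Review bot: After this change the `#else` branch (L105-L107) is reached both when SO_MARK is absent and when a Linux build merely lacks libcap, yet its exception text still says the feature is "not available on this platform"; the setSockNfmark warning in the same commit (L133) was reworded to point at `--with-cap`, so the configuration error an administrator actually sees should match, e.g. `"Linux Netfilter marking not available: requires SO_MARK and a build --with-cap."` as the second ToSBuf argument. As a point of style, the added bare blank line at L104 sits inside the `#if` block directly before `#else`, and the closing `#endif` at L109 dropped its tag comment while L105 kept one; `#endif // HAVE_LIBCAP && SO_MARK` would match the convention used at L47. The enclosing parsing function starts and ends outside this hunk.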
int
Ip::Qos::setSockNfmark(const int fd, nfmark_t mark)
{
-#if SO_MARK && USE_LIBCAP
+#if HAVE_LIBCAP && SO_MARK
debugs(50, 3, "for FD " << fd << " to " << mark);
const int x = setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(nfmark_t));
if (x < 0) {
debugs(50, 2, "setsockopt(SO_MARK) on " << fd << ": " << xstrerr(xerrno));
}
return x;
-#elif USE_LIBCAP
+#elif HAVE_LIBCAP
(void)mark;
(void)fd;
debugs(50, DBG_IMPORTANT, "WARNING: setsockopt(SO_MARK) not supported on this platform");
#else
(void)mark;
(void)fd;
- debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (netfilter marking requires build with LIBCAP)");
+ debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (requires build --with-cap)");
return -1;
#endif
}
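Review bot: In the `#elif HAVE_LIBCAP` branch (L125-L128) no `return -1;` is visible before `#else`, so as rendered setSockNfmark would fall off its end when libcap is present but SO_MARK is not, which is undefined behaviour for a non-void function and leaves callers with an unchecked result. This page appears to omit some context lines (L121 uses `xerrno` with no visible declaration), so this may only be a rendering gap; if the line is genuinely absent, add `return -1;` after the debugs call at L128 to match the `#else` branch at L134.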
void
keepCapabilities(void)
{
-#if USE_LIBCAP && HAVE_PRCTL && defined(PR_SET_KEEPCAPS)
-
+#if HAVE_LIBCAP && HAVE_PRCTL && defined(PR_SET_KEEPCAPS)
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
Ip::Interceptor.StopTransparency("capability setting has failed.");
}
static void
restoreCapabilities(bool keep)
{
- /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
-#if USE_LIBCAP
+#if HAVE_LIBCAP
cap_t caps;
if (keep)
caps = cap_get_proc();
cap_free(caps);
}
#elif _SQUID_LINUX_
- (void)keep;
+ /* Linux requires syscap support from libcap. */
Ip::Interceptor.StopTransparency("Missing needed capability support.");
+ (void)keep;
#else
+ /* Non-Linux transparent proxy works with or without libcap support. */
(void)keep;
-#endif /* HAVE_SYS_CAPABILITY_H */
+#endif
}
pid_t