Author: Alin Nastac <mrness@gentoo.org>

Cleanup: deprecate ugly hack for sys/capability.h

Needed once to prevent build clashes between libc and sys/capabilility.h
headers. As of libcap2 that is no longer the case and from 2.26 in fact
prevents a clean build.

Add detection for libcap to enable the hack only if actually needed.

Add --disable-caps option to disabke libcap and TPROXY2

diff --git a/configure.in b/configure.in
index 2f697510bab59b31702137344315ed657fbfa9e7..987a9640e1fe09f5bc61ee335eeeb5480812497e 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1961,6 +1961,7 @@ AC_CHECK_HEADERS( \
        ipl.h \
        libc.h \
        limits.h \
+       linux/types.h \
        machine/byte_swap.h \
        malloc.h \
        math.h \
@@ -2019,8 +2020,7 @@ AC_CHECK_HEADERS( \
        inttypes.h \
        grp.h \
        db.h \
-       db_185.h \
-       sys/capability.h
+       db_185.h
 )
 
 AC_CHECK_HEADERS(
@@ -2285,6 +2285,29 @@ AC_CHECK_TYPE(socklen_t,AC_DEFINE(HAVE_SOCKLEN_T,1,[socklen_t is defined by the
 #include <stddef.h>
 #endif])
 
+dnl Check for libcap header (assume its not broken unless 
+use_caps=yes
+AC_ARG_ENABLE(caps, AS_HELP_STRING([--disable-caps],[disable usage of Linux capabilities library to control privileges]),
+[ if test "x$enableval" = "xyes" ; then
+    AC_MSG_RESULT(forced yes)
+  else
+    AC_MSG_RESULT(no)
+    use_caps=no
+  fi
+],[AC_MSG_RESULT(yes)])
+if test "x$use_caps" = "xyes"; then
+  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  libcap_broken=1
+  AC_CHECK_HEADERS(sys/capability.h)
+  AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/capability.h>]], [[
+                    capget(NULL, NULL);
+                    capset(NULL, NULL);
+                   ]])],[libcap_broken=0],[])
+  )
+  AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+fi
+
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include <sys/types.h>
 #include <sys/ipc.h>
 #include <sys/msg.h>])
@@ -2939,7 +2962,7 @@ if test "$LINUX_NETFILTER" ; then
         AC_DEFINE(LINUX_NETFILTER, 0)
     fi
     AC_MSG_RESULT($LINUX_NETFILTER)
-fi 
+fi
 if test "$LINUX_NETFILTER" = "no" ; then
     echo "WARNING: Cannot find necessary Linux kernel (Netfilter) header files"
     echo "         Linux Transparent Proxy support WILL NOT be enabled"
@@ -2949,6 +2972,7 @@ fi
 dnl Linux Netfilter/TPROXY support requires some specific header files
 dnl Shamelessly copied from shamelessly copied from above
 if test "$LINUX_TPROXY" ; then
+  if test "$use_caps" = "yes"; then
     AC_MSG_CHECKING(if TPROXY header files are installed)
     # hold on to your hats...
     if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
@@ -2959,11 +2983,17 @@ if test "$LINUX_TPROXY" ; then
        AC_DEFINE(LINUX_TPROXY, 0, [Enable real Transparent Proxy support for Netfilter TPROXY.])
     fi
     AC_MSG_RESULT($LINUX_TPROXY)
+  else
+    AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY v2])
+    AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled])
+    LINUX_TPROXY="no"
+  fi
 fi
 if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
     echo "WARNING: Cannot find TPROXY headers, you need to install the"
     echo "tproxy package from:"
     echo " - lynx http://www.balabit.com/downloads/tproxy/"
+    echo "And libcap-dev or libcap2-dev"
     sleep 10
 fi
 

diff --git a/include/squid_types.h b/include/squid_types.h
index 4492d2ebb6f3b301f3a671aded97d440c6a31109..a5f77c467bea1e22c1a3fc50ebe75db0a70f118f 100644 (file)
--- a/include/squid_types.h
+++ b/include/squid_types.h
@@ -60,6 +60,9 @@
 #if HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#if HAVE_LINUX_TYPES_H
+#include <linux/types.h>
+#endif
 #if STDC_HEADERS
 #include <stdlib.h>
 #include <stddef.h>

diff --git a/src/tools.cc b/src/tools.cc
index d97a93a450e4f36c8056ebb663bd984b61d0ab31..1dad7ebbe401725def18986d5ad8586fec7aaa3d 100644 (file)
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -40,16 +40,16 @@
 #include "wordlist.h"
 #include "SquidTime.h"
 
-#ifdef _SQUID_LINUX_
-#if HAVE_SYS_CAPABILITY_H
+#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
+// HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+#if LIBCAP_BROKEN
 #undef _POSIX_SOURCE
-/* Ugly glue to get around linux header madness colliding with glibc */
 #define _LINUX_TYPES_H
 #define _LINUX_FS_H
 typedef uint32_t __u32;
-#include <sys/capability.h>
-#endif
 #endif
+#include <sys/capability.h>
+#endif /* HAVE_SYS_CAPABILITY_H */
 
 #if HAVE_SYS_PRCTL_H
 #include <sys/prctl.h>