From: Amos Jeffries Date: Thu, 7 Mar 2024 09:55:50 +0000 (+0000) Subject: Maintenance: update --with-cap detection (#1718) X-Git-Tag: SQUID_7_0_1~180 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4106ed2554ddf040141628e8dde7f65dfd6dfa5c;p=thirdparty%2Fsquid.git Maintenance: update --with-cap detection (#1718) --- diff --git a/configure.ac b/configure.ac index 6d75c0e852..6202dfafdf 100644 --- a/configure.ac +++ b/configure.ac @@ -2019,20 +2019,13 @@ AC_FUNC_ALLOCA SQUID_AUTO_LIB(cap,[Linux capabilities],[LIBCAP]) SQUID_CHECK_LIB_WORKS(cap,[ SQUID_STATE_SAVE(squid_libcap_state) - CXXFLAGS="$LIBCAP_CFLAGS $CXXFLAGS" - LDFLAGS="$LIBCAP_PATH $LDFLAGS" - PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[],[ - # cap_clear_flag is the most recent libcap function we require - AC_CHECK_LIB([cap],[cap_clear_flag],[LIBCAP_LIBS="$LIBCAP_LIBS -lcap"]) - ]) + PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[:],[:]) + CPPFLAGS="$LIBCAP_CFLAGS $CPPFLAGS" + LIBS="$LIBCAP_PATH $LIBCAP_LIBS $LIBS" SQUID_CHECK_FUNCTIONAL_LIBCAP2 AC_MSG_NOTICE([libcap headers are ok: $squid_cv_sys_capability_works]) AS_IF([test "x$squid_cv_sys_capability_works" = "xno"],[LIBCAP_LIBS=""]) SQUID_STATE_ROLLBACK(squid_libcap_state) - - AS_IF([test "x$LIBCAP_LIBS" != "x"],[ - AC_DEFINE(USE_LIBCAP,1,[Linux capabilities library support]) - ]) ]) dnl Check for needed libraries diff --git a/squid.dox b/squid.dox index f76f802945..6f6fce508f 100644 --- a/squid.dox +++ b/squid.dox @@ -2066,6 +2066,7 @@ INCLUDE_FILE_PATTERNS = PREDEFINED = __cplusplus \ FOLLOW_X_FORWARDED_FOR \ FORW_VIA_DB \ + HAVE_LIBCAP \ HAVE_LIBGNUTLS \ ICAP_CLIENT \ HAVE_LIBHEIMDAL_KRB5 \ @@ -2090,7 +2091,6 @@ PREDEFINED = __cplusplus \ USE_IDENT \ USE_IPV6 \ USE_KQUEUE \ - USE_LIBCAP \ USE_LOADABLE_MODULES \ USE_OPENSSL \ USE_POLL \ diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 3bc6c1871d..f8f8757ccc 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc 
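Review bot: Detection of libcap in this configure.ac hunk now rests entirely on pkg-config. The `AC_CHECK_LIB([cap],[cap_clear_flag],...)` fallback is removed and both outcome arguments of `PKG_CHECK_MODULES` are `[:]`, so a host whose libcap ships no `.pc` file leaves `LIBCAP_LIBS` empty without any message. `HAVE_LIBCAP` gates the capability handling in src/tools.cc and src/icmp/pinger.cc later in this commit, so such a build would presumably lose it quietly; where `HAVE_LIBCAP` gets defined is not visible here. I would report the miss, e.g. `PKG_CHECK_MODULES([LIBCAP],[libcap >= 2.09],[:],[AC_MSG_NOTICE([pkg-config found no libcap >= 2.09])])`.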
@@ -1676,7 +1676,7 @@ free_acl_tos(acl_tos ** head) *head = nullptr; } -#if SO_MARK && USE_LIBCAP +#if HAVE_LIBCAP && SO_MARK static void dump_acl_nfmark(StoreEntry * entry, const char *name, acl_nfmark * head) @@ -1719,7 +1719,7 @@ free_acl_nfmark(acl_nfmark ** head) delete *head; *head = nullptr; } -#endif /* SO_MARK */ +#endif /* HAVE_LIBCAP && SO_MARK */ static void dump_acl_b_size_t(StoreEntry * entry, const char *name, AclSizeLimit * head) diff --git a/src/cf.data.pre b/src/cf.data.pre index 51bb2d5a85..15fe637ec0 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2714,7 +2714,7 @@ DOC_END NAME: tcp_outgoing_mark TYPE: acl_nfmark -IFDEF: SO_MARK&&USE_LIBCAP +IFDEF: HAVE_LIBCAP&&SO_MARK DEFAULT: none LOC: Ip::Qos::TheConfig.nfmarkToServer DOC_START @@ -2736,7 +2736,7 @@ DOC_END NAME: mark_client_packet clientside_mark TYPE: acl_nfmark -IFDEF: SO_MARK&&USE_LIBCAP +IFDEF: HAVE_LIBCAP&&SO_MARK DEFAULT: none LOC: Ip::Qos::TheConfig.nfmarkToClient DOC_START @@ -2762,7 +2762,7 @@ DOC_END NAME: mark_client_connection TYPE: acl_nfmark -IFDEF: SO_MARK&&USE_LIBCAP +IFDEF: HAVE_LIBCAP&&SO_MARK DEFAULT: none LOC: Ip::Qos::TheConfig.nfConnmarkToClient DOC_START diff --git a/src/cf_gen_defines b/src/cf_gen_defines index 283c3e6ecc..46a8dbd2c1 100644 --- a/src/cf_gen_defines +++ b/src/cf_gen_defines 
@@ -26,10 +26,10 @@ BEGIN { define["FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools" define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic" define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest" + define["HAVE_LIBCAP&&SO_MARK"]="--with-cap and Packet MARK (Linux)" define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl" define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()" define["ICAP_CLIENT"]="--enable-icap-client" - define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)" define["SQUID_SNMP"]="--enable-snmp" define["USE_ADAPTATION"]="--enable-ecap or --enable-icap-client" define["USE_AUTH"]="--enable-auth" diff --git a/src/icmp/pinger.cc b/src/icmp/pinger.cc index 951c177332..6d0952e2b9 100644 --- a/src/icmp/pinger.cc +++ b/src/icmp/pinger.cc @@ -164,7 +164,7 @@ main(int, char **) exit(EXIT_FAILURE); } -#if USE_LIBCAP +#if HAVE_LIBCAP // Drop remaining capabilities (if installed as non-setuid setcap cap_net_raw=ep). // If pinger binary was installed setuid root, setuid() above already dropped all // capabilities, and this is no-op. diff --git a/src/ip/QosConfig.cc b/src/ip/QosConfig.cc index ad32975f6b..aede0c613b 100644 --- a/src/ip/QosConfig.cc +++ b/src/ip/QosConfig.cc @@ -315,7 +315,7 @@ Ip::Qos::Config::parseConfigLine() // Work out TOS or mark. Default to TOS for backwards compatibility if (!(mark || tos)) { if (strncmp(token, "mark",4) == 0) { -#if SO_MARK && USE_LIBCAP +#if HAVE_LIBCAP && SO_MARK mark = true; // Assume preserve is true. We don't set at initialisation as this affects isHitNfmarkActive() #if USE_LIBNETFILTERCONNTRACK 
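Review bot: In the src/icmp/pinger.cc hunk, the capability drop sits behind `#if HAVE_LIBCAP` with no `#else` visible. A build without libcap would therefore compile the drop away, and a pinger installed with `setcap cap_net_raw=ep` would keep that capability for its whole run. The block continues outside the hunk, so a fallback may exist further down; if there is none, the comment should say so. For example, add `// Requires a --with-cap build: without libcap a setcap-installed pinger keeps cap_net_raw.` above the existing comment lines.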
@@ -325,13 +325,11 @@ Ip::Qos::Config::parseConfigLine() debugs(3, DBG_IMPORTANT, "WARNING: Squid not compiled with Netfilter conntrack library. " << "Netfilter mark preservation not available."); #endif // USE_LIBNETFILTERCONNTRACK -#elif SO_MARK // SO_MARK && USE_LIBCAP - throw TextException(ToSBuf("Invalid parameter 'mark' in qos_flows option. ", - "Linux Netfilter marking not available on this platform."), Here()); -#else // SO_MARK && USE_LIBCAP + +#else // HAVE_LIBCAP && SO_MARK throw TextException(ToSBuf("Invalid parameter 'mark' in qos_flows option. ", "Linux Netfilter marking not available on this platform."), Here()); -#endif // SO_MARK && USE_LIBCAP +#endif } else if (strncmp(token, "tos",3) == 0) { preserveMissTos = true; tos = true; @@ -563,7 +561,7 @@ Ip::Qos::setSockTos(const Comm::ConnectionPointer &conn, tos_t tos) int Ip::Qos::setSockNfmark(const int fd, nfmark_t mark) { -#if SO_MARK && USE_LIBCAP +#if HAVE_LIBCAP && SO_MARK debugs(50, 3, "for FD " << fd << " to " << mark); const int x = setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(nfmark_t)); if (x < 0) { @@ -571,7 +569,7 @@ Ip::Qos::setSockNfmark(const int fd, nfmark_t mark) debugs(50, 2, "setsockopt(SO_MARK) on " << fd << ": " << xstrerr(xerrno)); } return x; -#elif USE_LIBCAP +#elif HAVE_LIBCAP (void)mark; (void)fd; debugs(50, DBG_IMPORTANT, "WARNING: setsockopt(SO_MARK) not supported on this platform"); @@ -579,7 +577,7 @@ Ip::Qos::setSockNfmark(const int fd, nfmark_t mark) #else (void)mark; (void)fd; - debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (netfilter marking requires build with LIBCAP)"); + debugs(50, DBG_IMPORTANT, "WARNING: Netfilter marking disabled (requires build --with-cap)"); return -1; #endif } diff --git a/src/tools.cc b/src/tools.cc index 2c1e340c6b..ae3eb0a5d8 100644 --- a/src/tools.cc +++ b/src/tools.cc 
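Review bot: The `#else` arm kept in the -325 hunk of src/ip/QosConfig.cc still throws "Linux Netfilter marking not available on this platform.", but with the `#elif SO_MARK` arm removed it is also the path taken when the platform has SO_MARK and only libcap is missing. The same commit rewords the setSockNfmark() warning to `(requires build --with-cap)`, so the parse error could name the build option too, e.g. `"Linux Netfilter marking not available (requires SO_MARK and build --with-cap)."`. The `StopTransparency("Missing needed capability support.")` text in src/tools.cc has the same gap. parseConfigLine() starts and ends outside the hunk.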
@@ -1121,8 +1121,7 @@ strwordquote(MemBuf * mb, const char *str) void keepCapabilities(void) { -#if USE_LIBCAP && HAVE_PRCTL && defined(PR_SET_KEEPCAPS) - +#if HAVE_LIBCAP && HAVE_PRCTL && defined(PR_SET_KEEPCAPS) if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { Ip::Interceptor.StopTransparency("capability setting has failed."); } @@ -1132,8 +1131,7 @@ keepCapabilities(void) static void restoreCapabilities(bool keep) { - /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */ -#if USE_LIBCAP +#if HAVE_LIBCAP cap_t caps; if (keep) caps = cap_get_proc(); @@ -1169,11 +1167,13 @@ restoreCapabilities(bool keep) cap_free(caps); } #elif _SQUID_LINUX_ - (void)keep; + /* Linux requires syscap support from libcap. */ Ip::Interceptor.StopTransparency("Missing needed capability support."); + (void)keep; #else + /* Non-Linux transparent proxy works with or without libcap support. */ (void)keep; -#endif /* HAVE_SYS_CAPABILITY_H */ +#endif } pid_t
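Review bot: The closing `#endif` of restoreCapabilities() in the -1169 hunk is left bare, although the conditional it closes opens in the previous hunk and has three arms. Dropping the old `HAVE_SYS_CAPABILITY_H` text is right, since it named the wrong macro, but I would label the line `#endif /* HAVE_LIBCAP */`, in line with the `#endif /* HAVE_LIBCAP && SO_MARK */` this commit adds in src/cache_cf.cc. The new comment `/* Linux requires syscap support from libcap. */` could also state the consequence the next line implements, e.g. `/* Linux without libcap: capabilities cannot be adjusted here, so interception is stopped. */`.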