From fa5cb3ddd4b1fc73762afa839593901fc58d2e36 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sun, 4 Oct 2009 13:46:38 +1300
Subject: [PATCH] Correct LINUX_CAPABILITY actions on non-Linux

non-Linux should not set transparency OFF, just because they dont have
Linux syscap.

Also kill bad use of goto. Should have been an if-else sequence.
---
 src/tools.cc | 59 +++++++++++++++++++++++++---------------------------
 1 file changed, 28 insertions(+), 31 deletions(-)

diff --git a/src/tools.cc b/src/tools.cc
index ca8d6a8bbc..d97a93a450 100644
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -1356,7 +1356,10 @@ keepCapabilities(void)
 static void
 restoreCapabilities(int keep)
 {
-#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
+/* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
+#if defined(_SQUID_LINUX_)
+
+#if HAVE_SYS_CAPABILITY_H
 #ifndef _LINUX_CAPABILITY_VERSION_1
 #define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
 #endif
@@ -1366,54 +1369,48 @@ restoreCapabilities(int keep)
     head->version = _LINUX_CAPABILITY_VERSION_1;
 
     if (capget(head, cap) != 0) {
-        debugs(50, 1, "Can't get current capabilities");
-        goto nocap;
+        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
     }
-
-    if (head->version != _LINUX_CAPABILITY_VERSION_1) {
-        debugs(50, 1, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
-        goto nocap;
+    else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
+        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
     }
+    else {
 
-    head->pid = 0;
-
-    cap->inheritable = 0;
-    cap->effective = (1 << CAP_NET_BIND_SERVICE);
-#if LINUX_TPROXY
-
-    if (need_linux_tproxy)
-        cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST);
-
-#endif
+        head->pid = 0;
 
-    if (!keep)
-        cap->permitted &= cap->effective;
+        cap->inheritable = 0;
+        cap->effective = (1 << CAP_NET_BIND_SERVICE);
 
-    if (capset(head, cap) != 0) {
-        /* Silent failure unless TPROXY is required */
 #if LINUX_TPROXY
-
         if (need_linux_tproxy)
-            debugs(50, 1, "Error enabling needed capabilities. Will continue without tproxy support");
+            cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST);
+#endif
 
-        need_linux_tproxy = 0;
+        if (!keep)
+            cap->permitted &= cap->effective;
 
+        if (capset(head, cap) != 0) {
+            /* Silent failure unless TPROXY is required */
+#if LINUX_TPROXY
+            if (need_linux_tproxy)
+                debugs(50, 1, "Error enabling needed capabilities. Will continue without tproxy support");
+            need_linux_tproxy = 0;
 #endif
-
+        }
     }
 
-nocap:
     xfree(head);
     xfree(cap);
-#else
-#if LINUX_TPROXY
 
+#else /* not HAVE_SYS_CAPABILITY_H */
+
+#if LINUX_TPROXY
     if (need_linux_tproxy)
         debugs(50, 1, "Missing needed capability support. Will continue without tproxy support");
-
     need_linux_tproxy = 0;
-
 #endif
 
-#endif
+#endif /* HAVE_SYS_CAPABILITY_H */
+
+#endif /* !defined(_SQUID_LINUX_) */
 }
-- 
2.47.2