From 1f973c6f610a565ccbc1eb15fa52a0b35c0b1aa9 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Wed, 19 Aug 2009 17:48:13 +1200 Subject: [PATCH] Author: Alin Nastac Cleanup: deprecate ugly hack for sys/capability.h Shuffle libcap v1 hack into libcompat for linux-only Needed once to prevent build clashes between libc and sys/capabilility.h headers. As of libcap2 that is no longer the case and from 2.26 in fact prevents a clean build. Add detection for libcap to enable the hack only if actually needed. Add --disable-caps option Gentoo requires this to pull in libcap dependencies via --enable-caps which is a non-operation. Using it to disable libcap usage will explicitly prevent TPROXY which depends on it from operating while netfilter NAT support remains. NP: The TPROXY v2 configure tests will not even run with caps disabled. --- compat/os/linux.h | 18 ++++++++++++ configure.in | 46 ++++++++++++++++++++++++++---- doc/release-notes/release-3.1.html | 5 ++++ doc/release-notes/release-3.1.sgml | 5 ++++ include/squid_types.h | 3 ++ src/tools.cc | 11 ------- 6 files changed, 72 insertions(+), 16 deletions(-) diff --git a/compat/os/linux.h b/compat/os/linux.h index 947de9870a..21f6663b4b 100644 --- a/compat/os/linux.h +++ b/compat/os/linux.h @@ -27,5 +27,23 @@ #endif +/* + * sys/capability.h is only needed in Linux apparently. + * + * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc + */ +#if HAVE_SYS_CAPABILITY_H + +#if LIBCAP_BROKEN +#undef _POSIX_SOURCE +#define _LINUX_TYPES_H +#define _LINUX_FS_H +typedef uint32_t __u32; +#endif + +#include +#endif /* HAVE_SYS_CAPABILITY_H */ + + #endif /* _SQUID_LINUX_ */ #endif /* SQUID_OS_LINUX_H */ diff --git a/configure.in b/configure.in index c03e2f7a66..2aa329ba1a 100644 --- a/configure.in +++ b/configure.in @@ -2091,6 +2091,7 @@ AC_CHECK_HEADERS( \ libc.h \ libgen.h \ limits.h \ + linux/types.h \ machine/byte_swap.h \ malloc.h \ math.h \ 
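Review bot: The LIBCAP_BROKEN block added to compat/os/linux.h applies `#undef _POSIX_SOURCE` and the `_LINUX_TYPES_H` / `_LINUX_FS_H` guard defines to every file that includes this header, whereas the block removed from src/tools.cc confined them to one translation unit. The header comment does not mention this wider effect, so I would extend it with something like `/* NOTE: when LIBCAP_BROKEN is set this changes feature macros and blocks the kernel type headers for every includer */`. The `typedef uint32_t __u32;` line also relies on an earlier include having declared `uint32_t`, which this hunk does not show, and that precondition belongs in the same comment.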
@@ -2154,8 +2155,7 @@ AC_CHECK_HEADERS( \ inttypes.h \ grp.h \ db.h \ - db_185.h \ - sys/capability.h + db_185.h ) AC_CHECK_HEADERS( @@ -2422,6 +2422,29 @@ AC_CHECK_TYPE(socklen_t,AC_DEFINE(HAVE_SOCKLEN_T,1,[socklen_t is defined by the #include #endif]) +dnl Check for libcap header (assume its not broken unless +use_caps=yes +AC_ARG_ENABLE(caps, AS_HELP_STRING([--disable-caps],[disable usage of Linux capabilities library to control privileges]), +[ if test "x$enableval" = "xyes" ; then + AC_MSG_RESULT(forced yes) + else + AC_MSG_RESULT(no) + use_caps=no + fi +],[AC_MSG_RESULT(yes)]) +if test "x$use_caps" = "xyes"; then + dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working) + libcap_broken=1 + AC_CHECK_HEADERS(sys/capability.h) + AC_CACHE_CHECK([for operational libcap2], $libcap_broken, + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ + capget(NULL, NULL); + capset(NULL, NULL); + ]])],[libcap_broken=0],[]) + ) + AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc]) +fi + AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include #include #include ]) 
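Review bot: In `AC_CACHE_CHECK([for operational libcap2], $libcap_broken, ...)` the second argument is the expanded value of `libcap_broken` (set to 1 on the line above), not the name of a cache variable, so the result is not stored or reported under a usable `*_cv_*` name. Passing a named variable fixes this, for example `AC_CACHE_CHECK([for operational libcap2], [squid_cv_libcap2_works], ...)` (the name is only a suggestion), setting it to `yes` or `no` in the two branches and deriving `libcap_broken` from it afterwards. LIBCAP_BROKEN decides whether the header workaround is compiled around the capability code, so this result needs to be reliable and visible in config.log. The `AC_MSG_RESULT` calls inside `AC_ARG_ENABLE(caps, ...)` have no matching `AC_MSG_CHECKING`, and the first `dnl` comment of the hunk ends mid-sentence.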
@@ -3150,16 +3173,24 @@ if test "$LINUX_NETFILTER" ; then AC_DEFINE(LINUX_NETFILTER, 0) fi AC_MSG_RESULT($LINUX_NETFILTER) -fi +fi if test "$LINUX_NETFILTER" = "no" ; then AC_MSG_WARN([Cannot find necessary Linux kernel (Netfilter) header files]) AC_MSG_WARN([Linux Transparent and Intercepting Proxy support WILL NOT be enabled]) sleep 10 fi +dnl Netfilter TPROXY depends on libcap but the NAT parts can still work. +if test "$LINUX_NETFILTER" = "yes" && test "$use_caps" != "yes" ; then + AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY]) + AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled]) + AC_MSG_WARN([Reduced support to Interception Proxy]) + sleep 10 +fi dnl Linux Netfilter/TPROXYv2 support requires some specific header files -dnl Shamelessly copied from shamelessly copied from above -if test "$LINUX_TPROXY2" ; then +dnl Shamelessly copied from above +if test "$LINUX_TPROXY2"; then + if test "$use_caps" = "yes"; then AC_MSG_CHECKING(if TPROXYv2 header files are installed) # hold on to your hats... if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then @@ -3177,6 +3208,11 @@ if test "$LINUX_TPROXY2" ; then AC_MSG_WARN([Or select the '--enable-linux-netfilter' option instead for Netfilter support.]) sleep 10 fi + else + AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY v2]) + AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled]) + sleep 10 + fi fi AC_ARG_ENABLE(gnuregex, diff --git a/doc/release-notes/release-3.1.html b/doc/release-notes/release-3.1.html index 80b46cf0f1..73a5501094 100644 --- a/doc/release-notes/release-3.1.html +++ b/doc/release-notes/release-3.1.html @@ -1704,6 +1704,11 @@ proxies.
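Review bot: The new TPROXY warning tests only `"$use_caps" != "yes"`, and in the configure.in changes shown here `use_caps` becomes `no` only through an explicit `--disable-caps`. When `sys/capability.h` is simply not found it stays `yes`, so neither this warning nor the `test "$use_caps" = "yes"` branch added in the TPROXYv2 hunk reports the missing support. The release notes in this same commit say that building without libcap breaks TPROXY, so a failed auto-detection should be reported as well. After the header check I would add `if test "x$ac_cv_header_sys_capability_h" != "xyes"; then use_caps=no; fi`. The `if test "$LINUX_NETFILTER"` block edited here begins outside the hunk.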

Disable error page localization for visitors.

error_directory option is required if this option is used.

+
--disable-caps
+

Build without libcap support. The default is to auto-detect system capabilities +and enable support when possible.

+

NOTE: Disabling this or building without libcap support will break TPROXY support.

+
--disable-ipv6

Build without IPv6 support. The default is to auto-detect system capabilities and build with IPv6 when possible.

diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 85fcc29fa3..eebf54d64c 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -1455,6 +1455,11 @@ This section gives an account of those changes in three categories:

Disable error page localization for visitors.

error_directory option is required if this option is used. + --disable-caps +

Build without libcap support. The default is to auto-detect system capabilities + and enable support when possible. +

NOTE: Disabling this or building without libcap support will break TPROXY support. + --disable-ipv6

Build without IPv6 support. The default is to auto-detect system capabilities and build with IPv6 when possible. diff --git a/include/squid_types.h b/include/squid_types.h index e7d92c76f4..0b4a60529e 100644 --- a/include/squid_types.h +++ b/include/squid_types.h @@ -60,6 +60,9 @@ #if HAVE_SYS_TYPES_H #include #endif +#if HAVE_LINUX_TYPES_H +#include +#endif #if STDC_HEADERS #include #include diff --git a/src/tools.cc b/src/tools.cc index e83e5159a4..311f007fc3 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -41,17 +41,6 @@ #include "SquidTime.h" #include "ip/IpIntercept.h" -#ifdef _SQUID_LINUX_ -#if HAVE_SYS_CAPABILITY_H -#undef _POSIX_SOURCE -/* Ugly glue to get around linux header madness colliding with glibc */ -#define _LINUX_TYPES_H -#define _LINUX_FS_H -typedef uint32_t __u32; -#include -#endif -#endif - #if HAVE_SYS_PRCTL_H #include #endif -- 2.47.3
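Review bot: The include added under `#if HAVE_LINUX_TYPES_H` in include/squid_types.h interacts with the `#define _LINUX_TYPES_H` and `typedef uint32_t __u32;` glue that this commit adds to compat/os/linux.h, and the outcome depends on which header is seen first. The header name is not visible on this page, but assuming it is the kernel types header, seeing squid_types.h first makes the later typedef a redeclaration of `__u32`. Seeing linux.h first may turn this include into a no-op when LIBCAP_BROKEN is set. A comment stating the intended order would make that explicit. If the two are meant to be mutually exclusive, a guard such as `#if HAVE_LINUX_TYPES_H && !LIBCAP_BROKEN` would do the same.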