From b5bd96cebc105b0fbcabfe0b5f40cec27665e2c4 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Mon, 1 Dec 2008 17:46:44 +1300
Subject: [PATCH] Correct LINUX_CAPABILITY actions on non-Linux

non-Linux should not set transparency OFF, just because they dont have Linux syscap. Also kill bad use of goto. Should have been an if-else sequence.
---
 src/tools.cc | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/src/tools.cc b/src/tools.cc
index 3ab469e3cf..494dc7ab6c 100644
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -1254,7 +1254,10 @@ keepCapabilities(void)
 static void
 restoreCapabilities(int keep)
 {
-#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
+/* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
+#if defined(_SQUID_LINUX_)
+
+#if HAVE_SYS_CAPABILITY_H
 #ifndef _LINUX_CAPABILITY_VERSION_1
 #define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
 #endif
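Review bot: The `NP:` comment on the new `#if defined(_SQUID_LINUX_)` line says to keep the two conditionals separate but not what each resulting path is meant to do, which is the point of the change. Suggest a comment naming the three outcomes the new structure yields: Linux with libcap adjusts the capability set, Linux without `HAVE_SYS_CAPABILITY_H` disables transparency, and non-Linux leaves transparency untouched, e.g. `/* Linux+libcap: adjust caps; Linux without libcap: stop transparency; other OS: nothing to do here. */`. The body of restoreCapabilities continues in the next hunk.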
@@ -1264,41 +1267,41 @@ restoreCapabilities(int keep)
     head->version = _LINUX_CAPABILITY_VERSION_1;
     if (capget(head, cap) != 0) {
-        debugs(50, 1, "Can't get current capabilities");
-        goto nocap;
+        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
     }
-
-    if (head->version != _LINUX_CAPABILITY_VERSION_1) {
-        debugs(50, 1, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
-        goto nocap;
+    else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
+        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
     }
+    else {
-    head->pid = 0;
+        head->pid = 0;
-    cap->inheritable = 0;
-    cap->effective = (1 << CAP_NET_BIND_SERVICE);
+        cap->inheritable = 0;
+        cap->effective = (1 << CAP_NET_BIND_SERVICE);
-    if (IPInterceptor.TransparentActive()) {
-        cap->effective |= (1 << CAP_NET_ADMIN);
+        if (IPInterceptor.TransparentActive()) {
+            cap->effective |= (1 << CAP_NET_ADMIN);
 #if LINUX_TPROXY2
-        cap->effective |= (1 << CAP_NET_BROADCAST);
+            cap->effective |= (1 << CAP_NET_BROADCAST);
 #endif
-    }
+        }
-    if (!keep)
-        cap->permitted &= cap->effective;
+        if (!keep)
+            cap->permitted &= cap->effective;
-    if (capset(head, cap) != 0) {
-        IPInterceptor.StopTransparency("Error enabling needed capabilities.");
+        if (capset(head, cap) != 0) {
+            IPInterceptor.StopTransparency("Error enabling needed capabilities.");
+        }
     }
-nocap:
     xfree(head);
     xfree(cap);
-#else /* not defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H */
+#else
     IPInterceptor.StopTransparency("Missing needed capability support.");
-#endif
+#endif /* HAVE_SYS_CAPABILITY_H */
+
+#endif /* !defined(_SQUID_LINUX_) */
 }
 void *
-- 
2.47.3
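Review bot: The `capget()` failure and version-mismatch branches at the top of the hunk only log and fall through to the `xfree` calls, so on those paths transparency stays active although `CAP_NET_ADMIN` is never added to `effective`, and when `keep` is 0 the `permitted` set is never trimmed to `effective`; only the `capset()` failure branch calls `StopTransparency`. The old `goto nocap` had the same gap, but with the new if/else chain it is cheap to make the three failure paths consistent: add `IPInterceptor.StopTransparency("Can't get current capabilities.");` after the first `debugs` and `IPInterceptor.StopTransparency("Invalid capability version.");` after the second. The closing comment `#endif /* !defined(_SQUID_LINUX_) */` names the negation of the condition it closes; `#endif /* defined(_SQUID_LINUX_) */` matches the opening `#if`. restoreCapabilities opens in the previous hunk, so the declarations of `head` and `cap` are not visible here.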