2010-04-20 08:47:22

by Mike Frysinger

Subject: [PATCH] make capabilities support optional

The new code using libcap is quite minor, so rather than always reqiure
libcap support, make it a normal --enable type flag. Current default
behavior is retained -- if libcap is found, it is enabled, else it is
disabled like every nfs-utils version in the past.

Signed-off-by: Mike Frysinger <[email protected]>
---
aclocal/libcap.m4 | 18 +++++++++++++-----
support/nsm/file.c | 4 ++++
2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/aclocal/libcap.m4 b/aclocal/libcap.m4
index eabe507..68a624c 100644
--- a/aclocal/libcap.m4
+++ b/aclocal/libcap.m4
@@ -5,11 +5,19 @@ AC_DEFUN([AC_LIBCAP], [
dnl look for prctl
AC_CHECK_FUNC([prctl], , )

- dnl look for the library; do not add to LIBS if found
- AC_CHECK_LIB([cap], [cap_get_proc], [LIBCAP=-lcap], ,)
- AC_SUBST(LIBCAP)
+ AC_ARG_ENABLE([caps],
+ [AS_HELP_STRING([--disable-caps], [Disable capabilities support])])
+
+ LIBCAP=
+
+ if test "x$enable_caps" != "xno" ; then
+ dnl look for the library; do not add to LIBS if found
+ AC_CHECK_LIB([cap], [cap_get_proc], [LIBCAP=-lcap], ,)

- AC_CHECK_HEADERS([sys/capability.h], ,
- [AC_MSG_ERROR([libcap headers not found.])])
+ AC_CHECK_HEADERS([sys/capability.h], ,
+ [test "x$enable_caps" = "xyes" && AC_MSG_ERROR([libcap headers not found.])])
+ fi
+
+ AC_SUBST(LIBCAP)

])dnl
diff --git a/support/nsm/file.c b/support/nsm/file.c
index d469219..f4baeb9 100644
--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -67,7 +67,9 @@
#endif

#include <sys/types.h>
+#ifdef HAVE_SYS_CAPABILITY_H
#include <sys/capability.h>
+#endif
#include <sys/prctl.h>
#include <sys/stat.h>

@@ -347,6 +349,7 @@ nsm_is_default_parentdir(void)
static _Bool
nsm_clear_capabilities(void)
{
+#ifdef HAVE_SYS_CAPABILITY_H
cap_t caps;

caps = cap_from_text("cap_net_bind_service=ep");
@@ -362,6 +365,7 @@ nsm_clear_capabilities(void)
}

(void)cap_free(caps);
+#endif
return true;
}

--
1.7.0.2

2010-04-23 17:00:47

by Steve Dickson

Subject: Re: [PATCH] make capabilities support optional

On 04/20/2010 04:46 AM, Mike Frysinger wrote:
> The new code using libcap is quite minor, so rather than always reqiure
> libcap support, make it a normal --enable type flag. Current default
> behavior is retained -- if libcap is found, it is enabled, else it is
> disabled like every nfs-utils version in the past.
>
> Signed-off-by: Mike Frysinger <[email protected]>
>
Committed...

steved.