On 01/08/2013 01:20 PM, Serge Hallyn wrote: > Quoting Stéphane Graber (stgra...@ubuntu.com): >> In the effort to make LXC work with non-standard Linux distros, this change >> allows for the user to build LXC without capability support through a new >> --disable-capabilities option to configure. >> >> This effectively will cause LXC not to link against libcap and will turn all >> the _cap_ functions into no-ops. >> >> Signed-off-by: Stéphane Graber <stgra...@ubuntu.com> > > Only one comment - perhaps the msg " > Can't start utmp handler as capabilities aren't supported" should read > "not starting utmp handler as cap_sys_boot cannot be dropped without > capabilities support"? > > > Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>
Changed the wording and pushed. Thanks.
>> ---
>> configure.ac | 27 +++++++++++++++++----------
>> src/lxc/caps.c | 6 +++++-
>> src/lxc/caps.h | 24 ++++++++++++++++++++++++
>> src/lxc/conf.c | 11 ++++++++++-
>> src/lxc/start.c | 15 ++++++++++++++-
>> 5 files changed, 70 insertions(+), 13 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index ea98f02..22b45cd 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -180,17 +180,24 @@ AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h
>> linux/genetlink.h],
>> AC_MSG_ERROR([Please install the Linux kernel
>> headers.]),
>> [#include <sys/socket.h>])
>>
>> +# Allow disabling libcap support
>> +AC_ARG_ENABLE([capabilities],
>> + [AC_HELP_STRING([--disable-capabilities], [disable kernel
>> capabilities])],
>> + [], [enable_capabilities=yes])
>> +
>> # Check for libcap support
>> -AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the
>> libcap development files.]),
>> -[#include <sys/types.h>
>> -#include <sys/capability.h>])
>> -AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
>> -AC_MSG_CHECKING([linux capabilities])
>> -if test "x$caplib" = "xyes" ; then
>> - CAP_LIBS="-lcap"
>> - AC_MSG_RESULT([$CAP_LIBS])
>> +if test "x$enable_capabilities" = "xyes"; then
>> + AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
>> + AC_MSG_CHECKING([linux capabilities])
>> + if test "x$caplib" = "xyes" ; then
>> + CAP_LIBS="-lcap"
>> + AC_MSG_RESULT([$CAP_LIBS])
>> + else
>> + AC_MSG_RESULT([no])
>> + AC_MSG_ERROR([You are missing libcap support. If you really
>> want to build without kernel capabilities, use --disable-capabilities])
>> + fi
>> else
>> - AC_MSG_ERROR([not found])
>> + CAP_LIBS=""
>> fi
>> AC_SUBST([CAP_LIBS])
>>
>> @@ -214,7 +221,7 @@ AM_CONDITIONAL([IS_BIONIC], [test "x$is_bionic" =
>> "xyes"])
>> AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>])
>>
>> # Check for some headers
>> -AC_CHECK_HEADERS([sys/signalfd.h pty.h])
>> +AC_CHECK_HEADERS([sys/signalfd.h pty.h sys/capability.h])
>>
>> # Check for some functions
>> AC_CHECK_FUNCS([getline fgetln openpty])
>> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
>> index 94c134d..53c552b 100644
>> --- a/src/lxc/caps.c
>> +++ b/src/lxc/caps.c
>> @@ -27,13 +27,16 @@
>> #include <stdlib.h>
>> #include <limits.h>
>> #include <sys/prctl.h>
>> -#include <sys/capability.h>
>> #include <errno.h>
>>
>> +#include "config.h"
>> #include "log.h"
>>
>> lxc_log_define(lxc_caps, lxc);
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> +#include <sys/capability.h>
>> +
>> int lxc_caps_reset(void)
>> {
>> cap_t cap = cap_init();
>> @@ -258,3 +261,4 @@ int lxc_caps_check(void)
>>
>> return 1;
>> }
>> +#endif
>> diff --git a/src/lxc/caps.h b/src/lxc/caps.h
>> index 88cf09e..dc3fd6f 100644
>> --- a/src/lxc/caps.h
>> +++ b/src/lxc/caps.h
>> @@ -20,9 +20,12 @@
>> * License along with this library; if not, write to the Free Software
>> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>> */
>> +#include "config.h"
>> +
>> #ifndef _caps_h
>> #define _caps_h
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> extern int lxc_caps_reset(void);
>> extern int lxc_caps_down(void);
>> extern int lxc_caps_up(void);
>> @@ -30,6 +33,27 @@ extern int lxc_caps_init(void);
>> extern int lxc_caps_check(void);
>>
>> extern int lxc_caps_last_cap(void);
>> +#else
>> +static inline int lxc_caps_reset(void) {
>> + return 0;
>> +}
>> +static inline int lxc_caps_down(void) {
>> + return 0;
>> +}
>> +static inline int lxc_caps_up(void) {
>> + return 0;
>> +}
>> +static inline int lxc_caps_init(void) {
>> + return 0;
>> +}
>> +static inline int lxc_caps_check(void) {
>> + return 1;
>> +}
>> +
>> +static inline int lxc_caps_last_cap(void) {
>> + return 0;
>> +}
>> +#endif
>>
>> #define lxc_priv(__lxc_function) \
>> ({ \
>> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
>> index 49bba2a..25b75d7 100644
>> --- a/src/lxc/conf.c
>> +++ b/src/lxc/conf.c
>> @@ -48,7 +48,6 @@
>> #include <sys/mount.h>
>> #include <sys/mman.h>
>> #include <sys/prctl.h>
>> -#include <sys/capability.h>
>> #include <sys/personality.h>
>>
>> #include <arpa/inet.h>
>> @@ -71,6 +70,10 @@
>> #include <apparmor.h>
>> #endif
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> +#include <sys/capability.h>
>> +#endif
>> +
>> #include "lxcseccomp.h"
>>
>> lxc_log_define(lxc_conf, lxc);
>> @@ -104,6 +107,7 @@ lxc_log_define(lxc_conf, lxc);
>> #define MS_STRICTATIME (1 << 24)
>> #endif
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> #ifndef CAP_SETFCAP
>> #define CAP_SETFCAP 31
>> #endif
>> @@ -115,6 +119,7 @@ lxc_log_define(lxc_conf, lxc);
>> #ifndef CAP_MAC_ADMIN
>> #define CAP_MAC_ADMIN 33
>> #endif
>> +#endif
>>
>> #ifndef PR_CAPBSET_DROP
>> #define PR_CAPBSET_DROP 24
>> @@ -199,6 +204,7 @@ static struct mount_opt mount_opt[] = {
>> { NULL, 0, 0 },
>> };
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> static struct caps_opt caps_opt[] = {
>> { "chown", CAP_CHOWN },
>> { "dac_override", CAP_DAC_OVERRIDE },
>> @@ -245,6 +251,9 @@ static struct caps_opt caps_opt[] = {
>> { "wake_alarm", CAP_WAKE_ALARM },
>> #endif
>> };
>> +#else
>> +static struct caps_opt caps_opt[] = {};
>> +#endif
>>
>> static int run_buffer(char *buffer)
>> {
>> diff --git a/src/lxc/start.c b/src/lxc/start.c
>> index 3452022..271764e 100644
>> --- a/src/lxc/start.c
>> +++ b/src/lxc/start.c
>> @@ -41,12 +41,15 @@
>> #include <sys/socket.h>
>> #include <sys/prctl.h>
>> #include <sys/types.h>
>> -#include <sys/capability.h>
>> #include <sys/wait.h>
>> #include <sys/un.h>
>> #include <sys/poll.h>
>> #include <sys/syscall.h>
>>
>> +#if HAVE_SYS_CAPABILITY_H
>> +#include <sys/capability.h>
>> +#endif
>> +
>> #ifdef HAVE_SYS_SIGNALFD_H
>> # include <sys/signalfd.h>
>> #else
>> @@ -339,10 +342,14 @@ int lxc_poll(const char *name, struct lxc_handler
>> *handler)
>> }
>>
>> if (handler->conf->need_utmp_watch) {
>> + #if HAVE_SYS_CAPABILITY_H
>> if (lxc_utmp_mainloop_add(&descr, handler)) {
>> ERROR("failed to add utmp handler to mainloop");
>> goto out_mainloop_open;
>> }
>> + #else
>> + DEBUG("Can't start utmp handler as capabilities aren't
>> supported\n");
>> + #endif
>> }
>>
>> return lxc_mainloop(&descr);
>> @@ -553,6 +560,7 @@ static int do_start(void *data)
>> if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE))
>> return -1;
>>
>> + #if HAVE_SYS_CAPABILITY_H
>> if (handler->conf->need_utmp_watch) {
>> if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
>> SYSERROR("failed to remove CAP_SYS_BOOT capability");
>> @@ -560,6 +568,7 @@ static int do_start(void *data)
>> }
>> DEBUG("Dropped cap_sys_boot\n");
>> }
>> + #endif
>>
>> /* Setup the container, ip, names, utsname, ... */
>> if (lxc_setup(handler->name, handler->conf)) {
>> @@ -752,7 +761,11 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
>> handler->data = data;
>>
>> if (must_drop_cap_sys_boot()) {
>> + #if HAVE_SYS_CAPABILITY_H
>> DEBUG("Dropping cap_sys_boot\n");
>> + #else
>> + DEBUG("Can't drop cap_sys_boot as capabilities aren't
>> supported\n");
>> + #endif
>> } else {
>> DEBUG("Not dropping cap_sys_boot or watching utmp\n");
>> handler->conf->need_utmp_watch = 0;
>> --
>> 1.8.0
>>
>>
>> ------------------------------------------------------------------------------
>> Master SQL Server Development, Administration, T-SQL, SSAS, SSIS, SSRS
>> and more. Get SQL Server skills now (including 2012) with LearnDevNow -
>> 200+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
>> SALE $99.99 this month only - learn more at:
>> http://p.sf.net/sfu/learnmore_122512
>> _______________________________________________
>> Lxc-devel mailing list
>> Lxc-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery and much more. Keep your Java skills current with LearnJavaNow - 200+ hours of step-by-step video tutorials by Java experts. SALE $49.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122612
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
