Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Henrik Nordstrom 
tis 2009-10-27 klockan 14:46 +1300 skrev Amos Jeffries:

 I would like the patch to be updated with said function test logic to
 auto-disable libcap2, modulo a fatal death on the --with-* case.  Then for
 it to go back in :)

OK. I'll give it a shot. Will make TPROXY require libcap-2.09 or later.

At what version was libcap fixed for the issue we test in the magic
sys/capability.h test case? Comment says libcap2 fixed, so I guess we no
longer need this?

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Amos Jeffries 

Henrik Nordstrom wrote:

tis 2009-10-27 klockan 14:46 +1300 skrev Amos Jeffries:


I would like the patch to be updated with said function test logic to
auto-disable libcap2, modulo a fatal death on the --with-* case.  Then for
it to go back in :)


OK. I'll give it a shot. Will make TPROXY require libcap-2.09 or later.

At what version was libcap fixed for the issue we test in the magic
sys/capability.h test case? Comment says libcap2 fixed, so I guess we no
longer need this?

Regards
Henrik



Not entirely sure what version. I think the Gentoo 2.15 or 2.16 is 
fixed. My Ubuntu 2.11 is broken by the test results of last build I ran.


I think we need to keep the magic voodoo for a while longer.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Henrik Nordstrom 
ons 2009-10-28 klockan 01:35 +1300 skrev Amos Jeffries:

 Not entirely sure what version. I think the Gentoo 2.15 or 2.16 is 
 fixed. My Ubuntu 2.11 is broken by the test results of last build I ran.

Ok.

The configure test was broken however, always reporting failure...

 I think we need to keep the magic voodoo for a while longer.

It's still there.

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Amos Jeffries 
On Tue, 27 Oct 2009 15:08:24 +0100, Henrik Nordstrom
hen...@henriknordstrom.net wrote:
 ons 2009-10-28 klockan 01:35 +1300 skrev Amos Jeffries:
 
 Not entirely sure what version. I think the Gentoo 2.15 or 2.16 is 
 fixed. My Ubuntu 2.11 is broken by the test results of last build I
ran.
 
 Ok.
 
 The configure test was broken however, always reporting failure...

Strange. That was the change the Gentoo people are all enjoying at the
moment.

Amos

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Henrik Nordstrom 
tis 2009-10-27 klockan 14:46 +1300 skrev Amos Jeffries:

 I would like the patch to be updated with said function test logic to
 auto-disable libcap2, modulo a fatal death on the --with-* case.  Then for
 it to go back in :)

Done.

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-27 Thread Henrik Nordstrom 
ons 2009-10-28 klockan 10:32 +1300 skrev Amos Jeffries:

  The configure test was broken however, always reporting failure...
 
 Strange. That was the change the Gentoo people are all enjoying at the
 moment.

Well, I think most are silently happy with the workaround enabled even
if not strictly needed.

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-26 Thread Amos Jeffries 

Alexander Huemer wrote:

Amos Jeffries wrote:

On Tue, 20 Oct 2009 01:04:26 +0200, Henrik Nordstrom
hen...@henriknordstrom.net wrote:
  

mån 2009-10-19 klockan 12:10 +1300 skrev Amos Jeffries:



Um, is that function libcap2 specific?
  

Not sure when it was added. Checking... seems to be 2.09. Added to the
git repository Sat Mar 29 21:40:06 2008 -0700.

There is also a libcap-ng project these days, with yet another API..


The other was mentioned as a possible requirement as well. I have not
spent any time seeing whether its worth it or not to support libcap-ng. Do
you know enough about them both to pick?

  
It may be related to the LIBCAP_BROKEN identifier or another such test 
for the specific function may be worth adding...
  

I rather have one code base than two here.. either libcap is used or it
is not. Using libcap if found working or raw syscalls if not does not
sound like a good idea to me.

But maybe we can require a reasonably current libcap-2 for TPROXY
support? It requires a custom kernel anyway on the systems with too old
libcap implementations I think.


We can do that yes. I think I would also rather do it too. It paves the
way for a clean deprecation cycle now that TPROXYv4 kernels are effectively
mainstream:

 3.0: (2008-2010) TPROXYv2 with libcap + libcap2
 3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
 3.2: (2011?) support TPROXYv4 with libcap2

Amos

  

i guess this fix went into squid 3.1.0.14 ... ?
the gentoo package for that version just appeared in the portage tree
and i installed it.
no more warning messages in dmesg. good job!
will this find it's way into squid 3.0 too ?
or can i wait for 3.2 ? i did not find a planned release date.

regards
-alex


The Gentoo hack fix is the only thing included so far (must be what you 
see in 3.1.0.14) and will also be in 3.0.STABLE20 when that comes out.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-26 Thread Henrik Nordstrom 
tis 2009-10-20 klockan 12:52 +1300 skrev Amos Jeffries:

 We can do that yes. I think I would also rather do it too. It paves the
 way for a clean deprecation cycle now that TPROXYv4 kernels are effectively
 mainstream:
 
  3.0: (2008-2010) TPROXYv2 with libcap + libcap2
  3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
  3.2: (2011?) support TPROXYv4 with libcap2

So you want me to add the patch back on trunk?

Means we must update libcap on several of the build farm members,
including the master, or disable TPROXY in the build tests..

I guess I could add some configure magics to look for the missing
function and automatically disable..

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-26 Thread Amos Jeffries 
On Tue, 27 Oct 2009 02:13:03 +0100, Henrik Nordstrom
hen...@henriknordstrom.net wrote:
 tis 2009-10-20 klockan 12:52 +1300 skrev Amos Jeffries:
 
 We can do that yes. I think I would also rather do it too. It paves the
 way for a clean deprecation cycle now that TPROXYv4 kernels are
 effectively
 mainstream:
 
  3.0: (2008-2010) TPROXYv2 with libcap + libcap2
  3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
  3.2: (2011?) support TPROXYv4 with libcap2
 
 So you want me to add the patch back on trunk?
 
 Means we must update libcap on several of the build farm members,
 including the master, or disable TPROXY in the build tests..
 
 I guess I could add some configure magics to look for the missing
 function and automatically disable..

Yes please.

I would like the patch to be updated with said function test logic to
auto-disable libcap2, modulo a fatal death on the --with-* case.  Then for
it to go back in :)

Amos

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-23 Thread Alexander Huemer 
Amos Jeffries wrote:
 On Tue, 20 Oct 2009 01:04:26 +0200, Henrik Nordstrom
 hen...@henriknordstrom.net wrote:
   
 mån 2009-10-19 klockan 12:10 +1300 skrev Amos Jeffries:

 
 Um, is that function libcap2 specific?
   
 Not sure when it was added. Checking... seems to be 2.09. Added to the
 git repository Sat Mar 29 21:40:06 2008 -0700.

 There is also a libcap-ng project these days, with yet another API..
 

 The other was mentioned as a possible requirement as well. I have not
 spent any time seeing whether its worth it or not to support libcap-ng. Do
 you know enough about them both to pick?

   
 It may be related to the LIBCAP_BROKEN identifier or another such test 
 for the specific function may be worth adding...
   
 I rather have one code base than two here.. either libcap is used or it
 is not. Using libcap if found working or raw syscalls if not does not
 sound like a good idea to me.

 But maybe we can require a reasonably current libcap-2 for TPROXY
 support? It requires a custom kernel anyway on the systems with too old
 libcap implementations I think.
 

 We can do that yes. I think I would also rather do it too. It paves the
 way for a clean deprecation cycle now that TPROXYv4 kernels are effectively
 mainstream:

  3.0: (2008-2010) TPROXYv2 with libcap + libcap2
  3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
  3.2: (2011?) support TPROXYv4 with libcap2

 Amos

   
i guess this fix went into squid 3.1.0.14 ... ?
the gentoo package for that version just appeared in the portage tree
and i installed it.
no more warning messages in dmesg. good job!
will this find it's way into squid 3.0 too ?
or can i wait for 3.2 ? i did not find a planned release date.

regards
-alex

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-19 Thread Amos Jeffries 
On Tue, 20 Oct 2009 01:04:26 +0200, Henrik Nordstrom
hen...@henriknordstrom.net wrote:
 mån 2009-10-19 klockan 12:10 +1300 skrev Amos Jeffries:
 
 Um, is that function libcap2 specific?
 
 Not sure when it was added. Checking... seems to be 2.09. Added to the
 git repository Sat Mar 29 21:40:06 2008 -0700.
 
 There is also a libcap-ng project these days, with yet another API..

The other was mentioned as a possible requirement as well. I have not
spent any time seeing whether its worth it or not to support libcap-ng. Do
you know enough about them both to pick?

 
 It may be related to the LIBCAP_BROKEN identifier or another such test 
 for the specific function may be worth adding...
 
 I rather have one code base than two here.. either libcap is used or it
 is not. Using libcap if found working or raw syscalls if not does not
 sound like a good idea to me.
 
 But maybe we can require a reasonably current libcap-2 for TPROXY
 support? It requires a custom kernel anyway on the systems with too old
 libcap implementations I think.

We can do that yes. I think I would also rather do it too. It paves the
way for a clean deprecation cycle now that TPROXYv4 kernels are effectively
mainstream:

 3.0: (2008-2010) TPROXYv2 with libcap + libcap2
 3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
 3.2: (2011?) support TPROXYv4 with libcap2

Amos

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-18 Thread Henrik Nordstrom 
fre 2009-10-16 klockan 02:04 +0200 skrev Henrik Nordstrom:
 fre 2009-10-16 klockan 11:03 +1300 skrev Amos Jeffries:
 
  /* NP: keep these two if-endif separate. Non-Linux work perfectly well 
 
 Sorry.. thought I had fixed that already..
 
  +#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)
  
  I can just see that converting to: 
  CAP_NET_ADMIN_ist[nCAP_NET_ADMINs++]=(CAP_NET_ADMIN) ...
 
 Nope.. preprocessor is tokens based. But as this macro is farily simple
 now it can just as well be expanded. I think the plan was to eventually
 C++ encapsulate these details, but that's overkill here.
 
 Updated patch attaced.


Crap. libcap on centos is not usable.

Regards
Henrik

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-18 Thread Amos Jeffries 

Henrik Nordstrom wrote:

fre 2009-10-16 klockan 02:04 +0200 skrev Henrik Nordstrom:

fre 2009-10-16 klockan 11:03 +1300 skrev Amos Jeffries:

/* NP: keep these two if-endif separate. Non-Linux work perfectly well 

Sorry.. thought I had fixed that already..


+#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)

I can just see that converting to: 
CAP_NET_ADMIN_ist[nCAP_NET_ADMINs++]=(CAP_NET_ADMIN) ...

Nope.. preprocessor is tokens based. But as this macro is farily simple
now it can just as well be expanded. I think the plan was to eventually
C++ encapsulate these details, but that's overkill here.

Updated patch attaced.



Crap. libcap on centos is not usable.

Regards
Henrik



Um, is that function libcap2 specific?

It may be related to the LIBCAP_BROKEN identifier or another such test 
for the specific function may be worth adding...


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-15 Thread Amos Jeffries 

Henrik Nordstrom wrote:

The kernel interface, while some aspects of it is much simpler is also
not really meant to be called directly by applications.

The attached patch approximates the same functionality using libcap.
Differs slightly in how it sets the permitted capabilities to be kept on
uid change (explicit instead of masked), but end result is the same as
setting the capabilities won't work if these were not allowed.



/* NP: keep these two if-endif separate. Non-Linux work perfectly well 
without Linux syscap support. */

-#if defined(_SQUID_LINUX_)
-
-#if HAVE_SYS_CAPABILITY_H

The above was done so that interception does not get disabled on FreeBSD 
which now has some TPROXY support.



+#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)

I can just see that converting to: 
CAP_NET_ADMIN_ist[nCAP_NET_ADMINs++]=(CAP_NET_ADMIN) ...


Otherwise good.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Re: [MERGE] Use libcap instead of direct linux capability syscalls

2009-10-15 Thread Henrik Nordstrom 
fre 2009-10-16 klockan 11:03 +1300 skrev Amos Jeffries:

 /* NP: keep these two if-endif separate. Non-Linux work perfectly well 

Sorry.. thought I had fixed that already..

 +#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)
 
 I can just see that converting to: 
 CAP_NET_ADMIN_ist[nCAP_NET_ADMINs++]=(CAP_NET_ADMIN) ...

Nope.. preprocessor is tokens based. But as this macro is farily simple
now it can just as well be expanded. I think the plan was to eventually
C++ encapsulate these details, but that's overkill here.

Updated patch attaced.

Regards
Henrik
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: hen...@henriknordstrom.net-20091015235726-\
#   tjj24dnri2arionc
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: e0544b31cc7e7f4f877a1b5939e6cfe26d60bc6f
# timestamp: 2009-10-16 01:58:06 +0200
# base_revision_id: squ...@treenet.co.nz-20091015121532-\
#   hhwys6416uxebd9y
# 
# Begin patch
=== modified file 'configure.in'
--- configure.in	2009-10-15 10:12:38 +
+++ configure.in	2009-10-15 14:28:22 +
@@ -2763,7 +2763,7 @@
   fi
 ],[AC_MSG_RESULT(yes)])
 if test x$use_caps = xyes; then
-  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  dnl Check for libcap1 header breakage or libcap2 fixed (assume broken unless found working)
   libcap_broken=1
   AC_CHECK_HEADERS(sys/capability.h)
   AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
@@ -2773,6 +2773,7 @@
]])],[libcap_broken=0],[])
   )
   AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+  AC_CHECK_LIB(cap, cap_get_proc)
 fi
 
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include sys/types.h

=== modified file 'src/tools.cc'
--- src/tools.cc	2009-08-28 01:44:26 +
+++ src/tools.cc	2009-10-15 23:57:26 +
@@ -1241,50 +1241,40 @@
 {
 /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
 #if defined(_SQUID_LINUX_)
-
 #if HAVE_SYS_CAPABILITY_H
-#ifndef _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
-#endif
-cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
-cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
-
-head-version = _LINUX_CAPABILITY_VERSION_1;
-
-if (capget(head, cap) != 0) {
-debugs(50, DBG_IMPORTANT, Can't get current capabilities);
-} else if (head-version != _LINUX_CAPABILITY_VERSION_1) {
-debugs(50, DBG_IMPORTANT, Invalid capability version   head-version   (expected   _LINUX_CAPABILITY_VERSION_1  ));
+cap_t caps;
+if (keep)
+	caps = cap_get_proc();
+else
+	caps = cap_init();
+if (!caps) {
+	IpInterceptor.StopTransparency(Can't get current capabilities);
 } else {
-
-head-pid = 0;
-
-cap-inheritable = 0;
-cap-effective = (1  CAP_NET_BIND_SERVICE);
-
-if (IpInterceptor.TransparentActive()) {
-cap-effective |= (1  CAP_NET_ADMIN);
+	int ncaps = 0;
+	int rc = 0;
+	cap_value_t cap_list[10];
+	cap_list[ncaps++] = CAP_NET_BIND_SERVICE;
+
+	if (IpInterceptor.TransparentActive()) {
+	cap_list[ncaps++] = CAP_NET_ADMIN;
 #if LINUX_TPROXY2
-cap-effective |= (1  CAP_NET_BROADCAST);
+	cap_list[ncaps++] = CAP_NET_BROADCAST;
 #endif
-}
-
-if (!keep)
-cap-permitted = cap-effective;
-
-if (capset(head, cap) != 0) {
+	}
+
+	cap_clear_flag(caps, CAP_EFFECTIVE);
+	rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET);
+	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
+
+if (rc || cap_set_proc(caps) != 0) {
 IpInterceptor.StopTransparency(Error enabling needed capabilities.);
 }
+	cap_free(caps);
 }
-
-xfree(head);
-xfree(cap);
-
 #else
 IpInterceptor.StopTransparency(Missing needed capability support.);
 #endif /* HAVE_SYS_CAPABILITY_H */
-
-#endif /* !defined(_SQUID_LINUX_) */
+#endif /* _SQUID_LINUX_ */
 }
 
 void *

# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWeXFlV4ABjxfgEQwef///39v
/2q+YAnPj1q+owJFAC6wnTU1lAAoAMkTQSeRPUzQnpPakeiaaPU00GgAaaBo0aAA4yZNGgNG
mIyNDEMCaNMQYjQYQAGHGTJo0Bo0xGRoYhgTRpiDEaDCAAwYlSPFBiNMnkmAhpiYgDRoMAmjJkMJ
gikRojRpqniPSaaTKbFMyMQ1PTJqNEeiD1NBtQP1BJIBNNNAhCek1MaNJpH6oGRmoyMTR6mT1Hpp
PCjhAcBA/KxRq1hVPG4pZm3lBsotwW7hoeBiSZwQhH0/L5PH/kbyD/uLuplZbxN2y1f8fZogkkyC
aYHcL90IFWcSSwYKsiE+LyjBhNwLMnJqM1M9XJ8pp0hqwfSU6dKQuYVSv7m9a9R6u/J5/hu0DwLV
RcnDIAkUnMqGQkxuEOu/zzGEwQUAhFxmfXGk80CefYwUo9wwYQBxOcXyfCzqxcymxgpzi5iJF2EY
0U55YbSigl3BGUOeSjOVXxhd+FvrRBZasfyxaKQCJ8BskUW8K+C2l+leb4cJr4W3P2YqIV4EazdE
8uc3g5hmBhATdqv1zKZMU1u7PYqz7dBuGAPCEUqgRrsCOo6uAXo6SLqriqnF9gpXSmR5HTRV9R1w
70c8uFh1Rvee+vka9RAroY78lh1wpyiWupjVyVseZEn8VOsFimsDmAQ1hiiWNDJGbAgPJC0F+0TW
++nIjzgwJ/15qUHGK6ew0DchuHpVdSHu9mKHqu83NkJSlKUv4q17+o3uk1RctUCnrgZzP+b7Ub71