The kernel interface, while some aspects of it are much simpler, is also
not really meant to be called directly by applications.

The attached patch approximates the same functionality using libcap.
It differs slightly in how it sets the permitted capabilities to be kept on
uid change (explicit instead of masked), but the end result is the same, as
setting the capabilities won't work if these were not allowed.




# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: hen...@henriknordstrom.net-20091015142822-\
#   is615u5fl72d5vt3
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: 7003f761ebaefca2b4e2fd090f186cfb0ec0357e
# timestamp: 2009-10-15 20:21:24 +0200
# base_revision_id: squ...@treenet.co.nz-20091015121532-\
#   hhwys6416uxebd9y
# 
# Begin patch
=== modified file 'configure.in'
--- configure.in	2009-10-15 10:12:38 +0000
+++ configure.in	2009-10-15 14:28:22 +0000
@@ -2763,7 +2763,7 @@
   fi
 ],[AC_MSG_RESULT(yes)])
 if test "x$use_caps" = "xyes"; then
-  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  dnl Check for libcap1 header breakage or libcap2 fixed (assume broken unless found working)
   libcap_broken=1
   AC_CHECK_HEADERS(sys/capability.h)
   AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
@@ -2773,6 +2773,7 @@
                    ]])],[libcap_broken=0],[])
   )
   AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+  AC_CHECK_LIB(cap, cap_get_proc)
 fi
 
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include <sys/types.h>
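Review bot: `AC_CHECK_LIB(cap, cap_get_proc)` with its default actions only appends -lcap to LIBS and defines HAVE_LIBCAP when the library is found; nothing here fails configure or turns `use_caps` off when it is missing, yet the new tools.cc code in this same patch is guarded by `HAVE_SYS_CAPABILITY_H` alone, so a host with the header but no usable libcap will compile and then fail at link time. Consider `AC_CHECK_LIB(cap, cap_get_proc, , [AC_MSG_ERROR([libcap library not found but required for capability support])])`, or additionally gate the tools.cc block on `HAVE_LIBCAP`. Note too that `libcap_broken`/`LIBCAP_BROKEN` is still computed in the hunk above, but nothing in the visible hunks consults it; if the libcap API is now used unconditionally, that check may be dead.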

=== modified file 'src/tools.cc'
--- src/tools.cc	2009-08-28 01:44:26 +0000
+++ src/tools.cc	2009-10-15 14:24:33 +0000
@@ -1240,51 +1240,41 @@
 restoreCapabilities(int keep)
 {
     /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
-#if defined(_SQUID_LINUX_)
-
-#if HAVE_SYS_CAPABILITY_H
-#ifndef _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
-#endif
-    cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
-    cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
-
-    head->version = _LINUX_CAPABILITY_VERSION_1;
-
-    if (capget(head, cap) != 0) {
-        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
-    } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
-        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
+#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
+    cap_t caps;
+    if (keep)
+	caps = cap_get_proc();
+    else
+	caps = cap_init();
+    if (!caps) {
+	IpInterceptor.StopTransparency("Can't get current capabilities");
     } else {
-
-        head->pid = 0;
-
-        cap->inheritable = 0;
-        cap->effective = (1 << CAP_NET_BIND_SERVICE);
-
-        if (IpInterceptor.TransparentActive()) {
-            cap->effective |= (1 << CAP_NET_ADMIN);
+#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)
+	int ncaps = 0;
+	int rc = 0;
+	cap_value_t cap_list[10];
+	PUSH_CAP(CAP_NET_BIND_SERVICE);
+
+	if (IpInterceptor.TransparentActive()) {
+	    PUSH_CAP(CAP_NET_ADMIN);
 #if LINUX_TPROXY2
-            cap->effective |= (1 << CAP_NET_BROADCAST);
+	    PUSH_CAP(CAP_NET_BROADCAST);
 #endif
-        }
-
-        if (!keep)
-            cap->permitted &= cap->effective;
-
-        if (capset(head, cap) != 0) {
+	}
+#undef PUSH_CAP
+
+	cap_clear_flag(caps, CAP_EFFECTIVE);
+	rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET);
+	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
+
+        if (rc || cap_set_proc(caps) != 0) {
             IpInterceptor.StopTransparency("Error enabling needed capabilities.");
         }
+	cap_free(caps);
     }
-
-    xfree(head);
-    xfree(cap);
-
 #else
     IpInterceptor.StopTransparency("Missing needed capability support.");
 #endif /* HAVE_SYS_CAPABILITY_H */
-
-#endif /* !defined(_SQUID_LINUX_) */
 }
 
 void *
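Review bot: The keep path no longer clears the inheritable set: the removed `cap->inheritable = 0;` applied to both paths, while `cap_get_proc()` at the top of the new block returns the current inheritable set untouched and only CAP_EFFECTIVE is cleared below, so a caller with inheritable capabilities keeps them across this call where it previously did not. To restore that behaviour, and to stop discarding a failing clear, replace the unchecked clear with `rc |= cap_clear_flag(caps, CAP_INHERITABLE);` followed by `rc |= cap_clear_flag(caps, CAP_EFFECTIVE);`. In the `!keep` path the `!caps` branch reports "Can't get current capabilities" although the failing call is `cap_init()`, an allocation; a message covering both, such as `"Can't allocate capability state"`, would be less misleading in logs. The closing `#endif /* HAVE_SYS_CAPABILITY_H */` comment is now stale since the guard became `defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H` and the separate `_SQUID_LINUX_` `#endif` was dropped; update it to match. The added lines also mix tab indentation with the file's four-space style (the `caps = ...`, `PUSH_CAP`, and `cap_free` lines), and restoreCapabilities' return-type line sits just before the hunk.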
