Don't hard depend on capability.h and libcap

In the effort to make LXC work with non-standard Linux distros, this change
allows for the user to build LXC without capability support through a new
--disable-capabilities option to configure.

This effectively will cause LXC not to link against libcap and will turn all
the _cap_ functions into no-ops.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/configure.ac b/configure.ac
index 1957687fdbb0a073605f3f51e53745ab8d90fda1..29c5b551e6eac86c029c57be6e622a96409ff663 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -180,17 +180,24 @@ AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h],
                                AC_MSG_ERROR([Please install the Linux kernel headers.]),
                                [#include <sys/socket.h>])
 
+# Allow disabling libcap support
+AC_ARG_ENABLE([capabilities],
+       [AC_HELP_STRING([--disable-capabilities], [disable kernel capabilities])],
+       [], [enable_capabilities=yes])
+
 # Check for libcap support
-AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]),
-[#include <sys/types.h>
-#include <sys/capability.h>])
-AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
-AC_MSG_CHECKING([linux capabilities])
-if test "x$caplib" = "xyes" ; then
-       CAP_LIBS="-lcap"
-       AC_MSG_RESULT([$CAP_LIBS])
+if test "x$enable_capabilities" = "xyes"; then
+       AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
+       AC_MSG_CHECKING([linux capabilities])
+       if test "x$caplib" = "xyes" ; then
+               CAP_LIBS="-lcap"
+               AC_MSG_RESULT([$CAP_LIBS])
+       else
+               AC_MSG_RESULT([no])
+               AC_MSG_ERROR([You are missing libcap support. If you really want to build without kernel capabilities, use --disable-capabilities])
+       fi
 else
-       AC_MSG_ERROR([not found])
+       CAP_LIBS=""
 fi
 AC_SUBST([CAP_LIBS])
 
@@ -214,7 +221,7 @@ AM_CONDITIONAL([IS_BIONIC], [test "x$is_bionic" = "xyes"])
 AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>])
 
 # Check for some headers
-AC_CHECK_HEADERS([sys/signalfd.h pty.h])
+AC_CHECK_HEADERS([sys/signalfd.h pty.h sys/capability.h])
 
 # Check for some functions
 AC_CHECK_FUNCS([openpty])

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 94c134d5334562b784e17815fb90310ea65a8542..53c552be8702294daa59d01889057c765dddb8be 100644 (file)
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -27,13 +27,16 @@
 #include <stdlib.h>
 #include <limits.h>
 #include <sys/prctl.h>
-#include <sys/capability.h>
 #include <errno.h>
 
+#include "config.h"
 #include "log.h"
 
 lxc_log_define(lxc_caps, lxc);
 
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+
 int lxc_caps_reset(void)
 {
        cap_t cap = cap_init();
@@ -258,3 +261,4 @@ int lxc_caps_check(void)
 
        return 1;
 }
+#endif

diff --git a/src/lxc/caps.h b/src/lxc/caps.h
index 88cf09ee52f8fd711ed8f7e93191b8993e23062f..dc3fd6fcf4a1ac9a0b1233f8cdb116fd6428cc10 100644 (file)
--- a/src/lxc/caps.h
+++ b/src/lxc/caps.h
@@ -20,9 +20,12 @@
  * License along with this library; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  */
+#include "config.h"
+
 #ifndef _caps_h
 #define _caps_h
 
+#if HAVE_SYS_CAPABILITY_H
 extern int lxc_caps_reset(void);
 extern int lxc_caps_down(void);
 extern int lxc_caps_up(void);
@@ -30,6 +33,27 @@ extern int lxc_caps_init(void);
 extern int lxc_caps_check(void);
 
 extern int lxc_caps_last_cap(void);
+#else
+static inline int lxc_caps_reset(void) {
+        return 0;
+}
+static inline int lxc_caps_down(void) {
+        return 0;
+}
+static inline int lxc_caps_up(void) {
+        return 0;
+}
+static inline int lxc_caps_init(void) {
+        return 0;
+}
+static inline int lxc_caps_check(void) {
+        return 1;
+}
+
+static inline int lxc_caps_last_cap(void) {
+        return 0;
+}
+#endif
 
 #define lxc_priv(__lxc_function)                       \
        ({                                              \

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d69bfe1105eb89884d390f18cb42035007e312ca..a7077f43e3d32910ba50745ed41e9da3472c5f24 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -48,7 +48,6 @@
 #include <sys/mount.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
-#include <sys/capability.h>
 #include <sys/personality.h>
 
 #include <arpa/inet.h>
@@ -71,6 +70,10 @@
 #include <apparmor.h>
 #endif
 
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
 #include "lxcseccomp.h"
 
 lxc_log_define(lxc_conf, lxc);
@@ -104,6 +107,7 @@ lxc_log_define(lxc_conf, lxc);
 #define MS_STRICTATIME (1 << 24)
 #endif
 
+#if HAVE_SYS_CAPABILITY_H
 #ifndef CAP_SETFCAP
 #define CAP_SETFCAP 31
 #endif
@@ -115,6 +119,7 @@ lxc_log_define(lxc_conf, lxc);
 #ifndef CAP_MAC_ADMIN
 #define CAP_MAC_ADMIN 33
 #endif
+#endif
 
 #ifndef PR_CAPBSET_DROP
 #define PR_CAPBSET_DROP 24
@@ -199,6 +204,7 @@ static struct mount_opt mount_opt[] = {
        { NULL,            0, 0              },
 };
 
+#if HAVE_SYS_CAPABILITY_H
 static struct caps_opt caps_opt[] = {
        { "chown",             CAP_CHOWN             },
        { "dac_override",      CAP_DAC_OVERRIDE      },
@@ -245,6 +251,9 @@ static struct caps_opt caps_opt[] = {
        { "wake_alarm",        CAP_WAKE_ALARM        },
 #endif
 };
+#else
+static struct caps_opt caps_opt[] = {};
+#endif
 
 static int run_buffer(char *buffer)
 {

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 34520223529e6022f450421dcb6b993e244f4606..427cc709d4a96bbf655b208aeffea4d32fd78dce 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -41,12 +41,15 @@
 #include <sys/socket.h>
 #include <sys/prctl.h>
 #include <sys/types.h>
-#include <sys/capability.h>
 #include <sys/wait.h>
 #include <sys/un.h>
 #include <sys/poll.h>
 #include <sys/syscall.h>
 
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
+
 #ifdef HAVE_SYS_SIGNALFD_H
 #  include <sys/signalfd.h>
 #else
@@ -339,10 +342,14 @@ int lxc_poll(const char *name, struct lxc_handler *handler)
        }
 
        if (handler->conf->need_utmp_watch) {
+               #if HAVE_SYS_CAPABILITY_H
                if (lxc_utmp_mainloop_add(&descr, handler)) {
                        ERROR("failed to add utmp handler to mainloop");
                        goto out_mainloop_open;
                }
+               #else
+                       DEBUG("not starting utmp handler as cap_sys_boot cannot be dropped without capabilities support\n");
+               #endif
        }
 
        return lxc_mainloop(&descr);
@@ -553,6 +560,7 @@ static int do_start(void *data)
        if (lxc_sync_barrier_parent(handler, LXC_SYNC_CONFIGURE))
                return -1;
 
+       #if HAVE_SYS_CAPABILITY_H
        if (handler->conf->need_utmp_watch) {
                if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
                        SYSERROR("failed to remove CAP_SYS_BOOT capability");
@@ -560,6 +568,7 @@ static int do_start(void *data)
                }
                DEBUG("Dropped cap_sys_boot\n");
        }
+       #endif
 
        /* Setup the container, ip, names, utsname, ... */
        if (lxc_setup(handler->name, handler->conf)) {
@@ -752,7 +761,11 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
        handler->data = data;
 
        if (must_drop_cap_sys_boot()) {
+               #if HAVE_SYS_CAPABILITY_H
                DEBUG("Dropping cap_sys_boot\n");
+               #else
+               DEBUG("Can't drop cap_sys_boot as capabilities aren't supported\n");
+               #endif
        } else {
                DEBUG("Not dropping cap_sys_boot or watching utmp\n");
                handler->conf->need_utmp_watch = 0;