Patchwork configure: improve libaudit & libcap configure handling

Submitter Mike Frysinger
Date March 30, 2016, 9:12 p.m.
Message ID <1459372353-9265-1-git-send-email-vapier@gentoo.org>
Permalink /patch/11569/
State New
Delegated to: Mike Frysinger

Comments

Mike Frysinger - March 30, 2016, 9:12 p.m.
The configure logic currently tests+enables libcap only when selinux
support is also enabled.  This doesn't make sense in the current code
base as pt_chown uses libcap for priv control independent of selinux.

It also autoprobes both features and enables things when the libs are
installed even if the builder would rather it not.  Add explicit flags
so people can turn them on/off as desired.

2016-03-30  Mike Frysinger  <vapier@gentoo.org>

	* configure.ac (AC_ARG_WITH([libcap]), AC_ARG_WITH([libaudit])):
	New configure flags.  Split logic out of have_selinux checks.
	* configure: Regenerated.
	* nscd/connections.c (finish_drop_privileges): Add HAVE_SELINUX
	to the #if defined symbol list.
---
 configure          | 40 ++++++++++++++++++++++++++++++++++++----
 configure.ac       | 36 +++++++++++++++++++++++++++++-------
 nscd/connections.c |  4 ++--
 3 files changed, 67 insertions(+), 13 deletions(-)
Roland McGrath - March 30, 2016, 10:22 p.m.
Looks OK.

Patch

diff --git a/configure b/configure
index 8fe5937..f34f07a 100755
--- a/configure
+++ b/configure
@@ -612,9 +612,9 @@  libc_extra_cppflags
 libc_extra_cflags
 libc_cv_cxx_thread_local
 CPPUNDEFS
-have_selinux
 have_libcap
 have_libaudit
+have_selinux
 LIBGD
 libc_cv_cc_loop_to_function
 libc_cv_cc_submachine
@@ -748,6 +748,8 @@  with_gd_lib
 with_fp
 with_binutils
 with_selinux
+with_libcap
+with_libaudit
 with_headers
 with_default_link
 enable_sanity_checks
@@ -1454,6 +1456,8 @@  Optional Packages:
   --with-fp               if using floating-point hardware [default=yes]
   --with-binutils=PATH    specify location of binutils (as and ld)
   --with-selinux          if building with SELinux support
+  --with-libcap           if building with libcap support
+  --with-libaudit         if building with audit support
   --with-headers=PATH     location of system headers to use (for example
                           /usr/src/linux/include) [default=compiler default]
   --with-default-link     do not use explicit linker scripts
@@ -3303,6 +3307,22 @@  else
 fi
 
 
+# Check whether --with-libcap was given.
+if test "${with_libcap+set}" = set; then :
+  withval=$with_libcap; with_libcap=$withval
+else
+  with_libcap=auto
+fi
+
+
+# Check whether --with-libaudit was given.
+if test "${with_libaudit+set}" = set; then :
+  withval=$with_libaudit; with_libaudit=$withval
+else
+  with_libaudit=auto
+fi
+
+
 
 # Check whether --with-headers was given.
 if test "${with_headers+set}" = set; then :
@@ -6086,8 +6106,13 @@  if test "x$have_selinux" = xyes; then
 
 $as_echo "#define HAVE_SELINUX 1" >>confdefs.h
 
+fi
+
 
-  # See if we have the libaudit library
+# See if we have the libaudit library.
+if test "x$with_libaudit" = xno; then
+  have_libaudit=no
+else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_avc_message in -laudit" >&5
 $as_echo_n "checking for audit_log_user_avc_message in -laudit... " >&6; }
 if ${ac_cv_lib_audit_audit_log_user_avc_message+:} false; then :
@@ -6134,10 +6159,16 @@  fi
 
 $as_echo "#define HAVE_LIBAUDIT 1" >>confdefs.h
 
+  elif test "x$with_libaudit" = xyes; then
+    as_fn_error $? "auditing explicitly required, but audit library not found" "$LINENO" 5
   fi
+fi
 
 
-  # See if we have the libcap library
+# See if we have the libcap library.
+if test "x$with_libcap" = xno; then
+  have_libcap=no
+else
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5
 $as_echo_n "checking for cap_init in -lcap... " >&6; }
 if ${ac_cv_lib_cap_cap_init+:} false; then :
@@ -6184,8 +6215,9 @@  fi
 
 $as_echo "#define HAVE_LIBCAP 1" >>confdefs.h
 
+  elif test "x$with_libcap" = xyes; then
+    as_fn_error $? "libcap explicitly required, but libcap not found" "$LINENO" 5
   fi
-
 fi
 
 
diff --git a/configure.ac b/configure.ac
index 3c766b7..20c9b42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -143,6 +143,16 @@  AC_ARG_WITH([selinux],
 			   [if building with SELinux support]),
 	    [with_selinux=$withval],
 	    [with_selinux=auto])
+AC_ARG_WITH([libcap],
+	    AC_HELP_STRING([--with-libcap],
+			   [if building with libcap support]),
+	    [with_libcap=$withval],
+	    [with_libcap=auto])
+AC_ARG_WITH([libaudit],
+	    AC_HELP_STRING([--with-libaudit],
+			   [if building with audit support]),
+	    [with_libaudit=$withval],
+	    [with_libaudit=auto])
 
 AC_ARG_WITH([headers],
 	    AC_HELP_STRING([--with-headers=PATH],
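Review bot: The two new help strings state neither the default nor what is lost when the option is turned off. According to the commit message libcap provides privilege control in pt_chown, so a builder passing `--without-libcap` should be able to learn that from `./configure --help`. Consider wording along the lines of `[use libcap for capability-based privilege dropping @<:@default=auto@:>@]` and `[use libaudit for audit logging @<:@default=auto@:>@]`. The exact list of consumers should be checked against the tree, since only nscd/connections.c is visible in this patch.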
@@ -1546,23 +1556,35 @@  fi
 # Check if we're building with SELinux support.
 if test "x$have_selinux" = xyes; then
   AC_DEFINE(HAVE_SELINUX, 1, [SELinux support])
+fi
+AC_SUBST(have_selinux)
 
-  # See if we have the libaudit library
+# See if we have the libaudit library.
+if test "x$with_libaudit" = xno; then
+  have_libaudit=no
+else
   AC_CHECK_LIB(audit, audit_log_user_avc_message,
 	       have_libaudit=yes, have_libaudit=no)
   if test "x$have_libaudit" = xyes; then
-    AC_DEFINE(HAVE_LIBAUDIT, 1, [SELinux libaudit support])
+    AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
+  elif test "x$with_libaudit" = xyes; then
+    AC_MSG_ERROR([auditing explicitly required, but audit library not found])
   fi
-  AC_SUBST(have_libaudit)
+fi
+AC_SUBST(have_libaudit)
 
-  # See if we have the libcap library
+# See if we have the libcap library.
+if test "x$with_libcap" = xno; then
+  have_libcap=no
+else
   AC_CHECK_LIB(cap, cap_init, have_libcap=yes, have_libcap=no)
   if test "x$have_libcap" = xyes; then
-    AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+    AC_DEFINE(HAVE_LIBCAP, 1, [libcap support])
+  elif test "x$with_libcap" = xyes; then
+    AC_MSG_ERROR([libcap explicitly required, but libcap not found])
   fi
-  AC_SUBST(have_libcap)
 fi
-AC_SUBST(have_selinux)
+AC_SUBST(have_libcap)
 
 CPPUNDEFS=
 dnl Check for silly hacked compilers predefining _FORTIFY_SOURCE.
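Review bot: In the default `auto` case a missing libcap still ends with `have_libcap=no` and only the usual AC_CHECK_LIB "no" line, so a build host that lacks the library quietly produces binaries without capability-based privilege control. An `else` branch next to the new `elif`, for example `AC_MSG_WARN([libcap not found; building without capability-based privilege dropping])`, would make this visible in the configure output; the libaudit block has the same gap. Separately, any value other than `yes` or `no` (for instance `--with-libcap=/usr`) falls through and is treated like `auto`. Rejecting such values with AC_MSG_ERROR would stop a builder from assuming a path was honoured.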
diff --git a/nscd/connections.c b/nscd/connections.c
index f3b16f7..cf2c41c 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -2590,7 +2590,7 @@  begin_drop_privileges (void)
 static void
 finish_drop_privileges (void)
 {
-#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
+#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
   /* We need to preserve the capabilities to connect to the audit daemon.  */
   cap_t new_caps = preserve_capabilities ();
 #endif
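Review bot: The condition `defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP` is now written out twice in finish_drop_privileges, here and in the hunk at -2622. Both copies must also agree with whatever guards the declarations of preserve_capabilities and install_real_capabilities, which are outside this patch. If the copies drift, the likely results are a build failure or, if only the second guard is off, capabilities preserved across the setuid call that are never replaced by install_real_capabilities. Defining one file-local symbol once under that condition (say `# define NSCD_KEEP_AUDIT_CAPS 1`, the name being only a suggestion) and testing it with `#ifdef` at both sites would keep them in step. The function body continues outside both hunks, so this is based only on the visible lines.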
@@ -2622,7 +2622,7 @@  finish_drop_privileges (void)
       do_exit (4, errno, "setuid");
     }
 
-#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
+#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
   /* Remove the temporary capabilities.  */
   install_real_capabilities (new_caps);
 #endif