From patchwork Wed Mar 30 21:12:33 2016
X-Patchwork-Submitter: Mike Frysinger
X-Patchwork-Id: 11569
X-Patchwork-Delegate: vapier@gentoo.org
From: Mike Frysinger
To: libc-alpha@sourceware.org
Subject: [PATCH] configure: improve libaudit & libcap configure handling
Date: Wed, 30 Mar 2016 17:12:33 -0400
Message-Id: <1459372353-9265-1-git-send-email-vapier@gentoo.org>

The configure logic currently tests+enables libcap only when selinux
support is also enabled. This doesn't make sense in the current code
base as pt_chown uses libcap for priv control independent of selinux.

It also autoprobes both features and enables things when the libs are
installed even if the builder would rather it not. Add explicit flags
so people can turn them on/off as desired.

2016-03-30 Mike Frysinger

* configure.ac (AC_ARG_WITH([libcap]), AC_ARG_WITH([libaudit])): New
configure flags. Split logic out of have_selinux checks.
* configure: Regenerated.
* nscd/connections.c (finish_drop_privileges): Add HAVE_SELINUX to the
#if defined symbol list.
---
 configure          | 40 ++++++++++++++++++++++++++++++++++++----
 configure.ac       | 36 +++++++++++++++++++++++++++++-------
 nscd/connections.c |  4 ++--
 3 files changed, 67 insertions(+), 13 deletions(-)
diff --git a/configure b/configure index 8fe5937..f34f07a 100755 --- a/configure +++ b/configure @@ -612,9 +612,9 @@ libc_extra_cppflags libc_extra_cflags libc_cv_cxx_thread_local CPPUNDEFS -have_selinux have_libcap have_libaudit +have_selinux LIBGD libc_cv_cc_loop_to_function libc_cv_cc_submachine @@ -748,6 +748,8 @@ with_gd_lib with_fp with_binutils with_selinux +with_libcap +with_libaudit with_headers with_default_link enable_sanity_checks @@ -1454,6 +1456,8 @@ Optional Packages: --with-fp if using floating-point hardware [default=yes] --with-binutils=PATH specify location of binutils (as and ld) --with-selinux if building with SELinux support + --with-libcap if building with libcap support + --with-libaudit if building with audit support --with-headers=PATH location of system headers to use (for example /usr/src/linux/include) [default=compiler default] --with-default-link do not use explicit linker scripts @@ -3303,6 +3307,22 @@ else fi +# Check whether --with-libcap was given. +if test "${with_libcap+set}" = set; then : + withval=$with_libcap; with_libcap=$withval +else + with_libcap=auto +fi + + +# Check whether --with-libaudit was given. +if test "${with_libaudit+set}" = set; then : + withval=$with_libaudit; with_libaudit=$withval +else + with_libaudit=auto +fi + + # Check whether --with-headers was given. if test "${with_headers+set}" = set; then : @@ -6086,8 +6106,13 @@ if test "x$have_selinux" = xyes; then $as_echo "#define HAVE_SELINUX 1" >>confdefs.h +fi + - # See if we have the libaudit library +# See if we have the libaudit library. +if test "x$with_libaudit" = xno; then + have_libaudit=no +else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_avc_message in -laudit" >&5 $as_echo_n "checking for audit_log_user_avc_message in -laudit... " >&6; } if ${ac_cv_lib_audit_audit_log_user_avc_message+:} false; then : 
@@ -6134,10 +6159,16 @@ fi $as_echo "#define HAVE_LIBAUDIT 1" >>confdefs.h + elif test "x$with_libaudit" = xyes; then + as_fn_error $? "auditing explicitly required, but audit library not found" "$LINENO" 5 fi +fi - # See if we have the libcap library +# See if we have the libcap library. +if test "x$with_libcap" = xno; then + have_libcap=no +else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5 $as_echo_n "checking for cap_init in -lcap... " >&6; } if ${ac_cv_lib_cap_cap_init+:} false; then : @@ -6184,8 +6215,9 @@ fi $as_echo "#define HAVE_LIBCAP 1" >>confdefs.h + elif test "x$with_libcap" = xyes; then + as_fn_error $? "libcap explicitly required, but libcap not found" "$LINENO" 5 fi - fi diff --git a/configure.ac b/configure.ac index 3c766b7..20c9b42 100644 --- a/configure.ac +++ b/configure.ac @@ -143,6 +143,16 @@ AC_ARG_WITH([selinux], [if building with SELinux support]), [with_selinux=$withval], [with_selinux=auto]) +AC_ARG_WITH([libcap], + AC_HELP_STRING([--with-libcap], + [if building with libcap support]), + [with_libcap=$withval], + [with_libcap=auto]) +AC_ARG_WITH([libaudit], + AC_HELP_STRING([--with-libaudit], + [if building with audit support]), + [with_libaudit=$withval], + [with_libaudit=auto]) AC_ARG_WITH([headers], AC_HELP_STRING([--with-headers=PATH], 
@@ -1546,23 +1556,35 @@ fi # Check if we're building with SELinux support. if test "x$have_selinux" = xyes; then AC_DEFINE(HAVE_SELINUX, 1, [SELinux support]) +fi +AC_SUBST(have_selinux) - # See if we have the libaudit library +# See if we have the libaudit library. +if test "x$with_libaudit" = xno; then + have_libaudit=no +else AC_CHECK_LIB(audit, audit_log_user_avc_message, have_libaudit=yes, have_libaudit=no) if test "x$have_libaudit" = xyes; then - AC_DEFINE(HAVE_LIBAUDIT, 1, [SELinux libaudit support]) + AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support]) + elif test "x$with_libaudit" = xyes; then + AC_MSG_ERROR([auditing explicitly required, but audit library not found]) fi - AC_SUBST(have_libaudit) +fi +AC_SUBST(have_libaudit) - # See if we have the libcap library +# See if we have the libcap library. +if test "x$with_libcap" = xno; then + have_libcap=no +else AC_CHECK_LIB(cap, cap_init, have_libcap=yes, have_libcap=no) if test "x$have_libcap" = xyes; then - AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) + AC_DEFINE(HAVE_LIBCAP, 1, [libcap support]) + elif test "x$with_libcap" = xyes; then + AC_MSG_ERROR([libcap explicitly required, but libcap not found]) fi - AC_SUBST(have_libcap) fi -AC_SUBST(have_selinux) +AC_SUBST(have_libcap) CPPUNDEFS= dnl Check for silly hacked compilers predefining _FORTIFY_SOURCE. diff --git a/nscd/connections.c b/nscd/connections.c index f3b16f7..cf2c41c 100644 --- a/nscd/connections.c +++ b/nscd/connections.c @@ -2590,7 +2590,7 @@ begin_drop_privileges (void) static void finish_drop_privileges (void) { -#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP +#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP /* We need to preserve the capabilities to connect to the audit daemon. */ cap_t new_caps = preserve_capabilities (); #endif 
@@ -2622,7 +2622,7 @@ finish_drop_privileges (void) do_exit (4, errno, "setuid"); } -#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP +#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP /* Remove the temporary capabilities. */ install_real_capabilities (new_caps); #endif
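Review bot: the help strings in the configure.ac hunk at @@ -143,6 +143,16 @@ do not document the default, although both new options fall back to `with_libcap=auto` and `with_libaudit=auto`. The neighbouring `--with-fp` entry in the generated help output carries `[default=yes]`; adding `[default=auto]` to the two AC_HELP_STRING texts would tell a builder that omitting the flag still probes for the library, which is the behaviour the commit message says some builders want to avoid.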
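Review bot: in the configure.ac hunk at @@ -1546,23 +1556,35 @@, `$with_libaudit` and `$with_libcap` are only compared against `xno` and `xyes`, so any other argument (for example a path or a misspelt value) is silently treated like `auto`: the probe runs and a missing library does not raise the new AC_MSG_ERROR. For an option that controls whether privilege-handling and audit code is compiled in, an explicit check that rejects values other than yes, no and auto would keep a mistyped flag from producing a build that differs from what the builder asked for.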
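Review bot: the two `#if` lines changed in finish_drop_privileges (nscd/connections.c) now require HAVE_SELINUX as well, but the patch does not show the guards around the definitions of preserve_capabilities and install_real_capabilities or the related header includes. Since configure can now define HAVE_LIBAUDIT and HAVE_LIBCAP without HAVE_SELINUX, please confirm those sites use the same three-symbol condition as the call sites, and consider a short comment at the `#if` stating why SELinux is required here, given that the existing comment only mentions connecting to the audit daemon. As far as these hunks show, `--with-libaudit=yes` on a build without SELinux passes configure yet leaves this capability-preserving path compiled out, which may deserve a configure-time warning.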