[PATCH] configure: improve libaudit & libcap configure handling
- From: Mike Frysinger <vapier at gentoo dot org>
- To: libc-alpha at sourceware dot org
- Date: Wed, 30 Mar 2016 17:12:33 -0400
- Subject: [PATCH] configure: improve libaudit & libcap configure handling
- Authentication-results: sourceware.org; auth=none
The configure logic currently tests for and enables libcap only when selinux
support is also enabled. This doesn't make sense in the current code
base as pt_chown uses libcap for privilege control independent of selinux.
It also autoprobes both features and enables things when the libs are
installed even if the builder would rather it not. Add explicit flags
so people can turn them on/off as desired.
2016-03-30 Mike Frysinger <vapier@gentoo.org>
* configure.ac (AC_ARG_WITH([libcap]), AC_ARG_WITH([libaudit])):
New configure flags. Split logic out of have_selinux checks.
* configure: Regenerated.
* nscd/connections.c (finish_drop_privileges): Add HAVE_SELINUX
to the #if defined symbol list.
---
configure | 40 ++++++++++++++++++++++++++++++++++++----
configure.ac | 36 +++++++++++++++++++++++++++++-------
nscd/connections.c | 4 ++--
3 files changed, 67 insertions(+), 13 deletions(-)
diff --git a/configure b/configure
index 8fe5937..f34f07a 100755
--- a/configure
+++ b/configure
@@ -612,9 +612,9 @@ libc_extra_cppflags
libc_extra_cflags
libc_cv_cxx_thread_local
CPPUNDEFS
-have_selinux
have_libcap
have_libaudit
+have_selinux
LIBGD
libc_cv_cc_loop_to_function
libc_cv_cc_submachine
@@ -748,6 +748,8 @@ with_gd_lib
with_fp
with_binutils
with_selinux
+with_libcap
+with_libaudit
with_headers
with_default_link
enable_sanity_checks
@@ -1454,6 +1456,8 @@ Optional Packages:
--with-fp if using floating-point hardware [default=yes]
--with-binutils=PATH specify location of binutils (as and ld)
--with-selinux if building with SELinux support
+ --with-libcap if building with libcap support
+ --with-libaudit if building with audit support
--with-headers=PATH location of system headers to use (for example
/usr/src/linux/include) [default=compiler default]
--with-default-link do not use explicit linker scripts
@@ -3303,6 +3307,22 @@ else
fi
+# Check whether --with-libcap was given.
+if test "${with_libcap+set}" = set; then :
+ withval=$with_libcap; with_libcap=$withval
+else
+ with_libcap=auto
+fi
+
+
+# Check whether --with-libaudit was given.
+if test "${with_libaudit+set}" = set; then :
+ withval=$with_libaudit; with_libaudit=$withval
+else
+ with_libaudit=auto
+fi
+
+
# Check whether --with-headers was given.
if test "${with_headers+set}" = set; then :
@@ -6086,8 +6106,13 @@ if test "x$have_selinux" = xyes; then
$as_echo "#define HAVE_SELINUX 1" >>confdefs.h
+fi
+
- # See if we have the libaudit library
+# See if we have the libaudit library.
+if test "x$with_libaudit" = xno; then
+ have_libaudit=no
+else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_avc_message in -laudit" >&5
$as_echo_n "checking for audit_log_user_avc_message in -laudit... " >&6; }
if ${ac_cv_lib_audit_audit_log_user_avc_message+:} false; then :
@@ -6134,10 +6159,16 @@ fi
$as_echo "#define HAVE_LIBAUDIT 1" >>confdefs.h
+ elif test "x$with_libaudit" = xyes; then
+ as_fn_error $? "auditing explicitly required, but audit library not found" "$LINENO" 5
fi
+fi
- # See if we have the libcap library
+# See if we have the libcap library.
+if test "x$with_libcap" = xno; then
+ have_libcap=no
+else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5
$as_echo_n "checking for cap_init in -lcap... " >&6; }
if ${ac_cv_lib_cap_cap_init+:} false; then :
@@ -6184,8 +6215,9 @@ fi
$as_echo "#define HAVE_LIBCAP 1" >>confdefs.h
+ elif test "x$with_libcap" = xyes; then
+ as_fn_error $? "libcap explicitly required, but libcap not found" "$LINENO" 5
fi
-
fi
diff --git a/configure.ac b/configure.ac
index 3c766b7..20c9b42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -143,6 +143,16 @@ AC_ARG_WITH([selinux],
[if building with SELinux support]),
[with_selinux=$withval],
[with_selinux=auto])
+AC_ARG_WITH([libcap],
+ AC_HELP_STRING([--with-libcap],
+ [if building with libcap support]),
+ [with_libcap=$withval],
+ [with_libcap=auto])
+AC_ARG_WITH([libaudit],
+ AC_HELP_STRING([--with-libaudit],
+ [if building with audit support]),
+ [with_libaudit=$withval],
+ [with_libaudit=auto])
AC_ARG_WITH([headers],
AC_HELP_STRING([--with-headers=PATH],
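Review bot: `with_libcap=$withval` and `with_libaudit=$withval` accept any string, but the later checks in this patch only distinguish `no` and `yes`, so a typo or a path such as `--with-libcap=/usr` silently behaves like `auto`. Since the description says libcap backs privilege control in pt_chown, a build that quietly ends up without it is worth preventing. Consider validating right after each AC_ARG_WITH, e.g. `case "$with_libcap" in yes|no|auto) ;; *) AC_MSG_ERROR([--with-libcap accepts only yes, no or auto]) ;; esac`, and the same for `with_libaudit`. The help strings could also state `[default=auto]`, in the style the `--with-fp` entry already uses.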
@@ -1546,23 +1556,35 @@ fi
# Check if we're building with SELinux support.
if test "x$have_selinux" = xyes; then
AC_DEFINE(HAVE_SELINUX, 1, [SELinux support])
+fi
+AC_SUBST(have_selinux)
- # See if we have the libaudit library
+# See if we have the libaudit library.
+if test "x$with_libaudit" = xno; then
+ have_libaudit=no
+else
AC_CHECK_LIB(audit, audit_log_user_avc_message,
have_libaudit=yes, have_libaudit=no)
if test "x$have_libaudit" = xyes; then
- AC_DEFINE(HAVE_LIBAUDIT, 1, [SELinux libaudit support])
+ AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
+ elif test "x$with_libaudit" = xyes; then
+ AC_MSG_ERROR([auditing explicitly required, but audit library not found])
fi
- AC_SUBST(have_libaudit)
+fi
+AC_SUBST(have_libaudit)
- # See if we have the libcap library
+# See if we have the libcap library.
+if test "x$with_libcap" = xno; then
+ have_libcap=no
+else
AC_CHECK_LIB(cap, cap_init, have_libcap=yes, have_libcap=no)
if test "x$have_libcap" = xyes; then
- AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
+ AC_DEFINE(HAVE_LIBCAP, 1, [libcap support])
+ elif test "x$with_libcap" = xyes; then
+ AC_MSG_ERROR([libcap explicitly required, but libcap not found])
fi
- AC_SUBST(have_libcap)
fi
-AC_SUBST(have_selinux)
+AC_SUBST(have_libcap)
CPPUNDEFS=
dnl Check for silly hacked compilers predefining _FORTIFY_SOURCE.
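Review bot: With the libaudit probe moved out of the `have_selinux` block, `--with-libaudit=yes` succeeds and defines HAVE_LIBAUDIT even when SELinux support is off, yet the nscd change in this same patch only takes the audit path when HAVE_SELINUX is also defined. If nothing else consumes HAVE_LIBAUDIT (not visible from this diff), an explicit request for auditing becomes a silent no-op. A check after the libaudit block would make that visible, e.g. `if test "x$with_libaudit" = xyes && test "x$have_selinux" != xyes; then AC_MSG_WARN([--with-libaudit has no effect without SELinux support]); fi`.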
diff --git a/nscd/connections.c b/nscd/connections.c
index f3b16f7..cf2c41c 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -2590,7 +2590,7 @@ begin_drop_privileges (void)
static void
finish_drop_privileges (void)
{
-#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
+#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
/* We need to preserve the capabilities to connect to the audit daemon. */
cap_t new_caps = preserve_capabilities ();
#endif
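Review bot: The condition `defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP` is now spelled out twice in finish_drop_privileges, here and in the hunk at -2622, and `new_caps` declared under the first guard is consumed under the second. If the two copies ever drift, the result is either a build break or temporary capabilities that stay in place after the setuid call instead of being removed. Consider deriving a single macro from that condition near the top of the file (name is only a suggestion), `#define NSCD_KEEP_AUDIT_CAPS 1`, and testing `#ifdef NSCD_KEEP_AUDIT_CAPS` at both sites. The declarations of preserve_capabilities and install_real_capabilities are outside this diff and should presumably sit under the same guard. The function body continues outside both hunks.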
@@ -2622,7 +2622,7 @@ finish_drop_privileges (void)
do_exit (4, errno, "setuid");
}
-#if defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
+#if defined HAVE_SELINUX && defined HAVE_LIBAUDIT && defined HAVE_LIBCAP
/* Remove the temporary capabilities. */
install_real_capabilities (new_caps);
#endif
--
2.7.4