# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: henrik@henriknordstrom.net-20091015142822-\
#   is615u5fl72d5vt3
# target_branch: http://www.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: 7003f761ebaefca2b4e2fd090f186cfb0ec0357e
# timestamp: 2009-10-15 20:21:24 +0200
# base_revision_id: squid3@treenet.co.nz-20091015121532-\
#   hhwys6416uxebd9y
# 
# Begin patch
=== modified file 'configure.in'
--- configure.in	2009-10-15 10:12:38 +0000
+++ configure.in	2009-10-15 14:28:22 +0000
@@ -2763,7 +2763,7 @@
   fi
 ],[AC_MSG_RESULT(yes)])
 if test "x$use_caps" = "xyes"; then
-  dnl Check for libcap1 breakage or libcap2 fixed (assume broken unless found working)
+  dnl Check for libcap1 header breakage or libcap2 fixed (assume broken unless found working)
   libcap_broken=1
   AC_CHECK_HEADERS(sys/capability.h)
   AC_CACHE_CHECK([for operational libcap2], $libcap_broken,
@@ -2773,6 +2773,7 @@
                    ]])],[libcap_broken=0],[])
   )
   AC_DEFINE_UNQUOTED([LIBCAP_BROKEN],$libcap_broken,[if libcap2 is available and not clashing with libc])
+  AC_CHECK_LIB(cap, cap_get_proc)
 fi
 
 AC_CHECK_TYPE(mtyp_t,AC_DEFINE(HAVE_MTYP_T,1,[mtyp_t is defined by the system headers]),,[#include <sys/types.h>
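Review bot: The result of `AC_CHECK_LIB(cap, cap_get_proc)` is never acted on. If sys/capability.h is installed but libcap itself is not linkable, configure continues silently. The new restoreCapabilities() body in src/tools.cc is compiled whenever HAVE_SYS_CAPABILITY_H is set and calls cap_get_proc()/cap_set_proc(), so that configuration would fail at link time instead of taking the existing "Missing needed capability support." branch. With no action arguments the macro defines HAVE_LIBCAP on success, so the guard in tools.cc could become `#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H && HAVE_LIBCAP`. A configure-time warning when the library is absent would also tell the builder that privilege dropping is disabled.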

=== modified file 'src/tools.cc'
--- src/tools.cc	2009-08-28 01:44:26 +0000
+++ src/tools.cc	2009-10-15 14:24:33 +0000
@@ -1240,51 +1240,41 @@
 restoreCapabilities(int keep)
 {
     /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
-#if defined(_SQUID_LINUX_)
-
-#if HAVE_SYS_CAPABILITY_H
-#ifndef _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
-#endif
-    cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
-    cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
-
-    head->version = _LINUX_CAPABILITY_VERSION_1;
-
-    if (capget(head, cap) != 0) {
-        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
-    } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
-        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
+#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
+    cap_t caps;
+    if (keep)
+	caps = cap_get_proc();
+    else
+	caps = cap_init();
+    if (!caps) {
+	IpInterceptor.StopTransparency("Can't get current capabilities");
     } else {
-
-        head->pid = 0;
-
-        cap->inheritable = 0;
-        cap->effective = (1 << CAP_NET_BIND_SERVICE);
-
-        if (IpInterceptor.TransparentActive()) {
-            cap->effective |= (1 << CAP_NET_ADMIN);
+#define PUSH_CAP(cap) cap_list[ncaps++] = (cap)
+	int ncaps = 0;
+	int rc = 0;
+	cap_value_t cap_list[10];
+	PUSH_CAP(CAP_NET_BIND_SERVICE);
+
+	if (IpInterceptor.TransparentActive()) {
+	    PUSH_CAP(CAP_NET_ADMIN);
 #if LINUX_TPROXY2
-            cap->effective |= (1 << CAP_NET_BROADCAST);
+	    PUSH_CAP(CAP_NET_BROADCAST);
 #endif
-        }
-
-        if (!keep)
-            cap->permitted &= cap->effective;
-
-        if (capset(head, cap) != 0) {
+	}
+#undef PUSH_CAP
+
+	cap_clear_flag(caps, CAP_EFFECTIVE);
+	rc |= cap_set_flag(caps, CAP_EFFECTIVE, ncaps, cap_list, CAP_SET);
+	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
+
+        if (rc || cap_set_proc(caps) != 0) {
             IpInterceptor.StopTransparency("Error enabling needed capabilities.");
         }
+	cap_free(caps);
     }
-
-    xfree(head);
-    xfree(cap);
-
 #else
     IpInterceptor.StopTransparency("Missing needed capability support.");
 #endif /* HAVE_SYS_CAPABILITY_H */
-
-#endif /* !defined(_SQUID_LINUX_) */
 }
 
 void *
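Review bot: With `keep` non-zero the set comes from cap_get_proc() and only CAP_EFFECTIVE is cleared, so any inheritable capabilities the process already holds appear to survive into the set passed to cap_set_proc(). The removed code zeroed `cap->inheritable` unconditionally. Adding `rc |= cap_clear_flag(caps, CAP_INHERITABLE);` next to the existing clear would restore that. The return value of `cap_clear_flag(caps, CAP_EFFECTIVE)` is also ignored and should be folded into `rc` like the two cap_set_flag() calls, so that a failed clear cannot leave extra effective bits set. The `NP: keep these two if-endif separate` comment and the `#endif /* HAVE_SYS_CAPABILITY_H */` trailer no longer match the merged `#if` and should be updated. The function's return-type line is outside the hunk.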

# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWduZKS4ABHffgEQwee///39v
/2q////+YAf98llXqgAGd3O2GiQAAwkkChNR7U9GqM09JtMqPU9qj1PRpGI9Rk0ANB6mgBzCaA0B
o0YRoMRpiZMTQYRoGQDJgJKQDTRpTTamgAAGjQAAaAADRkAxTRCj0nqA3qQbU0AAAAGgAGnqPUAH
MJoDQGjRhGgxGmJkxNBhGgZAMmAkkBGgBAmTSNNqU20aKPU9NpqnpNHiZE0A9TbKjyXkn8xVSzOo
6nuY29xwpyJqc4QM6dfBXF6U3PALME7+yiygZHhYJ6GFAZOydW+/qhJBCOT4sE63ILSZnlhQfIiO
rm+MtaEbipK8/U+Z8+ujzoF8y4g4ciAkUoXkPMgYOJLLXM4IMFZZKMXCy+LORYBB7SuZyL0Il75E
ICDp4WDDvnrOPrEValQtaNatSpCNt54PN41VtS2WHA7zHj/2nM+Gkz7WaFCCr0K5SjhJycwMMIzT
3KF3Vi15a6qJ7dBlLhLczYCmVbNeLJxzyFNSShC+ZTDESO+q+5wDEzUZMUdKjOw7ZGXYorvDob1G
2PF+rT+n6s3T9HSiN7mWhRxV8L9gMeCCYg5JZL1dAKxAyX6LI0Qj4SZbiDgFaCOVBkFnvYa7g5zu
oRHDPzKtD2BeZhPfkPMjzyJJ6EnhowkWFetKqWUc7YI2ltKCIjGJri+NJI4BghToa8ZMPJzefxrJ
kanJVYOoyZhzJmDouttZAmOv6yoYJrJJ0ZpjEKGmVr2VjZhqjSbfBltSKFEI4QSQCncJE1PUZivx
HOGZXnwlgeOh8EnYI36GsoMXrDLTCDtk9FMV9C9IWJaPImv5VvSsWy4XAglalQgUuSqMATIZliwM
Ax96xm+ImclQtSeBtP2URxgWimYHUb77R0rGiTbAFclB8TTNyhKSelWCfF9K0qcSBWWjy8lgSNbY
oLC8rBeXQeqWygVLFk9kRwHDx6ueCiwojwUXsPCY8KiCWLy7gjEwDItMRxecgKOLmJFzDaBO7LJs
dpURwGW5hBn2hwWKUFeYuaoYxLx5E1vtsYxIlqjzlhz/YThcktwseEMa7UsHX/cLAyN2uhq1TWg9
7G0sle60xILpzE8NxoRVMq3OaDpQ0JkYcDMxLdwq54NiP5xkFzHBZJWl5BMXhkVDwTXguOiW5Nhd
gNZTBWvYsNyelIj3pMVlTEdtZYVESRkPTtfNeWEiEHl1eFcLkrbXoS0H36sCZOo2pYkUslQeeTmW
ivmwRKMmRFJ+KLUlH3wPWIyWBox84WDIXQMjH7WDoIkjC14HOGKBnBQtQwzIc1R8EeA3R5EcEJDh
5A3QRUg2TbdnWke3D9Y2EEgiElelHKgb8c5R5pnwMmFIzCHR90KeiodVBh301TSFBJS6VDy9Ng3P
tkUDHmeelp1JXawakJEmWCG4UH/6ozoAaasmms0NFu/+cSeeJeQWcvtvRv0mXaYXXdB/b098F4kS
zvNO/e8GY4bNnZgOXUeZJ7nsAwOT1b0wWmKZlJ55TUSEeo5jzn0Baep1J6y/Ju0nHsW/YCyBH53c
RFZlSB2ggszUiWP4IqBQy3LpkKY6zgbzaUHDH5AviYBrRzFE/5Liew96EZhs/unOJGBoXFpENB6/
rDcmDuLhHc53FxH4s9kxDuVDmNX0zLyo27ZOPfRBYbj4jFXu88XuoqPv1w4PfkdBvPoZIHnMRFQV
aTFZBSSHHOWGo+RQcVftlickWgn4xIr0gvFeten/a7NdFFON/jmGzU+OOgpOti3jWZmjIL/QrBjF
QAvheZR7DwUGndbiVdB1OQfwe5McpemMckHcXAIet4mSIWlDXmj8uezxAeVGzmFrzQlMczXpBQCJ
ML28TluDacS0FyNDyHIiUmCwSqIjJYEXzEL7q1Z1ONmFqUnpZ3u5Rp1FkKZ8SbHtJhUHbrdkEYLb
t+bm7DWa0MQTDk3+BHautbgXLZ0obmPSg5kiKOztbv9fqR1CoIQyD2VBs9ovUBExddG4bt/cSHnQ
kFPVsF0pBsDY0CN81DsQexl5TkHoSo8EdeX78dQG6QIn5r0sEHnBRQXS4AqL6FgSv8ZervQaiMEk
bkr8kVRRyOBYHp3lCR9yO2UDBxFgegMxfViBbJpAM0hrvICIoICgYjS1t5ARIQiVZJ7DH5jnCZkh
hVoN+9BaFzVpkkPJJB2jhO6VBmAnN4j9DiCPrFHuiKx+F7IcxtMSL0lZ4xuBwN6WNaKgLtl/iVZW
DFqFgeZat9MUHOrJ3FbDjqYe8Ch8zQ6zy2VExIzFVttQaK3WyFqOsvWsZJ6tU94hFwn6lZcxcwIn
ADXhMKmCThRWNIvQcltF7E+BUDDTCX6cLkyGRWkDKSVCB62TMNWjXMHEYgchIsdKuLS8HjiqY5IX
pF7S8rCciQ5l6hPOlw7AiuYVRqt5wgHlNOdvz2loFgs5/egfASK3BRkrBwdwt3Xj3IPEUbP2V2x5
hYfgt4K9L8FxxBZZi9vFIJiqM1f3LqVcpgZHE7MnnAlEQEQ7bVSBwJ9AOHPV5iuf4u5IpwoSG3Ml
JcA=

