From 1a982aef1864326717fd9f2b3b97ac7cdc31af78 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Mon, 29 Jun 2009 11:33:13 +0000 Subject: [PATCH] Prepare for using libcap-ng --- ChangeLog | 6 ++++++ configure.in | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ libvirt.spec.in | 12 +++++++++++- 3 files changed, 65 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a48d5fe4a6..c25b94cb63 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +Mon Jun 29 12:28:20 BST 2009 Daniel P. Berrange + + Prepare for using libcap-ng + * configure.in: Add check for libcap-ng + * libvirt.spec.in: Build with libcap-ng on Fedora >= 12 + Mon Jun 29 12:01:20 BST 2009 Daniel P. Berrange Add HACKING doc to the website diff --git a/configure.in b/configure.in index 2c20f5717c..5b79080d88 100644 --- a/configure.in +++ b/configure.in 
@@ -768,6 +768,49 @@ AM_CONDITIONAL([HAVE_NUMACTL], [test "$with_numactl" != "no"]) AC_SUBST([NUMACTL_CFLAGS]) AC_SUBST([NUMACTL_LIBS]) + + +dnl libcap-ng +AC_ARG_WITH([capng], + [ --with-capng use libcap-ng to reduce libvirtd privileges], + [], + [with_capng=check]) + +dnl +dnl This check looks for 'capng_updatev' since that was +dnl introduced in 0.4.0 release which need as minimum +dnl +CAPNG_CFLAGS= +CAPNG_LIBS= +if test "$with_qemu" = "yes" -a "$with_capng" != "no"; then + old_cflags="$CFLAGS" + old_libs="$LIBS" + if test "$with_capng" = "check"; then + AC_CHECK_HEADER([cap-ng.h],[],[with_capng=no]) + AC_CHECK_LIB([cap-ng], [capng_updatev],[],[with_capng=no]) + if test "$with_capng" != "no"; then + with_capng="yes" + fi + else + fail=0 + AC_CHECK_HEADER([cap-ng.h],[],[fail=1]) + AC_CHECK_LIB([cap-ng], [capng_updatev],[],[fail=1]) + test $fail = 1 && + AC_MSG_ERROR([You must install the capng >= 0.4.0 development package in order to compile and run libvirt]) + fi + CFLAGS="$old_cflags" + LIBS="$old_libs" +fi +if test "$with_capng" = "yes"; then + CAPNG_LIBS="-lcap-ng" + AC_DEFINE_UNQUOTED([HAVE_CAPNG], 1, [whether capng is available for privilege reduction]) +fi +AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"]) +AC_SUBST([CAPNG_CFLAGS]) +AC_SUBST([CAPNG_LIBS]) + + + dnl virsh libraries AC_CHECK_HEADERS([readline/readline.h]) @@ -1492,6 +1535,11 @@ AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS]) else AC_MSG_NOTICE([ numactl: no]) fi +if test "$with_capng" = "yes" ; then +AC_MSG_NOTICE([ capng: $CAPNG_CFLAGS $CAPNG_LIBS]) +else +AC_MSG_NOTICE([ capng: no]) +fi if test "$with_xen" = "yes" ; then AC_MSG_NOTICE([ xen: $XEN_CFLAGS $XEN_LIBS]) else diff --git a/libvirt.spec.in b/libvirt.spec.in index 6ba5405bc2..95b61c2a32 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in 
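Review bot: `AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" != "no"])` at the end of the libcap-ng block can be true while `HAVE_CAPNG` is undefined and `CAPNG_LIBS` is empty. When `$with_qemu` is not `yes` the probe is skipped and the default `with_capng=check` is never resolved, so the automake conditional is on while config.h and the summary line (`capng: no`) say off. Testing for `yes`, as the `AC_DEFINE_UNQUOTED` guard does, keeps them consistent: `AM_CONDITIONAL([HAVE_CAPNG], [test "$with_capng" = "yes"])`. In the same no-QEMU case an explicit `--with-capng` leaves `with_capng=yes` without running `AC_CHECK_HEADER`/`AC_CHECK_LIB`, so `-lcap-ng` is added unverified. Because this switch decides whether libvirtd reduces its privileges, a `dnl` comment should also say that `check` mode silently builds without privilege reduction when `cap-ng.h` or `capng_updatev` is missing, and that packagers relying on it should pass `--with-capng` to get the hard `AC_MSG_ERROR`.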
@@ -7,7 +7,8 @@ %define with_lxc 0%{!?_without_lxc:1} %define with_sasl 0%{!?_without_sasl:1} %define with_avahi 0%{!?_without_avahi:1} -%define with_polkit 0%{!?_without_polkit:1} +# default to off +%define with_polkit 0%{!?_without_polkit:0} %define with_python 0%{!?_without_python:1} %define with_libvirtd 0%{!?_without_libvirtd:1} %define with_uml 0%{!?_without_uml:1} @@ -18,6 +19,8 @@ %define with_storage_iscsi 0%{!?_without_storage_iscsi:1} %define with_storage_disk 0%{!?_without_storage_disk:1} %define with_numactl 0%{!?_without_numactl:1} +# default to off +%define with_capng 0%{!?_without_capng:0} # Xen is available only on i386 x86_64 ia64 %ifnarch i386 i586 i686 x86_64 ia64 @@ -39,6 +42,10 @@ %define with_xen_proxy 0 %endif +%if 0%{?fedora} >= 12 +%define with_capng 0%{!?_without_capng:1} +%endif + # # If building on RHEL switch on the specific support # @@ -166,6 +173,9 @@ BuildRequires: parted-devel # For QEMU/LXC numa info BuildRequires: numactl-devel %endif +%if %{with_capng} +BuildRequires: capng-devel >= 0.5.0 +%endif Obsoletes: libvir # Fedora build root suckage
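Review bot: The `with_polkit` line in the first spec hunk flips the default from 1 to 0, which is unrelated to libcap-ng and is not listed in the ChangeLog entry this commit adds. polkit support is an authorization feature, so a changed default belongs in its own commit, or at least in the ChangeLog. Unless a conditional outside these hunks turns it back on (as the `%if 0%{?fedora} >= 12` block does for capng), packages built from this spec would be built without it. In addition, `0%{!?_without_polkit:0}` expands to a zero value whether or not `_without_polkit` is defined, so the conditional does nothing; the `with_capng` default in the `@@ -18,6` hunk has the same form. A plain `%define with_polkit 0` with the comment `# default to off - enabled per distro below` would state the intent more clearly.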
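Review bot: `BuildRequires: capng-devel >= 0.5.0` in the last hunk asks for a newer release than configure.in, whose comment and `AC_MSG_ERROR` text both name 0.4.0 as the minimum. One of the two should be corrected so the documented floor matches what is enforced. The package name is worth confirming as well, since the library's development package on Fedora appears to be `libcap-ng-devel`. The `%configure` invocation is outside these hunks; if it does not pass `--with-capng` when `%{with_capng}` is set, configure runs in `check` mode and a failed probe would yield a build without privilege reduction instead of a failed build.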