[nginx] Improved the capabilities feature detection.

Roman Arutyunyan arut at nginx.com
Tue Dec 19 16:04:55 UTC 2017 

details:   http://hg.nginx.org/nginx/rev/56923e8e01a5
branches:  
changeset: 7175:56923e8e01a5
user:      Roman Arutyunyan <arut at nginx.com>
date:      Mon Dec 18 21:09:39 2017 +0300
description:
Improved the capabilities feature detection.

Previously included file sys/capability.h mentioned in capset(2) man page,
belongs to the libcap-dev package, which may not be installed on some Linux
systems when compiling nginx.  This prevented the capabilities feature from
being detected and compiled on that systems.

Now linux/capability.h system header is included instead.  Since capset()
declaration is located in sys/capability.h, now capset() syscall is defined
explicitly in code using the SYS_capset constant, similarly to other
Linux-specific features in nginx.

diffstat:

 auto/os/linux                   |  5 +++--
 src/os/unix/ngx_linux_config.h  |  2 +-
 src/os/unix/ngx_process_cycle.c |  2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diffs (46 lines):

diff -r 84e53e4735a4 -r 56923e8e01a5 auto/os/linux
--- a/auto/os/linux	Wed Dec 13 20:40:53 2017 +0300
+++ b/auto/os/linux	Mon Dec 18 21:09:39 2017 +0300
@@ -174,7 +174,8 @@ ngx_feature_test="if (prctl(PR_SET_KEEPC
 ngx_feature="capabilities"
 ngx_feature_name="NGX_HAVE_CAPABILITIES"
 ngx_feature_run=no
-ngx_feature_incs="#include <sys/capability.h>"
+ngx_feature_incs="#include <linux/capability.h>
+                  #include <sys/syscall.h>"
 ngx_feature_path=
 ngx_feature_libs=
 ngx_feature_test="struct __user_cap_data_struct    data;
@@ -184,7 +185,7 @@ ngx_feature_test="struct __user_cap_data
                   data.effective = CAP_TO_MASK(CAP_NET_RAW);
                   data.permitted = 0;
 
-                  (void) capset(&header, &data)"
+                  (void) SYS_capset"
 . auto/feature
 
 
diff -r 84e53e4735a4 -r 56923e8e01a5 src/os/unix/ngx_linux_config.h
--- a/src/os/unix/ngx_linux_config.h	Wed Dec 13 20:40:53 2017 +0300
+++ b/src/os/unix/ngx_linux_config.h	Mon Dec 18 21:09:39 2017 +0300
@@ -100,7 +100,7 @@ typedef struct iocb  ngx_aiocb_t;
 
 
 #if (NGX_HAVE_CAPABILITIES)
-#include <sys/capability.h>
+#include <linux/capability.h>
 #endif
 
 
diff -r 84e53e4735a4 -r 56923e8e01a5 src/os/unix/ngx_process_cycle.c
--- a/src/os/unix/ngx_process_cycle.c	Wed Dec 13 20:40:53 2017 +0300
+++ b/src/os/unix/ngx_process_cycle.c	Mon Dec 18 21:09:39 2017 +0300
@@ -869,7 +869,7 @@ ngx_worker_process_init(ngx_cycle_t *cyc
             data.effective = CAP_TO_MASK(CAP_NET_RAW);
             data.permitted = data.effective;
 
-            if (capset(&header, &data) == -1) {
+            if (syscall(SYS_capset, &header, &data) == -1) {
                 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
                               "capset() failed");
                 /* fatal */

More information about the nginx-devel mailing list