Re: [MERGE] Use libcap instead of direct linux capability syscalls

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Oct 2009 12:52:22 +1300

On Tue, 20 Oct 2009 01:04:26 +0200, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> mån 2009-10-19 klockan 12:10 +1300 skrev Amos Jeffries:
>
>> Um, is that function libcap2 specific?
>
> Not sure when it was added. Checking... seems to be 2.09. Added to the
> git repository Sat Mar 29 21:40:06 2008 -0700.
>
> There is also a libcap-ng project these days, with yet another API..

The other was mentioned as a possible requirement as well. I have not
spent any time seeing whether its worth it or not to support libcap-ng. Do
you know enough about them both to pick?

>
>> It may be related to the LIBCAP_BROKEN identifier or another such test
>> for the specific function may be worth adding...
>
> I rather have one code base than two here.. either libcap is used or it
> is not. Using libcap if found working or raw syscalls if not does not
> sound like a good idea to me.
>
> But maybe we can require a reasonably current libcap-2 for TPROXY
> support? It requires a custom kernel anyway on the systems with too old
> libcap implementations I think.

We can do that yes. I think I would also rather do it too. It paves the
way for a clean deprecation cycle now that TPROXYv4 kernels are effectively
mainstream:

 3.0: (2008-2010) TPROXYv2 with libcap + libcap2
 3.1: (2010-2012) support TPROXYv2 + TPROXYv4 with libcap2
 3.2: (2011?) support TPROXYv4 with libcap2

Amos
Received on Mon Oct 19 2009 - 23:52:28 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 27 2009 - 12:00:05 MDT