check_capability: explicitly target recent linux implementations

There are several, incompatible, capabilities implementations, all
exposed through `<sys/capability.h>`. Currently only Linux's V3
function and capability sets are supported.

This patch guards against using Linux-specific functions & capabilities
on other implementations, while structring the code to allow adding
support for them.

diff --git a/src/ceph.c b/src/ceph.c
index e9bb960..8cda764 100644 (file)
--- a/src/ceph.c
+++ b/src/ceph.c
@@ -1577,7 +1577,7 @@ static int ceph_init(void)
 {
     int ret;
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_DAC_OVERRIDE)
   if (check_capability (CAP_DAC_OVERRIDE) != 0)
   {
     if (getuid () == 0)

diff --git a/src/daemon/common.c b/src/daemon/common.c
index 3e2db15..7656191 100644 (file)
--- a/src/daemon/common.c
+++ b/src/daemon/common.c
@@ -1676,6 +1676,7 @@ void strarray_free (char **array, size_t array_len) /* {{{ */
 #ifdef HAVE_SYS_CAPABILITY_H
 int check_capability (int capability) /* {{{ */
 {
+#ifdef _LINUX_CAPABILITY_VERSION_3
        struct __user_cap_header_struct cap_header_data;
        cap_user_header_t cap_header = &cap_header_data;
        struct __user_cap_data_struct cap_data_data;
@@ -1693,5 +1694,10 @@ int check_capability (int capability) /* {{{ */
                return (-1);
        else
                return (0);
+#else
+       WARNING ("check_capability: unsupported capability implementation. "
+           "Some plugin(s) may require elevated privileges to work properly.");
+       return (0);
+#endif /* _LINUX_CAPABILITY_VERSION_3 */
 } /* }}} int check_capability */
-#endif
+#endif /* HAVE_SYS_CAPABILITY_H */

diff --git a/src/dns.c b/src/dns.c
index be6d0dc..5312839 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
@@ -351,7 +351,7 @@ static int dns_init (void)
 
        listen_thread_init = 1;
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
        if (check_capability (CAP_NET_RAW) != 0)
        {
                if (getuid () == 0)

diff --git a/src/exec.c b/src/exec.c
index c51465b..1a14293 100644 (file)
--- a/src/exec.c
+++ b/src/exec.c
@@ -810,7 +810,7 @@ static int exec_init (void) /* {{{ */
 
   sigaction (SIGCHLD, &sa, NULL);
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_SETUID) && defined(CAP_SETGID)
   if ((check_capability (CAP_SETUID) != 0) ||
       (check_capability (CAP_SETGID) != 0))
   {

diff --git a/src/iptables.c b/src/iptables.c
index 66dbab7..c0854b3 100644 (file)
--- a/src/iptables.c
+++ b/src/iptables.c
@@ -505,7 +505,7 @@ static int iptables_shutdown (void)
 
 static int iptables_init (void)
 {
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_ADMIN)
     if (check_capability (CAP_NET_ADMIN) != 0)
     {
         if (getuid () == 0)

diff --git a/src/ping.c b/src/ping.c
index 9b5d5ca..7b28ed3 100644 (file)
--- a/src/ping.c
+++ b/src/ping.c
@@ -452,7 +452,7 @@ static int ping_init (void) /* {{{ */
         "Will use a timeout of %gs.", ping_timeout);
   }
 
-#ifdef HAVE_SYS_CAPABILITY_H
+#if defined(HAVE_SYS_CAPABILITY_H) && defined(CAP_NET_RAW)
   if (check_capability (CAP_NET_RAW) != 0)
   {
     if (getuid () == 0)

diff --git a/src/turbostat.c b/src/turbostat.c
index 6e0405d..a1faac4 100644 (file)
--- a/src/turbostat.c
+++ b/src/turbostat.c
@@ -1480,13 +1480,13 @@ check_permissions(void)
        if (getuid() == 0) {
                /* We have everything we need */
                return 0;
-#ifndef HAVE_SYS_CAPABILITY_H
+#if !defined(HAVE_SYS_CAPABILITY_H) && !defined(CAP_SYS_RAWIO)
        } else {
                ERROR("turbostat plugin: Initialization failed: this plugin "
                      "requires collectd to run as root");
                return -1;
        }
-#else /* HAVE_SYS_CAPABILITY_H */
+#else /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
        }
 
        if (check_capability(CAP_SYS_RAWIO) != 0) {
@@ -1511,7 +1511,7 @@ check_permissions(void)
                      "collectd a special capability (CAP_SYS_RAWIO) and read "
                       "access to /dev/cpu/*/msr (see previous warnings)");
        return ret;
-#endif /* HAVE_SYS_CAPABILITY_H */
+#endif /* HAVE_SYS_CAPABILITY_H && CAP_SYS_RAWIO */
 }
 
 static int