configure: add configuration options for libcap-ng

Add configuration option for enabling or disabling linking with
libcap-ng.  Since capabilities are a security feature, the libcapng
option is handled as follows:

    - no option: use libcapng if it's present

    --disable-libcapng: do not use libcapng

    --enable-libcapng: do use libcapng and fail configuration if
                       it's missing

On Linux, not linking with libcapng makes all OVS daemons fail when
--user option is specified.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

diff --git a/INSTALL.md b/INSTALL.md
index 9dac430..906825a 100644 (file)
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -43,6 +43,11 @@ you will need the following software:
     libssl is installed, then Open vSwitch will automatically build
     with support for it.
 
+  - libcap-ng, written by Steve Grubb, is optional but recommended.  It
+    is required to run OVS daemons as a non-root user with dropped root
+    privileges.  If libcap-ng is installed, then Open vSwitch will
+    automatically build with support for it.
+
   - Python 2.7.
 
 On Linux, you may choose to compile the kernel module that comes with

diff --git a/configure.ac b/configure.ac
index fd04929..c828d2c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -92,6 +92,7 @@ OVS_CHECK_COVERAGE
 OVS_CHECK_NDEBUG
 OVS_CHECK_NETLINK
 OVS_CHECK_OPENSSL
+OVS_CHECK_LIBCAPNG
 OVS_CHECK_LOGDIR
 OVS_CHECK_PYTHON
 OVS_CHECK_DOT

diff --git a/lib/automake.mk b/lib/automake.mk
index 5fdd08f..d8c00da 100644 (file)
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -8,6 +8,7 @@
 lib_LTLIBRARIES += lib/libopenvswitch.la
 
 lib_libopenvswitch_la_LIBADD = $(SSL_LIBS)
+lib_libopenvswitch_la_LIBADD += $(CAPNG_LDADD)
 
 if WIN32
 lib_libopenvswitch_la_LIBADD += ${PTHREAD_LIBS}

diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4
index 98e5ce9..d355811 100644 (file)
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@@ -186,6 +186,42 @@ AC_DEFUN([OVS_CHECK_NETLINK],
                 [Define to 1 if Netlink protocol is available.])
    fi])
 
+dnl Checks for libcap-ng.
+AC_DEFUN([OVS_CHECK_LIBCAPNG],
+  [AC_ARG_ENABLE(
+     [libcapng],
+     [AC_HELP_STRING([--disable-libcapng], [Disable Linux capability support])],
+     [case "${enableval}" in
+        (yes) libcapng=true ;;
+        (no)  libcapng=false ;;
+        (*) AC_MSG_ERROR([bad value ${enableval} for --enable-libcapng]) ;;
+      esac],
+     [libcapng=check])
+
+   if test "$libcapng" != false; then
+       AC_CHECK_LIB([cap-ng], [capng_clear], [HAVE_LIBCAPNG=yes])
+
+       if test "$HAVE_LIBCAPNG" != yes; then
+           if test "$libcapng" = true ; then
+                AC_MSG_ERROR([libcap-ng support requested, but not found])
+           fi
+           if test "$libcapng" = check ; then
+                 AC_MSG_WARN([cannot find libcap-ng.
+--user option will not be supported on Linux.
+(you may use --disable-libcapng to suppress this warning). ])
+           fi
+       fi
+   fi
+
+   AC_SUBST([HAVE_LIBCAPNG])
+   AM_CONDITIONAL([HAVE_LIBCAPNG], [test "$HAVE_LIBCAPNG" = yes])
+   if test "$HAVE_LIBCAPNG" = yes; then
+      AC_DEFINE([HAVE_LIBCAPNG], [1],
+                [Define to 1 if libcap-ng is available.])
+      CAPNG_LDADD="-lcap-ng"
+      AC_SUBST([CAPNG_LDADD])
+   fi])
+
 dnl Checks for OpenSSL.
 AC_DEFUN([OVS_CHECK_OPENSSL],
   [AC_ARG_ENABLE(