Make libcap dependency condition on EVEREST_ENABLE_USER_AND_CAPABILIT…

…IES cmake parameter. ON by default

Signed-off-by: Kai-Uwe Hermann <[email protected]>

CMakeLists.txt

@@ -20,6 +20,7 @@ option(EVEREST_ENABLE_PY_SUPPORT "Enable everestpy for Python modules" ON)
 option(EVEREST_ENABLE_RS_SUPPORT "Enable everestrs for Rust modules" OFF)
 option(EVEREST_ENABLE_ADMIN_PANEL_BACKEND "Enable everest admin panel backend" ON)
 option(EVEREST_INSTALL_ADMIN_PANEL "Download and install everest admin panel" ON)
+option(EVEREST_ENABLE_USER_AND_CAPABILITIES "Enable user and capabilities support using libcap" ON)
 
 # make own cmake modules available
 list(INSERT CMAKE_MODULE_PATH 0 "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
@@ -33,12 +34,14 @@ find_package(Boost
     REQUIRED
 )
 
-find_package(PkgConfig REQUIRED)
-pkg_check_modules(libcap
-    REQUIRED
-    IMPORTED_TARGET
-    libcap
-)
+if (EVEREST_ENABLE_USER_AND_CAPABILITIES)
+    find_package(PkgConfig REQUIRED)
+    pkg_check_modules(libcap
+        REQUIRED
+        IMPORTED_TARGET
+        libcap
+    )
+endif ()
 
 if(NOT DISABLE_EDM)
     evc_setup_edm()

src/CMakeLists.txt

@@ -9,7 +9,6 @@ target_link_libraries(manager
     PRIVATE
         everest::framework
         Boost::program_options
-        PkgConfig::libcap
 )
 
 if (EVEREST_ENABLE_ADMIN_PANEL_BACKEND)
@@ -23,6 +22,14 @@ if (EVEREST_ENABLE_ADMIN_PANEL_BACKEND)
     add_subdirectory(controller)
 endif ()
 
+if (EVEREST_ENABLE_USER_AND_CAPABILITIES)
+    target_compile_definitions(manager PRIVATE ENABLE_USER_AND_CAPABILITIES)
+    target_link_libraries(manager
+        PRIVATE
+            PkgConfig::libcap
+    )
+endif ()
+
 target_compile_options(manager PRIVATE ${COMPILER_WARNING_OPTIONS})
 
 target_compile_features(manager PRIVATE cxx_std_17)

src/system_unix.cpp

@@ -7,11 +7,15 @@
 #include <stdexcept>
 
 #include <fcntl.h>
+#ifdef ENABLE_USER_AND_CAPABILITIES
 #include <grp.h>
 #include <linux/securebits.h>
+#endif
 #include <pwd.h>
 #include <signal.h>
+#ifdef ENABLE_USER_AND_CAPABILITIES
 #include <sys/capability.h>
+#endif
 #include <sys/prctl.h>
 #include <unistd.h>
 
@@ -21,6 +25,7 @@ namespace Everest::system {
 
 const auto PARENT_DIED_SIGNAL = SIGTERM;
 
+#ifdef ENABLE_USER_AND_CAPABILITIES
 struct GetPasswdEntryResult {
     explicit GetPasswdEntryResult(const std::string& error_) : error(error_) {
     }
@@ -60,13 +65,18 @@ static GetPasswdEntryResult get_passwd_entry(const std::string& user_name) {
 
     return GetPasswdEntryResult(entry->pw_uid, entry->pw_gid, std::vector<gid_t>(groups, groups + ngroups));
 }
+#endif
 
 bool keep_caps() {
+#ifdef ENABLE_USER_AND_CAPABILITIES
     return (0 == cap_set_secbits(SECBIT_KEEP_CAPS));
+#else
+    return true;
+#endif
 }
 
 std::string set_caps(const std::vector<std::string>& capabilities) {
-
+#ifdef ENABLE_USER_AND_CAPABILITIES
     std::vector<cap_value_t> capability_values;
     capability_values.resize(capabilities.size());
 
@@ -97,13 +107,13 @@ std::string set_caps(const std::vector<std::string>& capabilities) {
             return "Failed to add capabilities to ambient set";
         }
     }
-
+#endif
     return {};
 }
 
 std::string set_real_user(const std::string& user_name) {
     // Set special capabilities if required by module
-
+#ifdef ENABLE_USER_AND_CAPABILITIES
     const auto entry = get_passwd_entry(user_name);
 
     if (not entry) {
@@ -124,7 +134,7 @@ std::string set_real_user(const std::string& user_name) {
     if (set_uid_failed) {
         return "setuid failed";
     }
-
+#endif
     return {};
 }
 
@@ -160,6 +170,7 @@ pid_t SubProcess::check_child_executed() {
 }
 
 std::string set_user_and_capabilities(const std::string& run_as_user, const std::vector<std::string>& capabilities) {
+#ifdef ENABLE_USER_AND_CAPABILITIES
     if (not capabilities.empty()) {
         // we need to keep caps, otherwise, we'll loose all our capabilities (except inherited)
         if (system::keep_caps() == false) {
@@ -183,7 +194,7 @@ std::string set_user_and_capabilities(const std::string& run_as_user, const std:
             return fmt::format("Failed to set capabilities: {}", error);
         }
     }
-
+#endif
     return {};
 }