In this post, we will work towards getting libcapability from capsicum-core building under Linux.
As a word of warning, this may not be the cleanest, most professional way of getting things building. In general, you shouldn’t do things like this ^_^
Since we are using the Linux version, there are a few changes that need to be made. Namely, we don’t have cap_enter defined in libc, which the configure autoconf file looks for. To get around this, we will grab the capsicum header from the capsicum-test project, convert it into C code from C++, and place it in a system include location.
First, grab the repositories:
We cloned my fork of the capsicum-test repository, as the pull request to fix compilation issues I was having hasn’t been reviewed and merged yet. Additionally, the convert-to-c branch has an updated capsicum.h that will compile as C code.
Update 14Feb2014 10:54:38 - The linux.cc compilation issue mentioned previously has been fixed in the Google repository. I’ve got a pull request in regarding the C++ to C conversion.
Next, let’s place the header file someplace accessible:
Now we need to change the code in a few different ways. For the impatient, output of
is available here.
First, update configure.ac to stop checking for cap_enter in libc. Remove this line:
AC_CHECK_LIB([c], [cap_enter], , [exit -1])
Now we can generate the configure script:
Next, in libcapability.h, add an include statement for capsicum.h someplace. I chose line 24:
Now we need to define the __DECONST macro in libcapability.c - this macro can probably come from someplace sensible, but I couldn’t find it. Here’s the code I added (after the includes):
Next, we need to restructure (pun intended) some declarations in libcapability_sandbox_api.h - each struct declaration ending with __packed should be changed like so:
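As an added example (not the author's original changes, which are not reproduced on this page), this C file shows Linux stand-ins for the two FreeBSD sys/cdefs.h macros discussed above, __DECONST and __packed. The names demo_hdr, demo_hdr_padded, demo_iov, demo_wrap and demo_len_offset are hypothetical and are not libcapability code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FreeBSD's <sys/cdefs.h> spells this with __uintptr_t; uintptr_t from
 * <stdint.h> is used here (assumption: any C99 toolchain on Linux). */
#ifndef __DECONST
#define __DECONST(type, var) ((type)(uintptr_t)(const void *)(var))
#endif

/* FreeBSD's __packed expands to this GCC/Clang attribute, written out
 * directly. Hypothetical header, not a libcapability struct. */
struct demo_hdr {
    uint8_t  op;
    uint32_t len;
    uint64_t seq;
} __attribute__((__packed__));

/* Same fields without the attribute: the compiler inserts padding. */
struct demo_hdr_padded {
    uint8_t  op;
    uint32_t len;
    uint64_t seq;
};

/* iovec-style descriptor whose base pointer is not const-qualified. */
struct demo_iov {
    void  *base;
    size_t len;
};

/* Describe a read-only buffer to an API that only reads through base.
 * Writing through the result would be undefined behaviour if the
 * object really is const. */
struct demo_iov demo_wrap(const void *buf, size_t len)
{
    struct demo_iov iov = { __DECONST(void *, buf), len };
    return iov;
}

size_t demo_len_offset(void) { return offsetof(struct demo_hdr, len); }

int main(void)
{
    printf("packed=%zu padded=%zu len@%zu\n", sizeof(struct demo_hdr),
           sizeof(struct demo_hdr_padded), demo_len_offset());
    return 0;
}
```

If a packed struct crosses a process boundary, both sides must be compiled with the same layout, so a missed __packed conversion shows up as a size or offset mismatch like the one printed here.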
With that step complete, we need to update the include path for procdesc.h. In libcapability_host.h, change the include of
Note that I’m assuming the APIs are compatible between the Linux procdesc and the BSD version. Here’s hoping!
With these changes in place, trying to run make yields one more error:
I’m currently trying to track down an sbuf implementation for Linux. In the meantime, check out the BSD manpage for it!