Improved the capabilities feature detection.

Previously included file sys/capability.h mentioned in capset(2) man page,
belongs to the libcap-dev package, which may not be installed on some Linux
systems when compiling nginx.  This prevented the capabilities feature from
being detected and compiled on that systems.

Now linux/capability.h system header is included instead.  Since capset()
declaration is located in sys/capability.h, now capset() syscall is defined
explicitly in code using the SYS_capset constant, similarly to other
Linux-specific features in nginx.

auto/os/linux

@@ -174,7 +174,8 @@ ngx_feature_test="if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return 1"
 ngx_feature="capabilities"
 ngx_feature_name="NGX_HAVE_CAPABILITIES"
 ngx_feature_run=no
-ngx_feature_incs="#include <sys/capability.h>"
+ngx_feature_incs="#include <linux/capability.h>
+                  #include <sys/syscall.h>"
 ngx_feature_path=
 ngx_feature_libs=
 ngx_feature_test="struct __user_cap_data_struct    data;
@@ -184,7 +185,7 @@ ngx_feature_test="struct __user_cap_data_struct    data;
                   data.effective = CAP_TO_MASK(CAP_NET_RAW);
                   data.permitted = 0;
 
-                  (void) capset(&header, &data)"
+                  (void) SYS_capset"
 . auto/feature
 
 

src/os/unix/ngx_linux_config.h

@@ -100,7 +100,7 @@ typedef struct iocb  ngx_aiocb_t;
 
 
 #if (NGX_HAVE_CAPABILITIES)
-#include <sys/capability.h>
+#include <linux/capability.h>
 #endif
 
 

src/os/unix/ngx_process_cycle.c

@@ -869,7 +869,7 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
             data.effective = CAP_TO_MASK(CAP_NET_RAW);
             data.permitted = data.effective;
 
-            if (capset(&header, &data) == -1) {
+            if (syscall(SYS_capset, &header, &data) == -1) {
                 ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
                               "capset() failed");
                 /* fatal */