capabilities: Only plugins that require CAP_NET_ADMIN demand it
authorTobias Brunner <tobias@strongswan.org>
Mon, 24 Jun 2013 16:22:31 +0000 (18:22 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 25 Jun 2013 15:16:32 +0000 (17:16 +0200)
The daemon as such does not require this capability.

src/libcharon/daemon.c
src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
src/libstrongswan/utils/capabilities.h

index bc0407dc1c7793a2d9e0411bd02b8b14b26f8ace..1ad80693a915087b83958d4fe8a98069f0c5dee4 100644 (file)
 #include <processing/jobs/start_action_job.h>
 #include <threading/mutex.h>
 
-#ifndef CAP_NET_ADMIN
-#define CAP_NET_ADMIN 12
-#endif
-
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
@@ -624,12 +620,6 @@ bool libcharon_init(const char *name)
 
        this = daemon_create(name);
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
-       {
-               dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
-               return FALSE;
-       }
-
        /* for uncritical pseudo random numbers */
        srandom(time(NULL) + getpid());
 
index d5f3bc248b2d1b92023cac8f6c17a7b40ee96dbd..bac3c1c45e5d65d4f21044a9124855e3e37bd407 100644 (file)
@@ -102,6 +102,13 @@ plugin_t *kernel_libipsec_plugin_create()
 {
        private_kernel_libipsec_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       {       /* required to create TUN devices */
+               DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+                        "capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {
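Review bot: With the daemon-wide request removed, CAP_NET_ADMIN is now retained only if one of the three patched constructors runs (`kernel_libipsec_plugin_create` here, plus `kernel_netlink_plugin_create` and `kernel_pfkey_plugin_create`), and all three presumably have to run before the process drops its capabilities. Neither that ordering requirement nor the new NULL return is stated in the hunk; I would extend the comment on the check, e.g. `/* required to create TUN devices; must be requested before capabilities are dropped */`, and note in the constructor's doc comment that it returns NULL when the capability is not held. Any plugin not touched by this commit that performs a CAP_NET_ADMIN-gated operation would have relied on the old check in `libcharon_init()` and should be audited for a matching `keep()` call. The constructor's body continues past the end of the hunk.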
index 0eb00dadfbf69dc6dd6c33cf909eb9ba5b5d14a6..2db03d85431266c6c6e76395aec4fdecadc28d0f 100644 (file)
@@ -65,6 +65,13 @@ plugin_t *kernel_netlink_plugin_create()
 {
        private_kernel_netlink_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       {       /* required to bind/use XFRM sockets / create routing tables */
+               DBG1(DBG_KNL, "kernel-netlink plugin requires CAP_NET_ADMIN "
+                        "capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {
index 894175402beb2e7c476d0fa6caf88344d4c69ef0..d2c00b0f27a39745fb4dbf95253f6c14c1a22336 100644 (file)
@@ -62,6 +62,12 @@ plugin_t *kernel_pfkey_plugin_create()
 {
        private_kernel_pfkey_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       {       /* required to open PF_KEY sockets */
+               DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {
index b9e5b9b1a1988c156bca008a7ee0751718a4acb1..ebcca46db9edfd1d1a0bd2bca356cf99207f934b 100644 (file)
@@ -32,6 +32,10 @@ typedef struct capabilities_t capabilities_t;
 # include <linux/capability.h>
 #endif
 
+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN 12
+#endif
+
 /**
  * POSIX capability dropping abstraction layer.
  */
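Review bot: The fallback `#define CAP_NET_ADMIN 12` now lives in a shared header but has no comment saying what the literal is or when it applies. I would add `/* fallback for platforms whose headers lack it; 12 is the Linux value of CAP_NET_ADMIN */` above the `#ifndef`. If `keep()` cannot actually verify anything on such platforms (inferred, not visible in this hunk), the header should say so, because the plugin checks added in this commit would then never fail there.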