From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 24 Jun 2013 16:22:31 +0000 (+0200)
Subject: capabilities: Only plugins that require CAP_NET_ADMIN demand it
X-Git-Tag: 5.1.0dr1~32^2~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41b8546ac0a8c95496d1812f35eefa696cf8212c;p=thirdparty%2Fstrongswan.git

capabilities: Only plugins that require CAP_NET_ADMIN demand it

The daemon as such does not require this capability.
---

diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index bc0407dc1c..1ad80693a9 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -33,10 +33,6 @@
 #include <processing/jobs/start_action_job.h>
 #include <threading/mutex.h>
 
-#ifndef CAP_NET_ADMIN
-#define CAP_NET_ADMIN 12
-#endif
-
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
@@ -624,12 +620,6 @@ bool libcharon_init(const char *name)
 
 	this = daemon_create(name);
 
-	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
-	{
-		dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
-		return FALSE;
-	}
-
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
 
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index d5f3bc248b..bac3c1c45e 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -102,6 +102,13 @@ plugin_t *kernel_libipsec_plugin_create()
 {
 	private_kernel_libipsec_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to create TUN devices */
+		DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 0eb00dadfb..2db03d8543 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -65,6 +65,13 @@ plugin_t *kernel_netlink_plugin_create()
 {
 	private_kernel_netlink_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to bind/use XFRM sockets / create routing tables */
+		DBG1(DBG_KNL, "kernel-netlink plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 894175402b..d2c00b0f27 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,6 +62,12 @@ plugin_t *kernel_pfkey_plugin_create()
 {
 	private_kernel_pfkey_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to open PF_KEY sockets */
+		DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index b9e5b9b1a1..ebcca46db9 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -32,6 +32,10 @@ typedef struct capabilities_t capabilities_t;
 # include <linux/capability.h>
 #endif
 
+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN 12
+#endif
+
 /**
  * POSIX capability dropping abstraction layer.
  */