capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets

But as the sockets will be created with the user/group of the running
process this might not be required as no change may be needed.

diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 4d018dbeff2649d819e129bf79cbf541da472e40..d6e652d5984c9964e73d818c69b07cd51577d4b2 100644 (file)
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,6 +98,12 @@ plugin_t *duplicheck_plugin_create()
                return NULL;
        }
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) notify socket */
+               DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index a1e4351ebd99aaf3544e640f20cdd64f56fa2cbe..48b3d94db707658c3c32ed74ee43a6361fe818c5 100644 (file)
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,6 +92,12 @@ plugin_t *error_notify_plugin_create()
 {
        private_error_notify_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) notify socket */
+               DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 677985c578c6a5d90de6a90a1bf7a27d5cc1d7b0..e7697dc4f0ef346b32b68f83f5d9dee58d571df1 100644 (file)
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -179,6 +179,12 @@ plugin_t *ha_plugin_create()
                return NULL;
        }
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) control socket */
+               DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 6fee2bf3b193560eca71ef90332a865981a69095..a32a2a43502c7d824bef7a038dda1a7efaf1d881 100644 (file)
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,6 +269,12 @@ plugin_t *load_tester_plugin_create()
                return NULL;
        }
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) control socket */
+               DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 319d72753bf766894ad4c0540f1d3e9e40cc9d3d..89bdad92e492f52541b36c884d1ab41d327d284f 100644 (file)
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,6 +92,12 @@ plugin_t *lookip_plugin_create()
 {
        private_lookip_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) control socket */
+               DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 0c240cf7f15ab6fc1b6021acb9a8c169d913ccdd..d13b82216ab65c5e700204359de306f4e84ae316 100644 (file)
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -739,6 +739,12 @@ plugin_t *smp_plugin_create()
        private_smp_t *this;
        mode_t old;
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) control socket */
+               DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 4e47a120d6969a790b9dfa25379af3076f86a354..6c4687f4a36c8af19b97d014200fbaa2695ee33d 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,6 +91,12 @@ plugin_t *stroke_plugin_create()
 {
        private_stroke_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) stroke socket */
+               DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 5ba3e1449ff00d8761a836a639bede6729ac5670..4f397d76e80623b5ac8236143a036a0f6c8a16eb 100644 (file)
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,6 +92,12 @@ plugin_t *whitelist_plugin_create()
 {
        private_whitelist_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       {       /* required to chown(2) control socket */
+               DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {