static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
{
exit(SS_RC_INITIALIZATION_FAILED);
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
exit(SS_RC_INITIALIZATION_FAILED);
}
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
}
lib->plugins->status(lib->plugins, LEVEL_CTRL);
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
goto deinit;
}
/* bypass file permissions to read from users ssh-agent */
- if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
{
DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
nm_backend_deinit();
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
if (pidfile)
{
ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
}
goto deinit;
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
goto deinit;
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
#endif
#ifdef ANDROID
- charon->caps->set_uid(charon->caps, AID_VPN);
+ lib->caps->set_uid(lib->caps, AID_VPN);
#endif
return TRUE;
}
if (pidfile)
{
ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
}
goto deinit;
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting charon");
goto deinit;
DESTROY_IF(this->public.xauth);
DESTROY_IF(this->public.backends);
DESTROY_IF(this->public.socket);
- DESTROY_IF(this->public.caps);
/* rehook library logging, shutdown logging */
dbg = dbg_old;
.ref = 1,
);
charon = &this->public;
- this->public.caps = capabilities_create();
this->public.controller = controller_create();
this->public.eap = eap_manager_create();
this->public.xauth = xauth_manager_create();
this = daemon_create(name);
- if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+ if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
{
dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
return FALSE;
#include <config/backend_manager.h>
#include <sa/eap/eap_manager.h>
#include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
#ifdef ME
#include <sa/ikev2/connect_manager.h>
mediation_manager_t *mediation_manager;
#endif /* ME */
- /**
- * POSIX capability dropping
- */
- capabilities_t *caps;
-
/**
* Name of the binary that uses the library (used for settings etc.)
*/
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
strerror(errno));
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
strerror(errno));
}
umask(old);
}
- if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
strerror(errno));
{
while (enumerator->enumerate(enumerator, NULL, &file, NULL))
{
- if (chown(file, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(file, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
strerror(errno));
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
strerror(errno));
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
strerror(errno));
return NULL;
}
umask(old);
- if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
}
return FALSE;
}
umask(old);
- if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
strerror(errno));
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
strerror(errno));
xauth_pam_plugin_t *this;
/* required for PAM authentication */
- if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+ if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
{
DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
return NULL;
}
return !this->integrity_failed;
}
-
this->public.creds->destroy(this->public.creds);
this->public.encoding->destroy(this->public.encoding);
this->public.crypto->destroy(this->public.crypto);
+ this->public.caps->destroy(this->public.caps);
this->public.proposal->destroy(this->public.proposal);
this->public.fetcher->destroy(this->public.fetcher);
this->public.resolver->destroy(this->public.resolver);
this->public.settings = settings_create(settings);
this->public.hosts = host_resolver_create();
this->public.proposal = proposal_keywords_create();
+ this->public.caps = capabilities_create();
this->public.crypto = crypto_factory_create();
this->public.creds = credential_factory_create();
this->public.credmgr = credential_manager_create();
#include "credentials/credential_manager.h"
#include "credentials/cred_encoding.h"
#include "utils/chunk.h"
+#include "utils/capabilities.h"
#include "utils/integrity_checker.h"
#include "utils/leak_detective.h"
#include "utils/settings.h"
*/
proposal_keywords_t *proposal;
+ /**
+ * POSIX capability dropping
+ */
+ capabilities_t *caps;
+
/**
* crypto algorithm registry and factory
*/
#ifndef CAPABILITIES_H_
#define CAPABILITIES_H_
+typedef struct capabilities_t capabilities_t;
+
#include <library.h>
#ifdef HAVE_SYS_CAPABILITY_H
# include <sys/capability.h>
# include <linux/capability.h>
#endif
-typedef struct capabilities_t capabilities_t;
-
/**
* POSIX capability dropping abstraction layer.
*/
projects / thirdparty / strongswan.git / commitdiff
