capabilities: Some plugins don't actually require capabilities at runtime

diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index 31195e25b31df9572f150622e08c5e14ba234f6a..c36c60d28c6b4e5e51e3f9f7b6611141d325bc23 100644 (file)
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -107,13 +107,14 @@ plugin_t *dhcp_plugin_create()
 {
        private_dhcp_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+       if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
        {       /* required to bind DHCP socket (port 68) */
                DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
                return NULL;
        }
        else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
-       {       /* required to open DHCP receive socket (AF_PACKET) */
+       {       /* required to open DHCP receive socket (AF_PACKET). according to
+                * capabilities(7) it is also required to use the socket */
                DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index d6e652d5984c9964e73d818c69b07cd51577d4b2..6b8609ebc4c97ad62dd77a600d2ca6eaf5aaaca8 100644 (file)
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,7 +98,7 @@ plugin_t *duplicheck_plugin_create()
                return NULL;
        }
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) notify socket */
                DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index 48b3d94db707658c3c32ed74ee43a6361fe818c5..9ee3ed69f51bf021e97ff2d5640e1cd8eaadb131 100644 (file)
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,7 +92,7 @@ plugin_t *error_notify_plugin_create()
 {
        private_error_notify_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) notify socket */
                DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index d31defca451ae44e4bad1506f4d8093d58ac9959..4b74da3b930558d135c3178797f249779eb33929 100644 (file)
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -93,7 +93,8 @@ plugin_t *farp_plugin_create()
        private_farp_plugin_t *this;
 
        if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
-       {       /* required to open ARP socket (AF_PACKET) */
+       {       /* required to open ARP socket (AF_PACKET). according to capabilities(7)
+                * it is also require to use the socket */
                DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index e7697dc4f0ef346b32b68f83f5d9dee58d571df1..5d4cc618487dbe599307ff785c3b24210e8bbdc7 100644 (file)
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -180,7 +180,8 @@ plugin_t *ha_plugin_create()
        }
 
        if (!lib->caps->keep(lib->caps, CAP_CHOWN))
-       {       /* required to chown(2) control socket */
+       {       /* required to chown(2) control socket, ha_kernel also needs it at
+                * runtime */
                DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index bac3c1c45e5d65d4f21044a9124855e3e37bd407..56f5262176a9f861b47353a77716bb31e8757613 100644 (file)
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -102,7 +102,7 @@ plugin_t *kernel_libipsec_plugin_create()
 {
        private_kernel_libipsec_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
        {       /* required to create TUN devices */
                DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
                         "capability");

diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index a32a2a43502c7d824bef7a038dda1a7efaf1d881..7f2d425fd36eacfbf4b3570ffad91c600526d29c 100644 (file)
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,7 +269,7 @@ plugin_t *load_tester_plugin_create()
                return NULL;
        }
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 89bdad92e492f52541b36c884d1ab41d327d284f..4466ad99fd22f6c955f754bf0fc8bc42ecf7b007 100644 (file)
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,7 +92,7 @@ plugin_t *lookip_plugin_create()
 {
        private_lookip_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 1236088196f433984c9a61a0ba31bd9a54f56d6d..a92e571de1ee6257b70db945b68d622c12849b01 100644 (file)
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -741,7 +741,7 @@ plugin_t *smp_plugin_create()
        private_smp_t *this;
        mode_t old;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 54380eda0026e6c8a8211f010eeb4a3e8a894614..4139afe5a107ebc3d728b19ecfbe4029d7c27995 100644 (file)
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -736,7 +736,7 @@ socket_default_socket_t *socket_default_socket_create()
 
        if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
        {
-               if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+               if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
                {
                        /* required to bind ports < 1024 */
                        DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "

diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 6c4687f4a36c8af19b97d014200fbaa2695ee33d..767bdc64bd779bcaa51c71e4dcd4193d9cb41d05 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,7 +91,7 @@ plugin_t *stroke_plugin_create()
 {
        private_stroke_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) stroke socket */
                DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 4f397d76e80623b5ac8236143a036a0f6c8a16eb..e51f02c056158259f3e64e3b99e490d949635984 100644 (file)
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,7 +92,7 @@ plugin_t *whitelist_plugin_create()
 {
        private_whitelist_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index d2c00b0f27a39745fb4dbf95253f6c14c1a22336..61d576547d57fb16c2810b9e8cec2fefdb6993df 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,7 +62,7 @@ plugin_t *kernel_pfkey_plugin_create()
 {
        private_kernel_pfkey_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
        {       /* required to open PF_KEY sockets */
                DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
                return NULL;