From: Tobias Brunner
Date: Tue, 25 Jun 2013 07:03:00 +0000 (+0200)
Subject: capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets
X-Git-Tag: 5.1.0dr1~32^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1091edede8b8308bccd3f0d356ab77d70cb97559;p=thirdparty%2Fstrongswan.git

capabilities: CAP_CHOWN might be required by many plugins opening UNIX sockets

But as the sockets will be created with the user/group of the running process this might not be required as no change may be needed.
---
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 4d018dbeff..d6e652d598 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,6 +98,12 @@ plugin_t *duplicheck_plugin_create()
 return NULL;
 }
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) notify socket */
+ DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index a1e4351ebd..48b3d94db7 100644
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,6 +92,12 @@ plugin_t *error_notify_plugin_create()
 {
 private_error_notify_plugin_t *this;
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) notify socket */
+ DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 677985c578..e7697dc4f0 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
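Review bot: The new `keep()` check in duplicheck_plugin_create() makes CAP_CHOWN a hard load-time requirement and, as far as the call name suggests, retains it for the life of the daemon, although the commit message itself says no ownership change may be needed when the socket is already created with the running user/group. The same block is added in the error-notify, ha, load-tester, lookip, smp, stroke and whitelist hunks. CAP_CHOWN lets a process change the ownership of any file, so keeping it unconditionally widens what a compromised daemon can do; consider requesting it only when the configured socket owner differs from the process's user/group, and letting the plugin load without it otherwise. At minimum the comment should state the condition, e.g. `/* only needed if the socket owner differs from the running user/group */`. The body of each create function continues outside its hunk.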
@@ -179,6 +179,12 @@ plugin_t *ha_plugin_create()
 return NULL;
 }
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) control socket */
+ DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 6fee2bf3b1..a32a2a4350 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,6 +269,12 @@ plugin_t *load_tester_plugin_create()
 return NULL;
 }
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) control socket */
+ DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 319d72753b..89bdad92e4 100644
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,6 +92,12 @@ plugin_t *lookip_plugin_create()
 {
 private_lookip_plugin_t *this;
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) control socket */
+ DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 0c240cf7f1..d13b82216a 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -739,6 +739,12 @@ plugin_t *smp_plugin_create()
 private_smp_t *this;
 mode_t old;
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) control socket */
+ DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 4e47a120d6..6c4687f4a3 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,6 +91,12 @@ plugin_t *stroke_plugin_create()
 {
 private_stroke_plugin_t *this;
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) stroke socket */
+ DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 5ba3e1449f..4f397d76e8 100644
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,6 +92,12 @@ plugin_t *whitelist_plugin_create()
 {
 private_whitelist_plugin_t *this;
 
+ if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ { /* required to chown(2) control socket */
+ DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
+ return NULL;
+ }
+
 INIT(this,
 .public = {
 .plugin = {