From: Tobias Brunner
Date: Thu, 21 Nov 2013 16:12:21 +0000 (+0100)
Subject: agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
X-Git-Tag: 5.1.2rc1~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54ca25800cba9e348d174ffefe0e0b878ea9d7db;p=thirdparty%2Fstrongswan.git
agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
This is also required if charon-cmd is used with capability dropping.
---
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f474dad60d..ebebde2c0d 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -22,10 +22,6 @@
 #include
 #include
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
 typedef struct nm_backend_t nm_backend_t;
 /**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
 return FALSE;
 }
- /* bypass file permissions to read from users ssh-agent */
- if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
- {
- DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
- nm_backend_deinit();
- return FALSE;
- }
-
 lib->processor->queue_job(lib->processor, (job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this, NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 322ded48cf..dc6adc4570 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
 {
 private_agent_plugin_t *this;
+ /* required to connect to ssh-agent socket */
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+ {
+ DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+ return NULL;
+ }
+
 INIT(this, .public = { .plugin = {
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
 return &this->public.plugin;
 }
-
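Review bot: The comment above the new `lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE)` call in agent_plugin_create() understates what is retained. CAP_DAC_OVERRIDE bypasses all file read/write/execute permission checks, and after this move it is kept by every process that loads the agent plugin, not only by the NM backend. I would spell that out, e.g. `/* CAP_DAC_OVERRIDE bypasses all DAC file permission checks process-wide; kept only so we can connect() to a user-owned ssh-agent socket */`. The plugin now returns NULL when the capability cannot be kept, so it presumably fails to load even where the agent socket is already accessible to the daemon's own user; that trade-off belongs in the comment or the plugin documentation. The connect itself lives in agent_private_key.c and is not visible here, so it is worth confirming the socket path only comes from trusted configuration, since it is opened with permission checks bypassed. The body of agent_plugin_create() continues outside this hunk.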
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 8a3fb150a5..c2e82a9f16 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 }
 return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index fe11a4dfc2..20c18554ba 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
 #ifndef CAP_NET_RAW
 # define CAP_NET_RAW 13
 #endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
 /**
 * POSIX capability dropping abstraction layer.