capabilities: Only plugins that require CAP_NET_ADMIN demand it

The daemon as such does not require this capability.
2013-06-24 18:22:31 +02:00 · 2013-06-24 18:22:31 +02:00 · 41b8546ac0
parent a2eb581781
commit 41b8546ac0
5 changed files with 24 additions and 10 deletions
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@ -33,10 +33,6 @@
 #include <processing/jobs/start_action_job.h>
 #include <threading/mutex.h>

-#ifndef CAP_NET_ADMIN
-#define CAP_NET_ADMIN 12
-#endif
-
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
@ -624,12 +620,6 @@ bool libcharon_init(const char *name)

 	this = daemon_create(name);

-	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
-	{
-		dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
-		return FALSE;
-	}
-
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());

--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@ -102,6 +102,13 @@ plugin_t *kernel_libipsec_plugin_create()
 {
 	private_kernel_libipsec_plugin_t *this;

+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to create TUN devices */
+		DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@ -65,6 +65,13 @@ plugin_t *kernel_netlink_plugin_create()
 {
 	private_kernel_netlink_plugin_t *this;

+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to bind/use XFRM sockets / create routing tables */
+		DBG1(DBG_KNL, "kernel-netlink plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@ -62,6 +62,12 @@ plugin_t *kernel_pfkey_plugin_create()
 {
 	private_kernel_pfkey_plugin_t *this;

+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to open PF_KEY sockets */
+		DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@ -32,6 +32,10 @@ typedef struct capabilities_t capabilities_t;
 # include <linux/capability.h>
 #endif

+#ifndef CAP_NET_ADMIN
+#define CAP_NET_ADMIN 12
+#endif
+
 /**
 * POSIX capability dropping abstraction layer.
 */