agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket

This is also required if charon-cmd is used with capability dropping.

src/charon-nm/nm/nm_backend.c

@@ -22,10 +22,6 @@
 #include <daemon.h>
 #include <processing/jobs/callback_job.h>
 
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
 typedef struct nm_backend_t nm_backend_t;
 
 /**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
 		return FALSE;
 	}
 
-	/* bypass file permissions to read from users ssh-agent */
-	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
-	{
-		DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
-		nm_backend_deinit();
-		return FALSE;
-	}
-
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
 				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));

src/libstrongswan/plugins/agent/agent_plugin.c

@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
 {
 	private_agent_plugin_t *this;
 
+	/* required to connect to ssh-agent socket */
+	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+	{
+		DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
 
 	return &this->public.plugin;
 }
-

src/libstrongswan/plugins/agent/agent_private_key.c

@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 	}
 	return &this->public;
 }
-

src/libstrongswan/utils/capabilities.h

@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
 #ifndef CAP_NET_RAW
 # define CAP_NET_RAW 13
 #endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
 
 /**
  * POSIX capability dropping abstraction layer.