From 54ca25800cba9e348d174ffefe0e0b878ea9d7db Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 21 Nov 2013 17:12:21 +0100
Subject: [PATCH] agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
This is also required if charon-cmd is used with capability dropping.
---
 src/charon-nm/nm/nm_backend.c | 12 ------------
 src/libstrongswan/plugins/agent/agent_plugin.c | 8 +++++++-
 src/libstrongswan/plugins/agent/agent_private_key.c | 1 -
 src/libstrongswan/utils/capabilities.h | 3 +++
 4 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index f474dad60..ebebde2c0 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -22,10 +22,6 @@
 #include
 #include
-#ifndef CAP_DAC_OVERRIDE
-#define CAP_DAC_OVERRIDE 1
-#endif
-
 typedef struct nm_backend_t nm_backend_t;
 /**
@@ -143,14 +139,6 @@ static bool nm_backend_init()
 return FALSE;
 }
- /* bypass file permissions to read from users ssh-agent */
- if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
- {
- DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
- nm_backend_deinit();
- return FALSE;
- }
-
 lib->processor->queue_job(lib->processor, (job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this, NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
diff --git a/src/libstrongswan/plugins/agent/agent_plugin.c b/src/libstrongswan/plugins/agent/agent_plugin.c
index 322ded48c..dc6adc457 100644
--- a/src/libstrongswan/plugins/agent/agent_plugin.c
+++ b/src/libstrongswan/plugins/agent/agent_plugin.c
@@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
 {
 private_agent_plugin_t *this;
+ /* required to connect to ssh-agent socket */
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
+ {
+ DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
+ return NULL;
+ }
+
 INIT(this, .public = { .plugin = {
@@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
 return &this->public.plugin;
 }
-
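Review bot: The `lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE)` call added at the top of `agent_plugin_create()` (first hunk of agent_plugin.c) now runs in every process that loads the agent plugin, not only the NM backend, and the one-line comment does not say what retaining that capability costs. CAP_DAC_OVERRIDE bypasses read, write and execute permission checks on all files, not just the agent socket, so keeping it weakens the containment the daemon otherwise gets from dropping privileges, presumably for as long as the process runs. I would expand the comment to something like `/* ssh-agent sockets are normally accessible only by their owner, so we need CAP_DAC_OVERRIDE to connect after dropping privileges; this bypasses all file permission checks, so leave the plugin unloaded where agent keys are not used */`. The function body continues past the end of this hunk.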
diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c
index 8a3fb150a..c2e82a9f1 100644
--- a/src/libstrongswan/plugins/agent/agent_private_key.c
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c
@@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
 }
 return &this->public;
 }
-
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index fe11a4dfc..20c18554b 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
 #ifndef CAP_NET_RAW
 # define CAP_NET_RAW 13
 #endif
+#ifndef CAP_DAC_OVERRIDE
+# define CAP_DAC_OVERRIDE 1
+#endif
 /**
 * POSIX capability dropping abstraction layer.