agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
This is also required if charon-cmd is used with capability dropping.
parent
53d2164c5d
commit
54ca25800c
|
@ -22,10 +22,6 @@
|
||||||
#include <daemon.h>
|
#include <daemon.h>
|
||||||
#include <processing/jobs/callback_job.h>
|
#include <processing/jobs/callback_job.h>
|
||||||
|
|
||||||
#ifndef CAP_DAC_OVERRIDE
|
|
||||||
#define CAP_DAC_OVERRIDE 1
|
|
||||||
#endif
|
|
||||||
|
|
||||||
typedef struct nm_backend_t nm_backend_t;
|
typedef struct nm_backend_t nm_backend_t;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -143,14 +139,6 @@ static bool nm_backend_init()
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* bypass file permissions to read from users ssh-agent */
|
|
||||||
if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
|
|
||||||
{
|
|
||||||
DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
|
|
||||||
nm_backend_deinit();
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
lib->processor->queue_job(lib->processor,
|
lib->processor->queue_job(lib->processor,
|
||||||
(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
|
(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
|
||||||
NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
|
NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
|
||||||
|
|
|
@ -63,6 +63,13 @@ plugin_t *agent_plugin_create()
|
||||||
{
|
{
|
||||||
private_agent_plugin_t *this;
|
private_agent_plugin_t *this;
|
||||||
|
|
||||||
|
/* required to connect to ssh-agent socket */
|
||||||
|
if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
|
||||||
|
{
|
||||||
|
DBG1(DBG_DMN, "agent plugin requires CAP_DAC_OVERRIDE capability");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
INIT(this,
|
INIT(this,
|
||||||
.public = {
|
.public = {
|
||||||
.plugin = {
|
.plugin = {
|
||||||
|
@ -75,4 +82,3 @@ plugin_t *agent_plugin_create()
|
||||||
|
|
||||||
return &this->public.plugin;
|
return &this->public.plugin;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
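Review bot: The comment above the added `keep()` call in agent_plugin_create() understates what is retained: CAP_DAC_OVERRIDE bypasses file permission checks for the whole process, and it is kept whenever this plugin loads, not only while the ssh-agent socket is being opened. I would expand it to something like `/* the user's ssh-agent socket is not accessible after dropping privileges; CAP_DAC_OVERRIDE is process-wide, so the socket path must come from trusted configuration */`. The code that connects to the socket is outside this section, so whether the path is validated there cannot be confirmed from here. The NM backend section drops its own `keep()` call, so it presumably now depends on this plugin being loaded to retain the capability.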
|
@ -442,4 +442,3 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
|
||||||
}
|
}
|
||||||
return &this->public;
|
return &this->public;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -44,6 +44,9 @@ typedef struct capabilities_t capabilities_t;
|
||||||
#ifndef CAP_NET_RAW
|
#ifndef CAP_NET_RAW
|
||||||
# define CAP_NET_RAW 13
|
# define CAP_NET_RAW 13
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef CAP_DAC_OVERRIDE
|
||||||
|
# define CAP_DAC_OVERRIDE 1
|
||||||
|
#endif
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* POSIX capability dropping abstraction layer.
|
* POSIX capability dropping abstraction layer.
|
||||||
|
|
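Review bot: The new `CAP_DAC_OVERRIDE` fallback hard-codes `1` without saying where the number comes from or when the fallback applies. A one-line comment above the `#ifndef` group, e.g. `/* fallback values as in <linux/capability.h>, used only when the system headers do not define them */`, would make clear that these constants have to match the kernel's numbering. The same applies to the existing `CAP_NET_RAW` entry just above it. The doc comment that follows continues outside the hunk.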