capabilities: Move global capabilities_t instance to libstrongswan
parent
2e21bac19a
commit
a2eb581781
|
@ -169,13 +169,13 @@ static int run()
|
|||
static bool lookup_uid_gid()
|
||||
{
|
||||
#ifdef IPSEC_USER
|
||||
if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
|
||||
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
#ifdef IPSEC_GROUP
|
||||
if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
|
||||
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
@ -360,7 +360,7 @@ int main(int argc, char *argv[])
|
|||
{
|
||||
exit(SS_RC_INITIALIZATION_FAILED);
|
||||
}
|
||||
if (!charon->caps->drop(charon->caps))
|
||||
if (!lib->caps->drop(lib->caps))
|
||||
{
|
||||
exit(SS_RC_INITIALIZATION_FAILED);
|
||||
}
|
||||
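Review bot: In the main() hunk the failed `lib->caps->drop(lib->caps)` path calls `exit(SS_RC_INITIALIZATION_FAILED)` without logging anything, while the other daemons touched by this commit emit a "capability dropping failed" message before bailing out. A privilege drop that fails silently is hard to spot afterwards; a line such as `DBG1(DBG_DMN, "capability dropping failed - aborting");` before the `exit()` would bring this file in line with them. main() starts and ends outside the hunk, so whether a logger is already usable at this point should be confirmed.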
|
|
|
@ -122,13 +122,13 @@ static void segv_handler(int signal)
|
|||
static bool lookup_uid_gid()
|
||||
{
|
||||
#ifdef IPSEC_USER
|
||||
if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
|
||||
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
#ifdef IPSEC_GROUP
|
||||
if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
|
||||
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
@ -214,7 +214,7 @@ int main(int argc, char *argv[])
|
|||
}
|
||||
lib->plugins->status(lib->plugins, LEVEL_CTRL);
|
||||
|
||||
if (!charon->caps->drop(charon->caps))
|
||||
if (!lib->caps->drop(lib->caps))
|
||||
{
|
||||
DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
|
||||
goto deinit;
|
||||
|
|
|
@ -142,7 +142,7 @@ static bool nm_backend_init()
|
|||
}
|
||||
|
||||
/* bypass file permissions to read from users ssh-agent */
|
||||
if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
|
||||
if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
|
||||
{
|
||||
DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
|
||||
nm_backend_deinit();
|
||||
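Review bot: The comment above the `keep()` call in nm_backend_init() understates what is retained: CAP_DAC_OVERRIDE bypasses file permission checks for every path the process touches, not only the user's ssh-agent socket. Because the request now goes to the shared `lib->caps` instance, the capability presumably stays in the daemon's set for its whole lifetime once `drop()` has run. I would spell that out, e.g. `/* kept process-wide: bypasses file permissions, needed to reach the user's ssh-agent socket */`. nm_backend_init() continues outside the hunk.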
|
|
|
@ -151,13 +151,13 @@ static void segv_handler(int signal)
|
|||
static bool lookup_uid_gid()
|
||||
{
|
||||
#ifdef IPSEC_USER
|
||||
if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
|
||||
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
#ifdef IPSEC_GROUP
|
||||
if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
|
||||
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
@ -201,8 +201,8 @@ static bool check_pidfile()
|
|||
if (pidfile)
|
||||
{
|
||||
ignore_result(fchown(fileno(pidfile),
|
||||
charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)));
|
||||
lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)));
|
||||
fprintf(pidfile, "%d\n", getpid());
|
||||
fflush(pidfile);
|
||||
}
|
||||
|
@ -327,7 +327,7 @@ int main(int argc, char *argv[])
|
|||
goto deinit;
|
||||
}
|
||||
|
||||
if (!charon->caps->drop(charon->caps))
|
||||
if (!lib->caps->drop(lib->caps))
|
||||
{
|
||||
DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
|
||||
goto deinit;
|
||||
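Review bot: In check_pidfile() the result of `fchown()` is still wrapped in `ignore_result()`, so a pidfile that stays owned by the starting user goes unnoticed; the other check_pidfile() hunk in this commit has the same pattern. If the daemon then runs as the uid/gid held in `lib->caps`, it may be unable to update or remove that file later. Testing the call with `!= 0` and logging `DBG1(DBG_DMN, "changing pidfile ownership failed: %s", strerror(errno));` would match how the plugins in this commit treat a failed `chown()`. check_pidfile() begins and ends outside the hunk.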
|
|
|
@ -149,19 +149,19 @@ static void run()
|
|||
static bool lookup_uid_gid()
|
||||
{
|
||||
#ifdef IPSEC_USER
|
||||
if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
|
||||
if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
#ifdef IPSEC_GROUP
|
||||
if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
|
||||
if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
#ifdef ANDROID
|
||||
charon->caps->set_uid(charon->caps, AID_VPN);
|
||||
lib->caps->set_uid(lib->caps, AID_VPN);
|
||||
#endif
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -219,8 +219,8 @@ static bool check_pidfile()
|
|||
if (pidfile)
|
||||
{
|
||||
ignore_result(fchown(fileno(pidfile),
|
||||
charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)));
|
||||
lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)));
|
||||
fprintf(pidfile, "%d\n", getpid());
|
||||
fflush(pidfile);
|
||||
}
|
||||
|
@ -406,7 +406,7 @@ int main(int argc, char *argv[])
|
|||
goto deinit;
|
||||
}
|
||||
|
||||
if (!charon->caps->drop(charon->caps))
|
||||
if (!lib->caps->drop(lib->caps))
|
||||
{
|
||||
DBG1(DBG_DMN, "capability dropping failed - aborting charon");
|
||||
goto deinit;
|
||||
|
|
|
@ -471,7 +471,6 @@ static void destroy(private_daemon_t *this)
|
|||
DESTROY_IF(this->public.xauth);
|
||||
DESTROY_IF(this->public.backends);
|
||||
DESTROY_IF(this->public.socket);
|
||||
DESTROY_IF(this->public.caps);
|
||||
|
||||
/* rehook library logging, shutdown logging */
|
||||
dbg = dbg_old;
|
||||
|
@ -581,7 +580,6 @@ private_daemon_t *daemon_create(const char *name)
|
|||
.ref = 1,
|
||||
);
|
||||
charon = &this->public;
|
||||
this->public.caps = capabilities_create();
|
||||
this->public.controller = controller_create();
|
||||
this->public.eap = eap_manager_create();
|
||||
this->public.xauth = xauth_manager_create();
|
||||
|
@ -626,7 +624,7 @@ bool libcharon_init(const char *name)
|
|||
|
||||
this = daemon_create(name);
|
||||
|
||||
if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
|
||||
if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
|
||||
{
|
||||
dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
|
||||
return FALSE;
|
||||
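Review bot: libcharon_init() now dereferences `lib->caps` where it used to use the capabilities_t created in daemon_create(), so it depends on library_init() having succeeded first, and nothing in the hunk checks `lib`. A short comment at the call, such as `/* lib->caps is created by library_init(), which must have run before */`, or an explicit guard, would document the new ordering requirement. The early `return FALSE` also comes after `daemon_create(name)`; whether the caller tears the daemon down in that case is not visible here and should be confirmed.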
|
|
|
@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
|
|||
#include <config/backend_manager.h>
|
||||
#include <sa/eap/eap_manager.h>
|
||||
#include <sa/xauth/xauth_manager.h>
|
||||
#include <utils/capabilities.h>
|
||||
|
||||
#ifdef ME
|
||||
#include <sa/ikev2/connect_manager.h>
|
||||
|
@ -272,11 +271,6 @@ struct daemon_t {
|
|||
mediation_manager_t *mediation_manager;
|
||||
#endif /* ME */
|
||||
|
||||
/**
|
||||
* POSIX capability dropping
|
||||
*/
|
||||
capabilities_t *caps;
|
||||
|
||||
/**
|
||||
* Name of the binary that uses the library (used for settings etc.)
|
||||
*/
|
||||
|
|
|
@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
|
|||
}
|
||||
umask(old);
|
||||
}
|
||||
if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
|
|||
{
|
||||
while (enumerator->enumerate(enumerator, NULL, &file, NULL))
|
||||
{
|
||||
if (chown(file, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(file, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -768,8 +768,8 @@ plugin_t *smp_plugin_create()
|
|||
return NULL;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
|
||||
}
|
||||
|
|
|
@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
|
|||
return FALSE;
|
||||
}
|
||||
umask(old);
|
||||
if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
|
||||
charon->caps->get_gid(charon->caps)) != 0)
|
||||
if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
|
||||
lib->caps->get_gid(lib->caps)) != 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
|
||||
strerror(errno));
|
||||
|
|
|
@ -53,7 +53,7 @@ plugin_t *xauth_pam_plugin_create()
|
|||
xauth_pam_plugin_t *this;
|
||||
|
||||
/* required for PAM authentication */
|
||||
if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
|
||||
if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
|
||||
{
|
||||
DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
|
||||
return NULL;
|
||||
|
|
|
@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
|
|||
}
|
||||
return !this->integrity_failed;
|
||||
}
|
||||
|
||||
|
|
|
@ -89,6 +89,7 @@ void library_deinit()
|
|||
this->public.creds->destroy(this->public.creds);
|
||||
this->public.encoding->destroy(this->public.encoding);
|
||||
this->public.crypto->destroy(this->public.crypto);
|
||||
this->public.caps->destroy(this->public.caps);
|
||||
this->public.proposal->destroy(this->public.proposal);
|
||||
this->public.fetcher->destroy(this->public.fetcher);
|
||||
this->public.resolver->destroy(this->public.resolver);
|
||||
|
@ -255,6 +256,7 @@ bool library_init(char *settings)
|
|||
this->public.settings = settings_create(settings);
|
||||
this->public.hosts = host_resolver_create();
|
||||
this->public.proposal = proposal_keywords_create();
|
||||
this->public.caps = capabilities_create();
|
||||
this->public.crypto = crypto_factory_create();
|
||||
this->public.creds = credential_factory_create();
|
||||
this->public.credmgr = credential_manager_create();
|
||||
|
|
|
@ -101,6 +101,7 @@
|
|||
#include "credentials/credential_manager.h"
|
||||
#include "credentials/cred_encoding.h"
|
||||
#include "utils/chunk.h"
|
||||
#include "utils/capabilities.h"
|
||||
#include "utils/integrity_checker.h"
|
||||
#include "utils/leak_detective.h"
|
||||
#include "utils/settings.h"
|
||||
|
@ -140,6 +141,11 @@ struct library_t {
|
|||
*/
|
||||
proposal_keywords_t *proposal;
|
||||
|
||||
/**
|
||||
* POSIX capability dropping
|
||||
*/
|
||||
capabilities_t *caps;
|
||||
|
||||
/**
|
||||
* crypto algorithm registry and factory
|
||||
*/
|
||||
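Review bot: The doc comment added for `caps` in struct library_t only says "POSIX capability dropping", although the field is now the single instance shared by every daemon and plugin in the process. In the call sites shown in this commit, libcharon and the plugins call `keep()` while initialising and each daemon calls `drop()` once in main(). The comment could record that contract, e.g. `* POSIX capability dropping; process-wide, keep() requests must be made before the daemon calls drop()`. The ordering is inferred from those call sites and should be confirmed against the capabilities implementation.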
|
|
|
@ -23,6 +23,8 @@
|
|||
#ifndef CAPABILITIES_H_
|
||||
#define CAPABILITIES_H_
|
||||
|
||||
typedef struct capabilities_t capabilities_t;
|
||||
|
||||
#include <library.h>
|
||||
#ifdef HAVE_SYS_CAPABILITY_H
|
||||
# include <sys/capability.h>
|
||||
|
@ -30,8 +32,6 @@
|
|||
# include <linux/capability.h>
|
||||
#endif
|
||||
|
||||
typedef struct capabilities_t capabilities_t;
|
||||
|
||||
/**
|
||||
* POSIX capability dropping abstraction layer.
|
||||
*/
|
||||
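Review bot: The capabilities_t typedef now sits above `#include <library.h>` with no explanation of why it moved. Since library.h includes utils/capabilities.h and declares a `capabilities_t *caps` member, the forward declaration has to come before that include, or the mutual include leaves the type undeclared. A one-line comment such as `/* declared before including library.h, which refers to capabilities_t */` would keep someone from moving it back below the includes.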
|
|