capabilities: Move global capabilities_t instance to libstrongswan

src/charon-cmd/charon-cmd.c

@@ -169,13 +169,13 @@ static int run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 	{
 		return FALSE;
 	}
@@ -360,7 +360,7 @@ int main(int argc, char *argv[])
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		exit(SS_RC_INITIALIZATION_FAILED);
 	}

src/charon-nm/charon-nm.c

@@ -122,13 +122,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 	{
 		return FALSE;
 	}
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
 	}
 	lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
 		goto deinit;

src/charon-nm/nm/nm_backend.c

@@ -142,7 +142,7 @@ static bool nm_backend_init()
 	}
 
 	/* bypass file permissions to read from users ssh-agent */
-	if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
+	if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
 	{
 		DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
 		nm_backend_deinit();

src/charon-tkm/src/charon-tkm.c

@@ -151,13 +151,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 	{
 		return FALSE;
 	}
@@ -201,8 +201,8 @@ static bool check_pidfile()
 	if (pidfile)
 	{
 		ignore_result(fchown(fileno(pidfile),
-							 charon->caps->get_uid(charon->caps),
-							 charon->caps->get_gid(charon->caps)));
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
 		fprintf(pidfile, "%d\n", getpid());
 		fflush(pidfile);
 	}
@@ -327,7 +327,7 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
 		goto deinit;

src/charon/charon.c

@@ -149,19 +149,19 @@ static void run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-	if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+	if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef IPSEC_GROUP
-	if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+	if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 	{
 		return FALSE;
 	}
 #endif
 #ifdef ANDROID
-	charon->caps->set_uid(charon->caps, AID_VPN);
+	lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
 	return TRUE;
 }
@@ -219,8 +219,8 @@ static bool check_pidfile()
 	if (pidfile)
 	{
 		ignore_result(fchown(fileno(pidfile),
-							 charon->caps->get_uid(charon->caps),
-							 charon->caps->get_gid(charon->caps)));
+							 lib->caps->get_uid(lib->caps),
+							 lib->caps->get_gid(lib->caps)));
 		fprintf(pidfile, "%d\n", getpid());
 		fflush(pidfile);
 	}
@@ -406,7 +406,7 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	if (!charon->caps->drop(charon->caps))
+	if (!lib->caps->drop(lib->caps))
 	{
 		DBG1(DBG_DMN, "capability dropping failed - aborting charon");
 		goto deinit;

src/libcharon/daemon.c

@@ -471,7 +471,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
-	DESTROY_IF(this->public.caps);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -581,7 +580,6 @@ private_daemon_t *daemon_create(const char *name)
 		.ref = 1,
 	);
 	charon = &this->public;
-	this->public.caps = capabilities_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.xauth = xauth_manager_create();
@@ -626,7 +624,7 @@ bool libcharon_init(const char *name)
 
 	this = daemon_create(name);
 
-	if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
 	{
 		dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
 		return FALSE;

src/libcharon/daemon.h

@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
 
 #ifdef ME
 #include <sa/ikev2/connect_manager.h>
@@ -272,11 +271,6 @@ struct daemon_t {
 	mediation_manager_t *mediation_manager;
 #endif /* ME */
 
-	/**
-	 * POSIX capability dropping
-	 */
-	capabilities_t *caps;
-
 	/**
 	 * Name of the binary that uses the library (used for settings etc.)
 	 */

src/libcharon/plugins/duplicheck/duplicheck_notify.c

@@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/error_notify/error_notify_socket.c

@@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/ha/ha_ctl.c

@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 		}
 		umask(old);
 	}
-	if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/ha/ha_kernel.c

@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
 	{
 		while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 		{
-			if (chown(file, charon->caps->get_uid(charon->caps),
-					  charon->caps->get_gid(charon->caps)) != 0)
+			if (chown(file, lib->caps->get_uid(lib->caps),
+					  lib->caps->get_gid(lib->caps)) != 0)
 			{
 				DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
 					 strerror(errno));

src/libcharon/plugins/load_tester/load_tester_control.c

@@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/lookip/lookip_socket.c

@@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/smp/smp.c

@@ -768,8 +768,8 @@ plugin_t *smp_plugin_create()
 		return NULL;
 	}
 	umask(old);
-	if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 	}

src/libcharon/plugins/stroke/stroke_socket.c

@@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/whitelist/whitelist_control.c

@@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
 			 strerror(errno));

src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c

@@ -53,7 +53,7 @@ plugin_t *xauth_pam_plugin_create()
 	xauth_pam_plugin_t *this;
 
 	/* required for PAM authentication */
-	if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
 	{
 		DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
 		return NULL;

src/libhydra/hydra.c

@@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
 	}
 	return !this->integrity_failed;
 }
-

src/libstrongswan/library.c

@@ -89,6 +89,7 @@ void library_deinit()
 	this->public.creds->destroy(this->public.creds);
 	this->public.encoding->destroy(this->public.encoding);
 	this->public.crypto->destroy(this->public.crypto);
+	this->public.caps->destroy(this->public.caps);
 	this->public.proposal->destroy(this->public.proposal);
 	this->public.fetcher->destroy(this->public.fetcher);
 	this->public.resolver->destroy(this->public.resolver);
@@ -255,6 +256,7 @@ bool library_init(char *settings)
 	this->public.settings = settings_create(settings);
 	this->public.hosts = host_resolver_create();
 	this->public.proposal = proposal_keywords_create();
+	this->public.caps = capabilities_create();
 	this->public.crypto = crypto_factory_create();
 	this->public.creds = credential_factory_create();
 	this->public.credmgr = credential_manager_create();

src/libstrongswan/library.h

@@ -101,6 +101,7 @@
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
 #include "utils/chunk.h"
+#include "utils/capabilities.h"
 #include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
 #include "utils/settings.h"
@@ -140,6 +141,11 @@ struct library_t {
 	 */
 	proposal_keywords_t *proposal;
 
+	/**
+	 * POSIX capability dropping
+	 */
+	capabilities_t *caps;
+
 	/**
 	 * crypto algorithm registry and factory
 	 */

src/libstrongswan/utils/capabilities.h

@@ -23,6 +23,8 @@
 #ifndef CAPABILITIES_H_
 #define CAPABILITIES_H_
 
+typedef struct capabilities_t capabilities_t;
+
 #include <library.h>
 #ifdef HAVE_SYS_CAPABILITY_H
 # include <sys/capability.h>
@@ -30,8 +32,6 @@
 # include <linux/capability.h>
 #endif
 
-typedef struct capabilities_t capabilities_t;
-
 /**
  * POSIX capability dropping abstraction layer.
  */