From a2eb581781ca291c9053131be7ec99013e9c83ee Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 25 Jun 2013 07:25:18 +0200
Subject: [PATCH] capabilities: Move global capabilities_t instance to libstrongswan
---
 src/charon-cmd/charon-cmd.c | 6 +++---
 src/charon-nm/charon-nm.c | 6 +++---
 src/charon-nm/nm/nm_backend.c | 2 +-
 src/charon-tkm/src/charon-tkm.c | 10 +++++-----
 src/charon/charon.c | 12 ++++++------
 src/libcharon/daemon.c | 4 +---
 src/libcharon/daemon.h | 6 ------
 src/libcharon/plugins/duplicheck/duplicheck_notify.c | 4 ++--
 .../plugins/error_notify/error_notify_socket.c | 4 ++--
 src/libcharon/plugins/ha/ha_ctl.c | 4 ++--
 src/libcharon/plugins/ha/ha_kernel.c | 4 ++--
 .../plugins/load_tester/load_tester_control.c | 4 ++--
 src/libcharon/plugins/lookip/lookip_socket.c | 4 ++--
 src/libcharon/plugins/smp/smp.c | 4 ++--
 src/libcharon/plugins/stroke/stroke_socket.c | 4 ++--
 src/libcharon/plugins/whitelist/whitelist_control.c | 4 ++--
 src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c | 2 +-
 src/libhydra/hydra.c | 1 -
 src/libstrongswan/library.c | 2 ++
 src/libstrongswan/library.h | 6 ++++++
 src/libstrongswan/utils/capabilities.h | 4 ++--
 21 files changed, 48 insertions(+), 49 deletions(-)
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index f3059bea5..494e4f84e 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -169,13 +169,13 @@ static int run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 {
 return FALSE;
 }
 #endif
 #ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 {
 return FALSE;
 }
@@ -360,7 +360,7 @@ int main(int argc, char *argv[])
 {
 exit(SS_RC_INITIALIZATION_FAILED);
 }
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
 {
 exit(SS_RC_INITIALIZATION_FAILED);
 }
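Review bot: The `lookup_uid_gid()` body rewritten here is the same function, line for line, in charon-nm.c, charon-tkm.c and charon.c later in this patch (charon.c adds only the ANDROID branch), and now that `capabilities_t` lives in libstrongswan there is no longer a reason for each daemon to carry its own copy. A single helper next to the caps instance, with each daemon's `IPSEC_USER`/`IPSEC_GROUP` resolution going through it, would keep the four call sites from drifting apart. The `#ifdef` guards would move with it unchanged. Both functions in this file continue outside the hunk.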
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index d61ddee85..8e44589e5 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -122,13 +122,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 {
 return FALSE;
 }
 #endif
 #ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 {
 return FALSE;
 }
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
 }
 lib->plugins->status(lib->plugins, LEVEL_CTRL);
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
 {
 DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
 goto deinit;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index e07919827..c83978291 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -142,7 +142,7 @@ static bool nm_backend_init()
 }
 /* bypass file permissions to read from users ssh-agent */
- if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
 {
 DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
 nm_backend_deinit();
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 4e364e7be..14a735590 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -151,13 +151,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 {
 return FALSE;
 }
 #endif
 #ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 {
 return FALSE;
 }
@@ -201,8 +201,8 @@ static bool check_pidfile()
 if (pidfile)
 {
 ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
 fprintf(pidfile, "%d\n", getpid());
 fflush(pidfile);
 }
@@ -327,7 +327,7 @@ int main(int argc, char *argv[])
 goto deinit;
 }
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
 {
 DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
 goto deinit;
diff --git a/src/charon/charon.c b/src/charon/charon.c
index eb7dd58e3..8a8d0122c 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -149,19 +149,19 @@ static void run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
 {
 return FALSE;
 }
 #endif
 #ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
 {
 return FALSE;
 }
 #endif
 #ifdef ANDROID
- charon->caps->set_uid(charon->caps, AID_VPN);
+ lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
 return TRUE;
 }
@@ -219,8 +219,8 @@ static bool check_pidfile()
 if (pidfile)
 {
 ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
 fprintf(pidfile, "%d\n", getpid());
 fflush(pidfile);
 }
@@ -406,7 +406,7 @@ int main(int argc, char *argv[])
 goto deinit;
 }
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
 {
 DBG1(DBG_DMN, "capability dropping failed - aborting charon");
 goto deinit;
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index e375ab731..bc0407dc1 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -471,7 +471,6 @@ static void destroy(private_daemon_t *this)
 DESTROY_IF(this->public.xauth);
 DESTROY_IF(this->public.backends);
 DESTROY_IF(this->public.socket);
- DESTROY_IF(this->public.caps);
 /* rehook library logging, shutdown logging */
 dbg = dbg_old;
@@ -581,7 +580,6 @@ private_daemon_t *daemon_create(const char *name)
 .ref = 1,
 );
 charon = &this->public;
- this->public.caps = capabilities_create();
 this->public.controller = controller_create();
 this->public.eap = eap_manager_create();
 this->public.xauth = xauth_manager_create();
@@ -626,7 +624,7 @@ bool libcharon_init(const char *name)
 this = daemon_create(name);
- if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+ if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
 {
 dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
 return FALSE;
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2926d945b..24e623c44 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
 #include
 #include
 #include
-#include
 #ifdef ME
 #include
@@ -272,11 +271,6 @@ struct daemon_t {
 mediation_manager_t *mediation_manager;
 #endif /* ME */
- /**
- * POSIX capability dropping
- */
- capabilities_t *caps;
-
 /**
 * Name of the binary that uses the library (used for settings etc.)
 */
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index cd5d4970b..1091258da 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
 strerror(errno));
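Review bot: In the `libcharon_init` hunk the `keep(CAP_NET_ADMIN)` call now dereferences `lib->caps`, so libcharon silently depends on `library_init()` having run first and on `library_deinit()` not having run yet; before this patch the daemon owned that object and `daemon_create()` above guaranteed it existed. That ordering is not stated anywhere in the hunk, and `destroy()` no longer releases the object, so a reader of daemon.c cannot tell who owns it. A one-line comment above the check would capture it: `/* lib->caps is owned by libstrongswan: library_init() must precede libcharon_init() */`. The body of libcharon_init continues outside the hunk.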
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index 3ea657ba5..2fc74202b 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index cb9af3aed..178a0349b 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 }
 umask(old);
 }
- if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index c45339690..eed89e0bf 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
 {
 while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 {
- if (chown(file, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(file, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index 0c21c23ca..3c82b5c30 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index f2a469e92..b1a46f46a 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index ad5029d1c..0c240cf7f 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -768,8 +768,8 @@ plugin_t *smp_plugin_create()
 return NULL;
 }
 umask(old);
- if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 }
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index d152ecd70..931dba1f4 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index a75ea9aee..b90b62ac1 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
 return FALSE;
 }
 umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
 {
 DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
 strerror(errno));
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 522cc2426..2ef9a6c8f 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -53,7 +53,7 @@ plugin_t *xauth_pam_plugin_create()
 xauth_pam_plugin_t *this;
 /* required for PAM authentication */
- if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+ if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
 {
 DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
 return NULL;
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index b199b2ffb..f531bd5f4 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
 }
 return !this->integrity_failed;
 }
-
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 174a4cbe9..05d984b18 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -89,6 +89,7 @@ void library_deinit()
 this->public.creds->destroy(this->public.creds);
 this->public.encoding->destroy(this->public.encoding);
 this->public.crypto->destroy(this->public.crypto);
+ this->public.caps->destroy(this->public.caps);
 this->public.proposal->destroy(this->public.proposal);
 this->public.fetcher->destroy(this->public.fetcher);
 this->public.resolver->destroy(this->public.resolver);
@@ -255,6 +256,7 @@ bool library_init(char *settings)
 this->public.settings = settings_create(settings);
 this->public.hosts = host_resolver_create();
 this->public.proposal = proposal_keywords_create();
+ this->public.caps = capabilities_create();
 this->public.crypto = crypto_factory_create();
 this->public.creds = credential_factory_create();
 this->public.credmgr = credential_manager_create();
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3b6d02002..1168da8fd 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -101,6 +101,7 @@
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
 #include "utils/chunk.h"
+#include "utils/capabilities.h"
 #include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
 #include "utils/settings.h"
@@ -140,6 +141,11 @@ struct library_t {
 */
 proposal_keywords_t *proposal;
+ /**
+ * POSIX capability dropping
+ */
+ capabilities_t *caps;
+
 /**
 * crypto algorithm registry and factory
 */
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index 3de11bc6c..b9e5b9b1a 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
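Review bot: The doc comment added for the new `caps` member of `struct library_t` is the three-word text carried over from daemon.h, but the member's contract has changed with the move: `library_init()` now creates it unconditionally for every libstrongswan consumer, `library_deinit()` destroys it, and the `keep()` calls made by libcharon and its plugins in this patch only take effect if they run before the daemon's `main()` calls `drop()`. None of that is visible from the header. I would expand the comment to say that the object is created in `library_init()` and destroyed in `library_deinit()`, that daemons are expected to call `drop()` once their plugins are loaded, and that any capability a component needs after that point must be registered with `keep()` beforehand; the `capabilities_t` interface itself is not in this diff, so its own header remains the reference for the exact semantics.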
@@ -23,6 +23,8 @@
 #ifndef CAPABILITIES_H_
 #define CAPABILITIES_H_
+typedef struct capabilities_t capabilities_t;
+
 #include
 #ifdef HAVE_SYS_CAPABILITY_H
 # include
@@ -30,8 +32,6 @@
 # include
 #endif
-typedef struct capabilities_t capabilities_t;
-
 /**
 * POSIX capability dropping abstraction layer.
 */
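Review bot: The `typedef struct capabilities_t capabilities_t;` is hoisted above the `#include` lines with no explanation, and a later maintainer tidying the header is likely to move it back below them. The reason is presumably the include cycle this patch creates, since library.h now includes utils/capabilities.h and this header appears to pull in library.h through one of the includes whose names the extraction has stripped; with the typedef first, library.h sees the type even when it is entered from here. A short comment on the new line would preserve that, e.g. `/* declared before the includes: library.h includes this header and needs the type */`.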