authorMartin Willi <martin@strongswan.org>2007-05-09 13:12:06 +0000
committerMartin Willi <martin@strongswan.org>2007-05-09 13:12:06 +0000
commita6a039aa1054e66a0a2d125d70273176ceabfa70 (patch)
tree18b30dec4299132201d2e5316b167d0b218cbce5
parent3cd3f48428bd631db66f0e8f66126377fd312855 (diff)
downloadstrongswan-a6a039aa1054e66a0a2d125d70273176ceabfa70.tar.bz2
strongswan-a6a039aa1054e66a0a2d125d70273176ceabfa70.tar.xz
simplified capability dropping
-rw-r--r--src/charon/control/interfaces/dbus_interface.c3
-rwxr-xr-xsrc/charon/control/interfaces/stroke_interface.c3
-rw-r--r--src/charon/daemon.c43
-rw-r--r--src/charon/daemon.h7
-rw-r--r--src/charon/kernel/kernel_interface.c3
-rw-r--r--src/charon/network/receiver.c3
-rw-r--r--src/charon/network/sender.c3
-rw-r--r--src/charon/processing/scheduler.c3
-rw-r--r--src/charon/processing/thread_pool.c3
9 files changed, 26 insertions, 45 deletions
diff --git a/src/charon/control/interfaces/dbus_interface.c b/src/charon/control/interfaces/dbus_interface.c
index 8f048ba9e..5d525f2f9 100644
--- a/src/charon/control/interfaces/dbus_interface.c
+++ b/src/charon/control/interfaces/dbus_interface.c
@@ -338,8 +338,7 @@ static DBusHandlerResult signal_handler(DBusConnection *con, DBusMessage *msg,
*/
static void dispatch(private_dbus_interface_t *this)
{
- /* drop threads capabilities */
- charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while (dbus_connection_read_write_dispatch(this->conn, -1))
{
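Review bot: This call now leaves CAP_NET_ADMIN in the dispatch thread, where the removed `TRUE, FALSE, FALSE` call dropped it: in the daemon.c hunk of this commit `keep` is initialised to `(1<<CAP_NET_ADMIN)` unconditionally, so `full` only decides whether the UID/GID change happens and whether the bind/raw/DAC_READ_SEARCH bits are also kept. The same widening applies to receiver.c, sender.c and scheduler.c, whose threads previously passed `netlink = FALSE`. If this is intended, a one-line comment at the call, `/* switch to IPSEC_UID/GID; CAP_NET_ADMIN is retained by every thread */`, keeps the retained privilege visible to the next reader; if not, threads that never touch netlink need a mode that clears that bit too. dispatch's body continues outside the hunk.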
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
index 26a031b14..96dcc7651 100755
--- a/src/charon/control/interfaces/stroke_interface.c
+++ b/src/charon/control/interfaces/stroke_interface.c
@@ -1535,8 +1535,7 @@ static void stroke_receive(private_stroke_interface_t *this)
int oldstate;
int strokefd;
- /* drop threads capabilities, keep NET_ADMIN to query use times for status */
- charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
/* ignore sigpipe. writing over the pipe back to the console
* only fails if SIGPIPE is ignored. */
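Review bot: The removed comment `keep NET_ADMIN to query use times for status` was the only record of why this thread needs CAP_NET_ADMIN; after the change the reason is documented nowhere, although the retained capability is the same as before. Suggest keeping a why-comment above the call, `/* switch to IPSEC_UID/GID; CAP_NET_ADMIN stays so status can query use times */`. The same loss of rationale occurs in kernel_interface.c (`keep netlink capabilities only`) and thread_pool.c (`except CAP_NET_ADMIN`). stroke_receive's body continues outside the hunk.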
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 467725249..62e29b365 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -224,19 +224,23 @@ static void kill_daemon(private_daemon_t *this, char *reason)
/**
* drop daemon capabilities
*/
-static void drop_capabilities(private_daemon_t *this, bool change_uid,
- bool netlink, bool bind)
+static void drop_capabilities(private_daemon_t *this, bool full)
{
struct __user_cap_header_struct hdr;
struct __user_cap_data_struct data;
- u_int32_t keep = 0;
+ /* CAP_NET_ADMIN is needed to use netlink */
+ u_int32_t keep = (1<<CAP_NET_ADMIN);
- if (netlink)
+ if (full)
{
- /* CAP_NET_ADMIN is needed to use netlink */
- keep |= (1<<CAP_NET_ADMIN);
+# if IPSEC_GID
+ setgid(IPSEC_GID);
+# endif
+# if IPSEC_UID
+ setuid(IPSEC_UID);
+# endif
}
- if (bind)
+ else
{
/* CAP_NET_BIND_SERVICE to bind services below port 1024,
* CAP_NET_RAW to create RAW sockets.
@@ -245,22 +249,12 @@ static void drop_capabilities(private_daemon_t *this, bool change_uid,
keep |= (1<<CAP_NET_RAW);
keep |= (1<<CAP_DAC_READ_SEARCH);
}
-
+
hdr.version = _LINUX_CAPABILITY_VERSION;
hdr.pid = 0;
data.effective = data.permitted = keep;
data.inheritable = 0;
- if (change_uid)
- {
-# if IPSEC_GID
- setgid(IPSEC_GID);
-# endif
-# if IPSEC_UID
- setuid(IPSEC_UID);
-# endif
- }
-
if (capset(&hdr, &data))
{
kill_daemon(this, "unable to drop threads capabilities");
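Review bot: The `setgid(IPSEC_GID)` and `setuid(IPSEC_UID)` calls moved into the `full` branch are unchecked, so if either fails the thread silently keeps its root identity while the function goes on to `capset` and returns as if the drop succeeded; `setuid` in particular can fail for reasons unrelated to privilege, such as a per-user process limit on the target UID. The `capset` failure a few lines below is already fatal through `kill_daemon`, and the identity change deserves the same treatment. Every `full == TRUE` caller visible on this page passes a non-NULL daemon (`charon` or `private_charon`) and only the `full == FALSE` call in main passes NULL, so `kill_daemon(this, ...)` is reachable here, though that is worth confirming against callers outside the page. drop_capabilities's body continues past the end of the hunk.
```c
	if (full)
	{
# if IPSEC_GID
		if (setgid(IPSEC_GID) != 0)
		{
			kill_daemon(this, "unable to change GID");
		}
# endif
# if IPSEC_UID
		if (setuid(IPSEC_UID) != 0)
		{
			kill_daemon(this, "unable to change UID");
		}
# endif
	}
	/* … unchanged: else branch keeping bind/raw/DAC_READ_SEARCH, capset … */
```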
@@ -372,7 +366,7 @@ private_daemon_t *daemon_create(void)
/* assign methods */
this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
- this->public.drop_capabilities = (void(*)(daemon_t*,bool,bool,bool))drop_capabilities;
+ this->public.drop_capabilities = (void(*)(daemon_t*,bool))drop_capabilities;
/* NULL members for clean destruction */
this->public.socket = NULL;
@@ -458,8 +452,8 @@ int main(int argc, char *argv[])
prctl(PR_SET_KEEPCAPS, 1);
- /* keep bind() and netlink capabilities, stay as root until all files loaded */
- drop_capabilities(NULL, FALSE, TRUE, TRUE);
+ /* drop the capabilities we won't need at all */
+ drop_capabilities(NULL, FALSE);
/* use CTRL loglevel for default */
for (signal = 0; signal < DBG_MAX; signal++)
@@ -534,9 +528,6 @@ int main(int argc, char *argv[])
/* initialize daemon */
initialize(private_charon, use_syslog, levels);
-
- /* drop bind() capability, netlink is needed for cleanup */
- drop_capabilities(private_charon, FALSE, TRUE, FALSE);
/* load pluggable EAP modules */
eap_method_load(eapdir);
@@ -568,8 +559,8 @@ int main(int argc, char *argv[])
}
list->destroy(list);
- /* change UID */
- drop_capabilities(private_charon, TRUE, TRUE, FALSE);
+ /* drop additional capabilites (bind & root) */
+ drop_capabilities(private_charon, TRUE);
/* run daemon */
run(private_charon);
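Review bot: The new comment `drop additional capabilites (bind & root)` misspells "capabilities" and names only part of what `drop_capabilities(private_charon, TRUE)` gives up: per the daemon.c implementation in this commit, the `full` mode also drops CAP_NET_RAW and CAP_DAC_READ_SEARCH and changes to IPSEC_UID/IPSEC_GID while keeping CAP_NET_ADMIN. Suggest `/* change to IPSEC_UID/GID; keep CAP_NET_ADMIN only (drops bind, raw, DAC_READ_SEARCH) */` so the privilege state entering run() is stated exactly. main's body starts and ends outside the hunk.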
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index f8add303e..640bc6a09 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -422,12 +422,9 @@ struct daemon_t {
* @brief Let the calling thread drop its capabilities.
*
* @param this calling daemon
- * @param change_uid TRUE to change UID/GID to IPSEC_UID/IPSEC_GID
- * @param netlink TRUE to keep CAP_NET_ADMIN (using netlink)
- * @param bind TRUE to keep CAP_NET_BIND_SERVICE and CAP_NET_RAW
+ * @param full TRUE to drop as many as possible
*/
- void (*drop_capabilities) (daemon_t *this, bool change_uid,
- bool netlink, bool bind);
+ void (*drop_capabilities) (daemon_t *this, bool full);
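Review bot: `@param full TRUE to drop as many as possible` understates what the flag does: in the daemon.c implementation in this commit, `full == TRUE` also changes the calling thread's UID/GID to IPSEC_UID/IPSEC_GID, CAP_NET_ADMIN is kept in both modes, and `full == FALSE` additionally keeps CAP_NET_BIND_SERVICE, CAP_NET_RAW and CAP_DAC_READ_SEARCH. Suggest `* @param full TRUE to switch to IPSEC_UID/IPSEC_GID and keep CAP_NET_ADMIN only; FALSE to also keep CAP_NET_BIND_SERVICE, CAP_NET_RAW and CAP_DAC_READ_SEARCH` so callers can see which privileges each mode leaves behind. The struct daemon_t definition starts and ends outside the hunk.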
/**
* @brief Shut down the daemon.
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index c68c5041e..4aabded6f 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -446,8 +446,7 @@ static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
*/
static void receive_events(private_kernel_interface_t *this)
{
- /* keep netlink capabilities only */
- charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while(TRUE)
{
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index abb7105fd..dfb7429d9 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -254,8 +254,7 @@ static void receive_packets(private_receiver_t *this)
DBG1(DBG_NET, "receiver thread running, thread_ID: %06u",
(int)pthread_self());
- /* drop threads capabilities */
- charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while (TRUE)
{
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 37e60b61a..933b8c192 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -88,8 +88,7 @@ static void send_packets(private_sender_t * this)
pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
- /* drop threads capabilities */
- charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while (TRUE)
{
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 2fb4e16e7..7249e43e6 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -60,8 +60,7 @@ static void get_events(private_scheduler_t * this)
DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u",
(int)pthread_self());
- /* drop threads capabilities */
- charon->drop_capabilities(charon, TRUE, FALSE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while (TRUE)
{
diff --git a/src/charon/processing/thread_pool.c b/src/charon/processing/thread_pool.c
index 09e1707e5..a9891da15 100644
--- a/src/charon/processing/thread_pool.c
+++ b/src/charon/processing/thread_pool.c
@@ -73,8 +73,7 @@ static void process_jobs(private_thread_pool_t *this)
DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
(int)pthread_self());
- /* drop threads capabilities, except CAP_NET_ADMIN */
- charon->drop_capabilities(charon, TRUE, TRUE, FALSE);
+ charon->drop_capabilities(charon, TRUE);
while (TRUE)
{