authorTobias Brunner <tobias@strongswan.org>2013-07-08 18:24:43 +0200
committerTobias Brunner <tobias@strongswan.org>2013-07-18 15:25:35 +0200
commitdfc99020137e1722ec415d08006424c8b81c3c04 (patch)
tree2e1c5103f6f64feb2eb65dfad2900c8f77699965
parent027676f7500b7d94140adc979959541b08fc4a89 (diff)
capabilities: Some plugins don't actually require capabilities at runtime
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_plugin.c5
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_plugin.c2
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_plugin.c2
-rw-r--r--src/libcharon/plugins/farp/farp_plugin.c3
-rw-r--r--src/libcharon/plugins/ha/ha_plugin.c3
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c2
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_plugin.c2
-rw-r--r--src/libcharon/plugins/lookip/lookip_plugin.c2
-rw-r--r--src/libcharon/plugins/smp/smp.c2
-rw-r--r--src/libcharon/plugins/socket_default/socket_default_socket.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_plugin.c2
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_plugin.c2
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c2
13 files changed, 17 insertions, 14 deletions
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index 31195e25b..c36c60d28 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -107,13 +107,14 @@ plugin_t *dhcp_plugin_create()
{
private_dhcp_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+ if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
{ /* required to bind DHCP socket (port 68) */
DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
return NULL;
}
else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
- { /* required to open DHCP receive socket (AF_PACKET) */
+ { /* required to open DHCP receive socket (AF_PACKET). according to
+ * capabilities(7) it is also required to use the socket */
DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
return NULL;
}
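Review bot: Switching CAP_NET_BIND_SERVICE from `keep` to `check` is only safe if the port 68 socket is bound before the daemon drops its capabilities, and nothing in this hunk records that assumption. The body of dhcp_plugin_create() continues outside the hunk, so the bind site is not visible here; if the socket can be created or re-created later, bind(2) would fail with EACCES after the drop. I would extend the comment to say so, e.g. `/* required to bind DHCP socket (port 68); only checked, the socket must be bound before capabilities are dropped */`. The same applies to the CAP_NET_BIND_SERVICE check in socket_default_socket_create().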
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index d6e652d59..6b8609ebc 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,7 +98,7 @@ plugin_t *duplicheck_plugin_create()
return NULL;
}
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) notify socket */
DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
return NULL;
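Review bot: With `check` instead of `keep`, CAP_CHOWN is presumably no longer held once capabilities are dropped, so the chown(2) on the notify socket has to happen during plugin creation and its failure has to be handled; neither is visible here because duplicheck_plugin_create() starts and ends outside the hunk. If the socket were ever re-created at runtime, it would stay with the owner it was created with, which matters for a local control socket that is meant to be restricted to a configured user or group. I would state the constraint in the comment, e.g. `/* required to chown(2) notify socket, during creation only (not kept) */`. The same point applies to the CAP_CHOWN hunks in error_notify, load_tester, lookip, smp, stroke and whitelist.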
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index 48b3d94db..9ee3ed69f 100644
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,7 +92,7 @@ plugin_t *error_notify_plugin_create()
{
private_error_notify_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) notify socket */
DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index d31defca4..4b74da3b9 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -93,7 +93,8 @@ plugin_t *farp_plugin_create()
private_farp_plugin_t *this;
if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
- { /* required to open ARP socket (AF_PACKET) */
+ { /* required to open ARP socket (AF_PACKET). according to capabilities(7)
+ * it is also require to use the socket */
DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
return NULL;
}
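Review bot: The added comment has a typo: `it is also require to use the socket` should read `it is also required to use the socket`, matching the wording added to the dhcp plugin. Because CAP_NET_RAW stays on `keep` here, this comment is the only record of why farp differs from the plugins switched to `check`, so it is worth getting exact. farp_plugin_create() begins and ends outside the hunk.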
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index e7697dc4f..5d4cc6184 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -180,7 +180,8 @@ plugin_t *ha_plugin_create()
}
if (!lib->caps->keep(lib->caps, CAP_CHOWN))
- { /* required to chown(2) control socket */
+ { /* required to chown(2) control socket, ha_kernel also needs it at
+ * runtime */
DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
return NULL;
}
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index bac3c1c45..56f526217 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -102,7 +102,7 @@ plugin_t *kernel_libipsec_plugin_create()
{
private_kernel_libipsec_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+ if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
{ /* required to create TUN devices */
DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
"capability");
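Review bot: `check` only verifies that CAP_NET_ADMIN is held at load time, so this plugin no longer registers the capability to be kept across the drop. If TUN devices are created after startup (not visible here, the hunk ends inside the DBG1 call), that would silently depend on some other component keeping CAP_NET_ADMIN. I would make the dependency explicit in the comment, e.g. `/* required to create TUN devices; not kept here, relies on <component that keeps CAP_NET_ADMIN> */`, or stay with `keep` if no such component is guaranteed to be loaded. The same question applies to the PF_KEY socket check in kernel_pfkey_plugin_create().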
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index a32a2a435..7f2d425fd 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,7 +269,7 @@ plugin_t *load_tester_plugin_create()
return NULL;
}
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) control socket */
DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 89bdad92e..4466ad99f 100644
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,7 +92,7 @@ plugin_t *lookip_plugin_create()
{
private_lookip_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) control socket */
DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 123608819..a92e571de 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -741,7 +741,7 @@ plugin_t *smp_plugin_create()
private_smp_t *this;
mode_t old;
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) control socket */
DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 54380eda0..4139afe5a 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -736,7 +736,7 @@ socket_default_socket_t *socket_default_socket_create()
if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
{
- if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+ if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
{
/* required to bind ports < 1024 */
DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 6c4687f4a..767bdc64b 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,7 +91,7 @@ plugin_t *stroke_plugin_create()
{
private_stroke_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) stroke socket */
DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 4f397d76e..e51f02c05 100644
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,7 +92,7 @@ plugin_t *whitelist_plugin_create()
{
private_whitelist_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+ if (!lib->caps->check(lib->caps, CAP_CHOWN))
{ /* required to chown(2) control socket */
DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
return NULL;
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index d2c00b0f2..61d576547 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,7 +62,7 @@ plugin_t *kernel_pfkey_plugin_create()
{
private_kernel_pfkey_plugin_t *this;
- if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+ if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
{ /* required to open PF_KEY sockets */
DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
return NULL;