connmark: Add CAP_NET_RAW to capabilities keep list

Fix for "Permission denied (you must be root)" error when calling iptc_init(), which opens a RAW socket to communicate with the kernel, when built with "--with-capabilities=libcap". Closes strongswan/strongswan#53. Fixes #2157.
author: Tim Kent <tim@kent.id.au> 2016-10-25 16:17:10 +1000
committer: Tobias Brunner <tobias@strongswan.org> 2016-10-25 09:46:23 +0200
commit: 87875086d05c0d5b7825a8810cf42da26b67bc04 (patch)
tree: cb0ecf4b2cb8b3a0b7a84ec7163776219e990115 /src/libcharon/plugins/connmark/connmark_plugin.c
parent: e6a4bd83ffbef5ff00bb614e9b64cba203543845 (diff)
download: strongswan-87875086d05c0d5b7825a8810cf42da26b67bc04.tar.bz2
strongswan-87875086d05c0d5b7825a8810cf42da26b67bc04.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c
index 3f276f93e..ad44eba5f 100644
--- a/src/libcharon/plugins/connmark/connmark_plugin.c
+++ b/src/libcharon/plugins/connmark/connmark_plugin.c
@@ -90,6 +90,12 @@ plugin_t *connmark_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{
+		DBG1(DBG_NET, "connmark plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
author	Tim Kent <tim@kent.id.au>	2016-10-25 16:17:10 +1000
committer	Tobias Brunner <tobias@strongswan.org>	2016-10-25 09:46:23 +0200
commit	87875086d05c0d5b7825a8810cf42da26b67bc04 (patch)
tree	cb0ecf4b2cb8b3a0b7a84ec7163776219e990115 /src/libcharon/plugins/connmark/connmark_plugin.c
parent	e6a4bd83ffbef5ff00bb614e9b64cba203543845 (diff)
download	strongswan-87875086d05c0d5b7825a8810cf42da26b67bc04.tar.bz2 strongswan-87875086d05c0d5b7825a8810cf42da26b67bc04.tar.xz