diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2013-06-25 17:17:40 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2013-06-25 17:17:40 +0200 |
| commit | 9da5a2ed1e72d1b68feefd5811a089d0881dd87d (patch) | |
| tree | 2eeb8375e6ffb24321e1d7e3a4ba06183bf9eaec /src/libcharon/plugins | |
| parent | a65024264379bacc2733282f2b59b8c14e3897c0 (diff) | |
| parent | ac2ffde4ae8ceaddeab8b6f740804536033153e6 (diff) | |
| download | strongswan-9da5a2ed1e72d1b68feefd5811a089d0881dd87d.tar.bz2 strongswan-9da5a2ed1e72d1b68feefd5811a089d0881dd87d.tar.xz | |
Merge branch 'check-caps'
Plugins may now ensure the process has all the required capabilities.
Some minor changes to UID/GID handling are also included.
Diffstat (limited to 'src/libcharon/plugins')
21 files changed, 109 insertions, 21 deletions
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c index a31f12689..31195e25b 100644 --- a/src/libcharon/plugins/dhcp/dhcp_plugin.c +++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c @@ -107,6 +107,17 @@ plugin_t *dhcp_plugin_create() { private_dhcp_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE)) + { /* required to bind DHCP socket (port 68) */ + DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability"); + return NULL; + } + else if (!lib->caps->keep(lib->caps, CAP_NET_RAW)) + { /* required to open DHCP receive socket (AF_PACKET) */ + DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c index cd5d4970b..1091258da 100644 --- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c +++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c @@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this) return FALSE; } umask(old); - if (chown(addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c index 4d018dbef..d6e652d59 100644 --- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c +++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c @@ -98,6 +98,12 @@ plugin_t *duplicheck_plugin_create() return NULL; } + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) notify socket */ + DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c index a1e4351eb..48b3d94db 100644 --- a/src/libcharon/plugins/error_notify/error_notify_plugin.c +++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c @@ -92,6 +92,12 @@ plugin_t *error_notify_plugin_create() { private_error_notify_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) notify socket */ + DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c index 3ea657ba5..2fc74202b 100644 --- a/src/libcharon/plugins/error_notify/error_notify_socket.c +++ b/src/libcharon/plugins/error_notify/error_notify_socket.c @@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this) return FALSE; } umask(old); - if (chown(addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing notify socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c index cbc0bcf82..d31defca4 100644 --- a/src/libcharon/plugins/farp/farp_plugin.c +++ b/src/libcharon/plugins/farp/farp_plugin.c @@ -92,6 +92,12 @@ plugin_t *farp_plugin_create() { private_farp_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_NET_RAW)) + { /* required to open ARP socket (AF_PACKET) */ + DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index cb9af3aed..178a0349b 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) } umask(old); } - if (chown(HA_FIFO, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(HA_FIFO, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index c45339690..eed89e0bf 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c @@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this) { while (enumerator->enumerate(enumerator, NULL, &file, NULL)) { - if (chown(file, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(file, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index 677985c57..e7697dc4f 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -179,6 +179,12 @@ plugin_t *ha_plugin_create() return NULL; } + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) control socket */ + DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c index d5f3bc248..bac3c1c45 100644 --- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c +++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c @@ -102,6 +102,13 @@ plugin_t *kernel_libipsec_plugin_create() { private_kernel_libipsec_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN)) + { /* required to create TUN devices */ + DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN " + "capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c index 0c21c23ca..3c82b5c30 100644 --- a/src/libcharon/plugins/load_tester/load_tester_control.c +++ b/src/libcharon/plugins/load_tester/load_tester_control.c @@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this) return FALSE; } umask(old); - if (chown(addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index 6fee2bf3b..a32a2a435 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -269,6 +269,12 @@ plugin_t *load_tester_plugin_create() return NULL; } + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) control socket */ + DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c index 319d72753..89bdad92e 100644 --- a/src/libcharon/plugins/lookip/lookip_plugin.c +++ b/src/libcharon/plugins/lookip/lookip_plugin.c @@ -92,6 +92,12 @@ plugin_t *lookip_plugin_create() { private_lookip_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) control socket */ + DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c index f2a469e92..b1a46f46a 100644 --- a/src/libcharon/plugins/lookip/lookip_socket.c +++ b/src/libcharon/plugins/lookip/lookip_socket.c @@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this) return FALSE; } umask(old); - if (chown(addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing lookip socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c index ad5029d1c..d13b82216 100644 --- a/src/libcharon/plugins/smp/smp.c +++ b/src/libcharon/plugins/smp/smp.c @@ -739,6 +739,12 @@ plugin_t *smp_plugin_create() private_smp_t *this; mode_t old; + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) control socket */ + DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { @@ -768,8 +774,8 @@ plugin_t *smp_plugin_create() return NULL; } umask(old); - if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno)); } diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c index aa3d795fc..494bf57b1 100644 --- a/src/libcharon/plugins/socket_default/socket_default_socket.c +++ b/src/libcharon/plugins/socket_default/socket_default_socket.c @@ -692,6 +692,18 @@ socket_default_socket_t *socket_default_socket_create() this->natt = 0; } + if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024)) + { + if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE)) + { + /* required to bind ports < 1024 */ + DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE " + "capability"); + destroy(this); + return NULL; + } + } + /* we allocate IPv6 sockets first as that will reserve randomly allocated * ports also for IPv4. On OS X, we have to do it the other way round * for the same effect. */ diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 4e47a120d..6c4687f4a 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -91,6 +91,12 @@ plugin_t *stroke_plugin_create() { private_stroke_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) stroke socket */ + DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index d152ecd70..931dba1f4 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this) return FALSE; } umask(old); - if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing stroke socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c index a75ea9aee..b90b62ac1 100644 --- a/src/libcharon/plugins/whitelist/whitelist_control.c +++ b/src/libcharon/plugins/whitelist/whitelist_control.c @@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this) return FALSE; } umask(old); - if (chown(addr.sun_path, charon->caps->get_uid(charon->caps), - charon->caps->get_gid(charon->caps)) != 0) + if (chown(addr.sun_path, lib->caps->get_uid(lib->caps), + lib->caps->get_gid(lib->caps)) != 0) { DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c index 5ba3e1449..4f397d76e 100644 --- a/src/libcharon/plugins/whitelist/whitelist_plugin.c +++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c @@ -92,6 +92,12 @@ plugin_t *whitelist_plugin_create() { private_whitelist_plugin_t *this; + if (!lib->caps->keep(lib->caps, CAP_CHOWN)) + { /* required to chown(2) control socket */ + DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability"); + return NULL; + } + INIT(this, .public = { .plugin = { diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c index b9ba0b5ac..2ef9a6c8f 100644 --- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c +++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c @@ -52,6 +52,13 @@ plugin_t *xauth_pam_plugin_create() { xauth_pam_plugin_t *this; + /* required for PAM authentication */ + if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE)) + { + DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability"); + return NULL; + } + INIT(this, .plugin = { .get_name = _get_name, @@ -60,8 +67,5 @@ plugin_t *xauth_pam_plugin_create() }, ); - /* required for PAM authentication */ - charon->caps->keep(charon->caps, CAP_AUDIT_WRITE); - return &this->plugin; } |