author | Tobias Brunner <tobias@strongswan.org> | 2010-06-15 19:40:44 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2010-06-15 19:58:30 +0200 |
commit | 946be4d357e29494987687d093297e9fcc68b0ed (patch) | |
tree | 61b56ca842a0a21e0c955e030bb3e81b5dc8d9ea /src/pluto | |
parent | b77e493bea02ab675241c9f1a31456c21259c3ce (diff) | |
download | strongswan-946be4d357e29494987687d093297e9fcc68b0ed.tar.bz2 strongswan-946be4d357e29494987687d093297e9fcc68b0ed.tar.xz |
Adding support for the native Linux capabilities interface.
Note that this interface is deprecated and mainly added to support
Android. Use libcap, if possible.
Diffstat (limited to 'src/pluto')
-rw-r--r-- | src/pluto/plutomain.c | 46 |
1 files changed, 35 insertions, 11 deletions
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 2e27b00f8..89123bb8a 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -33,7 +33,9 @@
 #include <grp.h>
 #ifdef CAPABILITIES
+#ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
+#endif /* HAVE_SYS_CAPABILITY_H */
 #endif /* CAPABILITIES */
 #include <freeswan.h>
@@ -258,7 +260,6 @@ int main(int argc, char **argv)
 char *virtual_private = NULL;
 int lockfd;
 #ifdef CAPABILITIES
- cap_t caps;
 int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
 #endif /* CAPABILITIES */
@@ -716,18 +717,41 @@ int main(int argc, char **argv)
 }
 #endif
-#ifdef CAPABILITIES
- caps = cap_init();
- cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
- cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
- cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
- if (cap_set_proc(caps) != 0)
+#ifdef CAPABILITIES_LIBCAP
 {
- plog("unable to drop daemon capabilities");
- abort();
+ cap_t caps;
+ caps = cap_init();
+ cap_set_flag(caps, CAP_EFFECTIVE, countof(keep), keep, CAP_SET);
+ cap_set_flag(caps, CAP_INHERITABLE, countof(keep), keep, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, countof(keep), keep, CAP_SET);
+ if (cap_set_proc(caps) != 0)
+ {
+ plog("unable to drop daemon capabilities");
+ abort();
+ }
+ cap_free(caps);
 }
- cap_free(caps);
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
+ {
+ struct __user_cap_data_struct caps = { .effective = 0 };
+ struct __user_cap_header_struct header = {
+ .version = _LINUX_CAPABILITY_VERSION,
+ };
+ int i;
+ for (i = 0; i < countof(keep); i++)
+ {
+ caps.effective |= 1 << keep[i];
+ caps.permitted |= 1 << keep[i];
+ caps.inheritable |= 1 << keep[i];
+ }
+ if (capset(&header, &caps) != 0)
+ {
+ plog("unable to drop daemon capabilities");
+ abort();
+ }
+ }
+#endif /* CAPABILITIES_NATIVE */
 /* loading X.509 CA certificates */
 load_authcerts("ca", CA_CERT_PATH, X509_CA); |
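Review bot: With `HAVE_SYS_CAPABILITY_H` undefined, nothing in this include hunk brings in a header declaring `struct __user_cap_header_struct`, `struct __user_cap_data_struct` or a prototype for `capset()`, all of which the CAPABILITIES_NATIVE block in the last hunk uses. If no other included header provides them (not visible on this page), add `#include <linux/capability.h>` under `#ifdef CAPABILITIES_NATIVE`, so the privilege-drop path does not rely on transitive includes or an implicit declaration of `capset()`.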
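Review bot: When `CAPABILITIES` is defined but neither `CAPABILITIES_LIBCAP` nor `CAPABILITIES_NATIVE` is, both blocks in the last hunk compile out and the daemon keeps its full capability set without logging anything; how those two macros get defined is not visible here. A compile-time guard ahead of the first block would make that misconfiguration fail closed: `#if defined(CAPABILITIES) && !defined(CAPABILITIES_LIBCAP) && !defined(CAPABILITIES_NATIVE)` / `#error "CAPABILITIES set but no capability backend selected"` / `#endif`. In the native block, `1 << keep[i]` shifts a signed int and a single `__user_cap_data_struct` holds only 32 bits per set, so prefer `1U << keep[i]` with a comment that entries in `keep` must stay below 32. The enclosing `main()` starts and ends outside this hunk.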