23 files changed, 109 insertions, 35 deletions

diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 70262b736..1ad80693a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -33,10 +33,6 @@
 #include <processing/jobs/start_action_job.h>
 #include <threading/mutex.h>
 
-#ifndef CAP_NET_ADMIN
-#define CAP_NET_ADMIN 12
-#endif
-
 #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
 #define LOG_AUTHPRIV LOG_AUTH
 #endif
@@ -471,7 +467,6 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.xauth);
 	DESTROY_IF(this->public.backends);
 	DESTROY_IF(this->public.socket);
-	DESTROY_IF(this->public.caps);
 
 	/* rehook library logging, shutdown logging */
 	dbg = dbg_old;
@@ -581,7 +576,6 @@ private_daemon_t *daemon_create(const char *name)
 		.ref = 1,
 	);
 	charon = &this->public;
-	this->public.caps = capabilities_create();
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.xauth = xauth_manager_create();
@@ -591,8 +585,6 @@ private_daemon_t *daemon_create(const char *name)
 	this->public.shunts = shunt_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
-	this->public.caps->keep(this->public.caps, CAP_NET_ADMIN);
-
 	return this;
 }
 
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2926d945b..24e623c44 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
 
 #ifdef ME
 #include <sa/ikev2/connect_manager.h>
@@ -273,11 +272,6 @@ struct daemon_t {
 #endif /* ME */
 
 	/**
-	 * POSIX capability dropping
-	 */
-	capabilities_t *caps;
-
-	/**
 	 * Name of the binary that uses the library (used for settings etc.)
 	 */
 	const char *name;
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index a31f12689..31195e25b 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -107,6 +107,17 @@ plugin_t *dhcp_plugin_create()
 {
 	private_dhcp_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+	{	/* required to bind DHCP socket (port 68) */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
+		return NULL;
+	}
+	else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open DHCP receive socket (AF_PACKET) */
+		DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index cd5d4970b..1091258da 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index 4d018dbef..d6e652d59 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,6 +98,12 @@ plugin_t *duplicheck_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) notify socket */
+		DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index a1e4351eb..48b3d94db 100644
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,6 +92,12 @@ plugin_t *error_notify_plugin_create()
 {
 	private_error_notify_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) notify socket */
+		DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index 3ea657ba5..2fc74202b 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index cbc0bcf82..d31defca4 100644
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -92,6 +92,12 @@ plugin_t *farp_plugin_create()
 {
 	private_farp_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{	/* required to open ARP socket (AF_PACKET) */
+		DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index cb9af3aed..178a0349b 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
 		}
 		umask(old);
 	}
-	if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index c45339690..eed89e0bf 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
 	{
 		while (enumerator->enumerate(enumerator, NULL, &file, NULL))
 		{
-			if (chown(file, charon->caps->get_uid(charon->caps),
-					  charon->caps->get_gid(charon->caps)) != 0)
+			if (chown(file, lib->caps->get_uid(lib->caps),
+					  lib->caps->get_gid(lib->caps)) != 0)
 			{
 				DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
 					 strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 677985c57..e7697dc4f 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -179,6 +179,12 @@ plugin_t *ha_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index d5f3bc248..bac3c1c45 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -102,6 +102,13 @@ plugin_t *kernel_libipsec_plugin_create()
 {
 	private_kernel_libipsec_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+	{	/* required to create TUN devices */
+		DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
+			 "capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index 0c21c23ca..3c82b5c30 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 6fee2bf3b..a32a2a435 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,6 +269,12 @@ plugin_t *load_tester_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 319d72753..89bdad92e 100644
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,6 +92,12 @@ plugin_t *lookip_plugin_create()
 {
 	private_lookip_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index f2a469e92..b1a46f46a 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index ad5029d1c..d13b82216 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -739,6 +739,12 @@ plugin_t *smp_plugin_create()
 	private_smp_t *this;
 	mode_t old;
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
@@ -768,8 +774,8 @@ plugin_t *smp_plugin_create()
 		return NULL;
 	}
 	umask(old);
-	if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
 	}
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index aa3d795fc..494bf57b1 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -692,6 +692,18 @@ socket_default_socket_t *socket_default_socket_create()
 		this->natt = 0;
 	}
 
+	if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
+	{
+		if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+		{
+			/* required to bind ports < 1024 */
+			DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "
+				 "capability");
+			destroy(this);
+			return NULL;
+		}
+	}
+
 	/* we allocate IPv6 sockets first as that will reserve randomly allocated
 	 * ports also for IPv4. On OS X, we have to do it the other way round
 	 * for the same effect. */
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 4e47a120d..6c4687f4a 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,6 +91,12 @@ plugin_t *stroke_plugin_create()
 {
 	private_stroke_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) stroke socket */
+		DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index d152ecd70..931dba1f4 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index a75ea9aee..b90b62ac1 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
 		return FALSE;
 	}
 	umask(old);
-	if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-			  charon->caps->get_gid(charon->caps)) != 0)
+	if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+			  lib->caps->get_gid(lib->caps)) != 0)
 	{
 		DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
 			 strerror(errno));
diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 5ba3e1449..4f397d76e 100644
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,6 +92,12 @@ plugin_t *whitelist_plugin_create()
 {
 	private_whitelist_plugin_t *this;
 
+	if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+	{	/* required to chown(2) control socket */
+		DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index b9ba0b5ac..2ef9a6c8f 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -52,6 +52,13 @@ plugin_t *xauth_pam_plugin_create()
 {
 	xauth_pam_plugin_t *this;
 
+	/* required for PAM authentication */
+	if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
+	{
+		DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.plugin = {
 			.get_name = _get_name,
@@ -60,8 +67,5 @@ plugin_t *xauth_pam_plugin_create()
 		},
 	);
 
-	/* required for PAM authentication */
-	charon->caps->keep(charon->caps, CAP_AUDIT_WRITE);
-
 	return &this->plugin;
 }