2 files changed, 13 insertions, 5 deletions

diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 70262b736..e375ab731 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -591,8 +591,6 @@ private_daemon_t *daemon_create(const char *name)
 	this->public.shunts = shunt_manager_create();
 	this->kernel_handler = kernel_handler_create();
 
-	this->public.caps->keep(this->public.caps, CAP_NET_ADMIN);
-
 	return this;
 }
 
@@ -628,6 +626,12 @@ bool libcharon_init(const char *name)
 
 	this = daemon_create(name);
 
+	if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+	{
+		dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
+		return FALSE;
+	}
+
 	/* for uncritical pseudo random numbers */
 	srandom(time(NULL) + getpid());
 
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index b9ba0b5ac..522cc2426 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -52,6 +52,13 @@ plugin_t *xauth_pam_plugin_create()
 {
 	xauth_pam_plugin_t *this;
 
+	/* required for PAM authentication */
+	if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+	{
+		DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.plugin = {
 			.get_name = _get_name,
@@ -60,8 +67,5 @@ plugin_t *xauth_pam_plugin_create()
 		},
 	);
 
-	/* required for PAM authentication */
-	charon->caps->keep(charon->caps, CAP_AUDIT_WRITE);
-
 	return &this->plugin;
 }