aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/charon-cmd/charon-cmd.c6
-rw-r--r--src/charon-nm/charon-nm.c6
-rw-r--r--src/charon-nm/nm/nm_backend.c2
-rw-r--r--src/charon-tkm/src/charon-tkm.c10
-rw-r--r--src/charon/charon.c12
-rw-r--r--src/libcharon/daemon.c4
-rw-r--r--src/libcharon/daemon.h6
-rw-r--r--src/libcharon/plugins/duplicheck/duplicheck_notify.c4
-rw-r--r--src/libcharon/plugins/error_notify/error_notify_socket.c4
-rw-r--r--src/libcharon/plugins/ha/ha_ctl.c4
-rw-r--r--src/libcharon/plugins/ha/ha_kernel.c4
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_control.c4
-rw-r--r--src/libcharon/plugins/lookip/lookip_socket.c4
-rw-r--r--src/libcharon/plugins/smp/smp.c4
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c4
-rw-r--r--src/libcharon/plugins/whitelist/whitelist_control.c4
-rw-r--r--src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c2
-rw-r--r--src/libhydra/hydra.c1
-rw-r--r--src/libstrongswan/library.c2
-rw-r--r--src/libstrongswan/library.h6
-rw-r--r--src/libstrongswan/utils/capabilities.h4
21 files changed, 48 insertions, 49 deletions
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index f3059bea5..494e4f84e 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -169,13 +169,13 @@ static int run()
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
@@ -360,7 +360,7 @@ int main(int argc, char *argv[])
{
exit(SS_RC_INITIALIZATION_FAILED);
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
exit(SS_RC_INITIALIZATION_FAILED);
}
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index d61ddee85..8e44589e5 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -122,13 +122,13 @@ static void segv_handler(int signal)
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
}
lib->plugins->status(lib->plugins, LEVEL_CTRL);
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
goto deinit;
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index e07919827..c83978291 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -142,7 +142,7 @@ static bool nm_backend_init()
}
/* bypass file permissions to read from users ssh-agent */
- if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
+ if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
{
DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
nm_backend_deinit();
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 4e364e7be..14a735590 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -151,13 +151,13 @@ static void segv_handler(int signal)
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
@@ -201,8 +201,8 @@ static bool check_pidfile()
if (pidfile)
{
ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
}
@@ -327,7 +327,7 @@ int main(int argc, char *argv[])
goto deinit;
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
goto deinit;
diff --git a/src/charon/charon.c b/src/charon/charon.c
index eb7dd58e3..8a8d0122c 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -149,19 +149,19 @@ static void run()
static bool lookup_uid_gid()
{
#ifdef IPSEC_USER
- if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+ if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
{
return FALSE;
}
#endif
#ifdef IPSEC_GROUP
- if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+ if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
{
return FALSE;
}
#endif
#ifdef ANDROID
- charon->caps->set_uid(charon->caps, AID_VPN);
+ lib->caps->set_uid(lib->caps, AID_VPN);
#endif
return TRUE;
}
@@ -219,8 +219,8 @@ static bool check_pidfile()
if (pidfile)
{
ignore_result(fchown(fileno(pidfile),
- charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)));
+ lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)));
fprintf(pidfile, "%d\n", getpid());
fflush(pidfile);
}
@@ -406,7 +406,7 @@ int main(int argc, char *argv[])
goto deinit;
}
- if (!charon->caps->drop(charon->caps))
+ if (!lib->caps->drop(lib->caps))
{
DBG1(DBG_DMN, "capability dropping failed - aborting charon");
goto deinit;
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index e375ab731..bc0407dc1 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -471,7 +471,6 @@ static void destroy(private_daemon_t *this)
DESTROY_IF(this->public.xauth);
DESTROY_IF(this->public.backends);
DESTROY_IF(this->public.socket);
- DESTROY_IF(this->public.caps);
/* rehook library logging, shutdown logging */
dbg = dbg_old;
@@ -581,7 +580,6 @@ private_daemon_t *daemon_create(const char *name)
.ref = 1,
);
charon = &this->public;
- this->public.caps = capabilities_create();
this->public.controller = controller_create();
this->public.eap = eap_manager_create();
this->public.xauth = xauth_manager_create();
@@ -626,7 +624,7 @@ bool libcharon_init(const char *name)
this = daemon_create(name);
- if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+ if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
{
dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
return FALSE;
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 2926d945b..24e623c44 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
#include <config/backend_manager.h>
#include <sa/eap/eap_manager.h>
#include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
#ifdef ME
#include <sa/ikev2/connect_manager.h>
@@ -273,11 +272,6 @@ struct daemon_t {
#endif /* ME */
/**
- * POSIX capability dropping
- */
- capabilities_t *caps;
-
- /**
* Name of the binary that uses the library (used for settings etc.)
*/
const char *name;
diff --git a/src/libcharon/plugins/duplicheck/duplicheck_notify.c b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
index cd5d4970b..1091258da 100644
--- a/src/libcharon/plugins/duplicheck/duplicheck_notify.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_notify.c
@@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/error_notify/error_notify_socket.c b/src/libcharon/plugins/error_notify/error_notify_socket.c
index 3ea657ba5..2fc74202b 100644
--- a/src/libcharon/plugins/error_notify/error_notify_socket.c
+++ b/src/libcharon/plugins/error_notify/error_notify_socket.c
@@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
index cb9af3aed..178a0349b 100644
--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
}
umask(old);
}
- if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c
index c45339690..eed89e0bf 100644
--- a/src/libcharon/plugins/ha/ha_kernel.c
+++ b/src/libcharon/plugins/ha/ha_kernel.c
@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
{
while (enumerator->enumerate(enumerator, NULL, &file, NULL))
{
- if (chown(file, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(file, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
index 0c21c23ca..3c82b5c30 100644
--- a/src/libcharon/plugins/load_tester/load_tester_control.c
+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
@@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/lookip/lookip_socket.c b/src/libcharon/plugins/lookip/lookip_socket.c
index f2a469e92..b1a46f46a 100644
--- a/src/libcharon/plugins/lookip/lookip_socket.c
+++ b/src/libcharon/plugins/lookip/lookip_socket.c
@@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index ad5029d1c..0c240cf7f 100644
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -768,8 +768,8 @@ plugin_t *smp_plugin_create()
return NULL;
}
umask(old);
- if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
}
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index d152ecd70..931dba1f4 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
return FALSE;
}
umask(old);
- if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/whitelist/whitelist_control.c b/src/libcharon/plugins/whitelist/whitelist_control.c
index a75ea9aee..b90b62ac1 100644
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
return FALSE;
}
umask(old);
- if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
- charon->caps->get_gid(charon->caps)) != 0)
+ if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+ lib->caps->get_gid(lib->caps)) != 0)
{
DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
strerror(errno));
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 522cc2426..2ef9a6c8f 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -53,7 +53,7 @@ plugin_t *xauth_pam_plugin_create()
xauth_pam_plugin_t *this;
/* required for PAM authentication */
- if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+ if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
{
DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
return NULL;
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index b199b2ffb..f531bd5f4 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
}
return !this->integrity_failed;
}
-
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 174a4cbe9..05d984b18 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -89,6 +89,7 @@ void library_deinit()
this->public.creds->destroy(this->public.creds);
this->public.encoding->destroy(this->public.encoding);
this->public.crypto->destroy(this->public.crypto);
+ this->public.caps->destroy(this->public.caps);
this->public.proposal->destroy(this->public.proposal);
this->public.fetcher->destroy(this->public.fetcher);
this->public.resolver->destroy(this->public.resolver);
@@ -255,6 +256,7 @@ bool library_init(char *settings)
this->public.settings = settings_create(settings);
this->public.hosts = host_resolver_create();
this->public.proposal = proposal_keywords_create();
+ this->public.caps = capabilities_create();
this->public.crypto = crypto_factory_create();
this->public.creds = credential_factory_create();
this->public.credmgr = credential_manager_create();
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 3b6d02002..1168da8fd 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -101,6 +101,7 @@
#include "credentials/credential_manager.h"
#include "credentials/cred_encoding.h"
#include "utils/chunk.h"
+#include "utils/capabilities.h"
#include "utils/integrity_checker.h"
#include "utils/leak_detective.h"
#include "utils/settings.h"
@@ -141,6 +142,11 @@ struct library_t {
proposal_keywords_t *proposal;
/**
+ * POSIX capability dropping
+ */
+ capabilities_t *caps;
+
+ /**
* crypto algorithm registry and factory
*/
crypto_factory_t *crypto;
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index 3de11bc6c..b9e5b9b1a 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -23,6 +23,8 @@
#ifndef CAPABILITIES_H_
#define CAPABILITIES_H_
+typedef struct capabilities_t capabilities_t;
+
#include <library.h>
#ifdef HAVE_SYS_CAPABILITY_H
# include <sys/capability.h>
@@ -30,8 +32,6 @@
# include <linux/capability.h>
#endif
-typedef struct capabilities_t capabilities_t;
-
/**
* POSIX capability dropping abstraction layer.
*/
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-19 15:24:47 +0000