aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/charon/Makefile.am5
-rw-r--r--src/charon/daemon.c55
-rw-r--r--src/charon/plugins/eap_gtc/eap_gtc_plugin.c3
-rw-r--r--src/pluto/Makefile.am4
-rw-r--r--src/pluto/plutomain.c36
5 files changed, 53 insertions, 50 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 82f521fc6..c7fb7ffbd 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -129,6 +129,11 @@ if USE_SELF_TEST
AM_CFLAGS += -DSELF_TEST
endif
+if USE_CAPABILITIES
+ charon_LDADD += -lcap
+endif
+
+
# build optional plugins
########################
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 3d2ad77e8..127a15862 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -22,7 +22,6 @@
#endif /* HAVE_DLADDR */
#include <stdio.h>
-#include <linux/capability.h>
#include <sys/prctl.h>
#include <signal.h>
#include <pthread.h>
@@ -38,6 +37,9 @@
#ifdef HAVE_BACKTRACE
# include <execinfo.h>
#endif /* HAVE_BACKTRACE */
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
#include "daemon.h"
@@ -45,16 +47,6 @@
#include <config/traffic_selector.h>
#include <config/proposal.h>
-/* on some distros, a capset definition is missing */
-#ifdef NO_CAPSET_DEFINED
-extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif /* NO_CAPSET_DEFINED */
-
-/* missing on older kernel headers */
-#ifndef CAP_AUDIT_WRITE
-#define CAP_AUDIT_WRITE 29
-#endif /* CAP_AUDIT_WRITE */
-
#ifdef INTEGRITY_TEST
#include <fips/fips.h>
#include <fips/fips_signature.h>
@@ -80,11 +72,13 @@ struct private_daemon_t {
* The thread_id of main-thread.
*/
pthread_t main_thread_id;
-
+
+#ifdef CAPABILITIES
/**
* capabilities to keep
*/
- u_int32_t keep;
+ cap_t caps;
+#endif /* CAPABILITIES */
};
/**
@@ -193,6 +187,9 @@ static void destroy(private_daemon_t *this)
}
/* unload plugins to release threads */
lib->plugins->unload(lib->plugins);
+#ifdef CAPABILITIES
+ cap_free(this->caps);
+#endif /* CAPABILITIES */
DESTROY_IF(this->public.ike_sa_manager);
DESTROY_IF(this->public.kernel_interface);
DESTROY_IF(this->public.scheduler);
@@ -253,10 +250,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
* drop daemon capabilities
*/
static void drop_capabilities(private_daemon_t *this)
-{
- struct __user_cap_header_struct hdr;
- struct __user_cap_data_struct data;
-
+{
prctl(PR_SET_KEEPCAPS, 1);
if (setgid(charon->gid) != 0)
@@ -267,21 +261,13 @@ static void drop_capabilities(private_daemon_t *this)
{
kill_daemon(this, "change to unprivileged user failed");
}
-
- /* we use the old capset version for now. For systems with version 2
- * available, we specifiy version 1 excplicitly. */
-#ifdef _LINUX_CAPABILITY_VERSION_1
- hdr.version = _LINUX_CAPABILITY_VERSION_1;
-#else
- hdr.version = _LINUX_CAPABILITY_VERSION;
-#endif
- hdr.pid = 0;
- data.inheritable = data.effective = data.permitted = this->keep;
- if (capset(&hdr, &data))
+#ifdef CAPABILITIES
+ if (cap_set_proc(this->caps) != 0)
{
kill_daemon(this, "unable to drop daemon capabilities");
}
+#endif /* CAPABILITIES */
}
/**
@@ -289,7 +275,11 @@ static void drop_capabilities(private_daemon_t *this)
*/
static void keep_cap(private_daemon_t *this, u_int cap)
{
- this->keep |= 1 << cap;
+#ifdef CAPABILITIES
+ cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET);
+ cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET);
+ cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET);
+#endif /* CAPABILITIES */
}
/**
@@ -498,11 +488,14 @@ private_daemon_t *daemon_create(void)
this->public.gid = 0;
this->main_thread_id = pthread_self();
- this->keep = 1<<CAP_NET_ADMIN;
+#ifdef CAPABILITIES
+ this->caps = cap_init();
+ keep_cap(this, CAP_NET_ADMIN);
if (lib->leak_detective)
{
- this->keep = 1<<CAP_SYS_NICE;
+ keep_cap(this, CAP_SYS_NICE);
}
+#endif /* CAPABILITIES */
/* add handler for SEGV and ILL,
* add handler for USR1 (cancellation).
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
index 0407edc97..cea88ef9f 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -21,7 +21,8 @@
#include <daemon.h>
-#include <linux/capability.h>
+/* missing in cababilities.h */
+#define CAP_AUDIT_WRITE 29
/**
* Implementation of plugin_t.destroy
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 156b81018..c28fbf6e0 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -139,3 +139,7 @@ if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
endif
+if USE_CAPABILITIES
+ pluto_LDADD += -lcap
+endif
+
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index f1b31637a..b7bb8df98 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -29,11 +29,14 @@
#include <resolv.h>
#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
#include <sys/queue.h>
-#include <linux/capability.h>
#include <sys/prctl.h>
#include <pwd.h>
#include <grp.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
+
#include <freeswan.h>
#include <pfkeyv2.h>
@@ -68,11 +71,6 @@
#include "nat_traversal.h"
#include "virtual.h"
-/* on some distros, a capset() definition is missing */
-#ifdef NO_CAPSET_DEFINED
-extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif /* NO_CAPSET_DEFINED */
-
static void
usage(const char *mess)
{
@@ -236,8 +234,10 @@ main(int argc, char **argv)
bool force_keepalive = FALSE;
char *virtual_private = NULL;
int lockfd;
- struct __user_cap_header_struct hdr;
- struct __user_cap_data_struct data;
+#ifdef CAPABILITIES
+ cap_t caps;
+ int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+#endif /* CAPABILITIES */
/* handle arguments */
for (;;)
@@ -619,14 +619,6 @@ main(int argc, char **argv)
init_fetch();
/* drop unneeded capabilities and change UID/GID */
-#ifdef _LINUX_CAPABILITY_VERSION_1
- hdr.version = _LINUX_CAPABILITY_VERSION_1;
-#else
- hdr.version = _LINUX_CAPABILITY_VERSION;
-#endif
- hdr.pid = 0;
- data.inheritable = data.effective = data.permitted =
- 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
prctl(PR_SET_KEEPCAPS, 1);
@@ -656,11 +648,19 @@ main(int argc, char **argv)
}
}
#endif
- if (capset(&hdr, &data))
+
+#ifdef CAPABILITIES
+ caps = cap_init();
+ cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
+ cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
+ if (cap_set_proc(caps) != 0)
{
- plog("unable to drop root privileges");
+ plog("unable to drop daemon capabilities");
abort();
}
+ cap_free(caps);
+#endif /* CAPABILITIES */
/* loading X.509 CA certificates */
load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);