Use random ports in NetworkManager backend
[strongswan.git] / src / charon-nm / charon-nm.c
index 16b0ed8..35e9067 100644 (file)
 #include <signal.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <pwd.h>
-#include <grp.h>
-#ifdef HAVE_PRCTL
-#include <sys/prctl.h>
-#endif
 
 #include <hydra.h>
 #include <daemon.h>
@@ -149,60 +144,17 @@ static void initialize_logger()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
+       if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
        {
-               char buf[1024];
-               struct passwd passwd, *pwp;
-
-               if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
-                       pwp == NULL)
-               {
-                       DBG1(DBG_DMN, "resolving user '"IPSEC_USER"' failed");
-                       return FALSE;
-               }
-               charon->uid = pwp->pw_uid;
+               return FALSE;
        }
 #endif
 #ifdef IPSEC_GROUP
+       if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
        {
-               char buf[1024];
-               struct group group, *grp;
-
-               if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
-                       grp == NULL)
-               {
-                       DBG1(DBG_DMN, "resolving group '"IPSEC_GROUP"' failed");
-                       return FALSE;
-               }
-               charon->gid = grp->gr_gid;
-       }
-#endif
-       return TRUE;
-}
-
-/**
- * Drop process capabilities
- */
-static bool drop_capabilities()
-{
-#ifdef HAVE_PRCTL
-       prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
-#endif
-
-       if (setgid(charon->gid) != 0)
-       {
-               DBG1(DBG_DMN, "change to unprivileged group failed");
-               return FALSE;
-       }
-       if (setuid(charon->uid) != 0)
-       {
-               DBG1(DBG_DMN, "change to unprivileged user failed");
-               return FALSE;
-       }
-       if (!charon->drop_capabilities(charon))
-       {
-               DBG1(DBG_DMN, "unable to drop daemon capabilities");
                return FALSE;
        }
+#endif
        return TRUE;
 }
 
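Review bot: The failure branches in lookup_uid_gid no longer log anything locally — both the `if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))` branch and the resolve_gid branch now just `return FALSE;`. If capabilities_t's resolve_uid/resolve_gid do not emit a message themselves (not visible in this hunk), the removed `DBG1(DBG_DMN, "resolving user '"IPSEC_USER"' failed")` lines were the only hint an operator got before the daemon aborts, so please confirm the resolver logs or keep a DBG1 here. A one-line comment above the `#ifdef IPSEC_USER` block, e.g. `/* resolve IPSEC_USER/IPSEC_GROUP through the capabilities helper; the privilege drop itself happens later in charon->caps->drop() */`, would also document why this function no longer assigns charon->uid/gid. The function's header comment sits above the hunk.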
@@ -240,7 +192,7 @@ int main(int argc, char *argv[])
                exit(SS_RC_INITIALIZATION_FAILED);
        }
 
-       if (!libcharon_init())
+       if (!libcharon_init("charon-nm"))
        {
                dbg_syslog(DBG_DMN, 1, "initialization failed - aborting charon-nm");
                goto deinit;
@@ -254,6 +206,10 @@ int main(int argc, char *argv[])
 
        initialize_logger();
 
+       /* use random ports to avoid conflicts with regular charon */
+       lib->settings->set_int(lib->settings, "charon-nm.port", 0);
+       lib->settings->set_int(lib->settings, "charon-nm.port_natt_t", 0);
+
        DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
        if (lib->integrity)
        {
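Review bot: The second setting key on `lib->settings->set_int(lib->settings, "charon-nm.port_natt_t", 0);` looks misspelled — the documented charon setting is `port_nat_t` (`charon.port_nat_t`), and the line above uses the matching `charon-nm.port`. If the socket plugin looks up `port_nat_t`, this line is a no-op and the NAT-T socket still binds its default port, so the conflict with a regular charon that the comment above intends to avoid remains for NAT-T traffic; suggest `lib->settings->set_int(lib->settings, "charon-nm.port_nat_t", 0);`. Note also that `set_int` overrides anything an administrator put in strongswan.conf; if the settings API offers a set_default variant, it would keep the random port as the default while still allowing an explicit override. main() continues outside the hunk.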
@@ -264,6 +220,9 @@ int main(int argc, char *argv[])
                DBG1(DBG_DMN, "daemon 'charon-nm': passed file integrity test");
        }
 
+       /* register NM backend to be loaded with plugins */
+       nm_backend_register();
+
        /* initialize daemon */
        if (!charon->initialize(charon,
                        lib->settings->get_str(lib->settings, "charon-nm.load", PLUGINS)))
@@ -272,17 +231,10 @@ int main(int argc, char *argv[])
                goto deinit;
        }
 
-       /* load NM backend */
-       if (!nm_backend_init())
-       {
-               DBG1(DBG_DMN, "failed to initialize NetworkManager backend - aborting charon-nm");
-               goto deinit_nm;
-       }
-
-       if (!drop_capabilities())
+       if (!charon->caps->drop(charon->caps))
        {
                DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
-               goto deinit_nm;
+               goto deinit;
        }
 
        /* add handler for SEGV and ILL,
@@ -308,8 +260,6 @@ int main(int argc, char *argv[])
 
        status = 0;
 
-deinit_nm:
-       nm_backend_deinit();
 deinit:
        libcharon_deinit();
        libhydra_deinit();