dhcp: Require CAP_NET_BIND_SERVICE and CAP_NET_RAW to open/bind sockets

diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index a31f126..31195e2 100644 (file)
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -107,6 +107,17 @@ plugin_t *dhcp_plugin_create()
 {
        private_dhcp_plugin_t *this;
 
+       if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+       {       /* required to bind DHCP socket (port 68) */
+               DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
+               return NULL;
+       }
+       else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+       {       /* required to open DHCP receive socket (AF_PACKET) */
+               DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {

diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index 543af32..3493757 100644 (file)
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -38,6 +38,9 @@ typedef struct capabilities_t capabilities_t;
 #ifndef CAP_NET_ADMIN
 # define CAP_NET_ADMIN 12
 #endif
+#ifndef CAP_NET_RAW
+# define CAP_NET_RAW 13
+#endif
 
 /**
  * POSIX capability dropping abstraction layer.