connmark: Add CAP_NET_RAW to capabilities keep list
author: Tim Kent <tim@kent.id.au>
Tue, 25 Oct 2016 06:17:10 +0000 (16:17 +1000)
committer: Tobias Brunner <tobias@strongswan.org>
Tue, 25 Oct 2016 07:46:23 +0000 (09:46 +0200)
Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".

Closes strongswan/strongswan#53.
Fixes #2157.

src/libcharon/plugins/connmark/connmark_plugin.c

index 3f276f9..ad44eba 100644 (file)
@@ -90,6 +90,12 @@ plugin_t *connmark_plugin_create()
                return NULL;
        }
 
+       if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+       {
+               DBG1(DBG_NET, "connmark plugin requires CAP_NET_RAW capability");
+               return NULL;
+       }
+
        INIT(this,
                .public = {
                        .plugin = {