capabilities: Move global capabilities_t instance to libstrongswan
authorTobias Brunner <tobias@strongswan.org>
Tue, 25 Jun 2013 05:25:18 +0000 (07:25 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 25 Jun 2013 15:16:32 +0000 (17:16 +0200)
21 files changed:
src/charon-cmd/charon-cmd.c
src/charon-nm/charon-nm.c
src/charon-nm/nm/nm_backend.c
src/charon-tkm/src/charon-tkm.c
src/charon/charon.c
src/libcharon/daemon.c
src/libcharon/daemon.h
src/libcharon/plugins/duplicheck/duplicheck_notify.c
src/libcharon/plugins/error_notify/error_notify_socket.c
src/libcharon/plugins/ha/ha_ctl.c
src/libcharon/plugins/ha/ha_kernel.c
src/libcharon/plugins/load_tester/load_tester_control.c
src/libcharon/plugins/lookip/lookip_socket.c
src/libcharon/plugins/smp/smp.c
src/libcharon/plugins/stroke/stroke_socket.c
src/libcharon/plugins/whitelist/whitelist_control.c
src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
src/libhydra/hydra.c
src/libstrongswan/library.c
src/libstrongswan/library.h
src/libstrongswan/utils/capabilities.h

index f3059be..494e4f8 100644 (file)
@@ -169,13 +169,13 @@ static int run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-       if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
        {
                return FALSE;
        }
 #endif
 #ifdef IPSEC_GROUP
-       if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
        {
                return FALSE;
        }
@@ -360,7 +360,7 @@ int main(int argc, char *argv[])
        {
                exit(SS_RC_INITIALIZATION_FAILED);
        }
-       if (!charon->caps->drop(charon->caps))
+       if (!lib->caps->drop(lib->caps))
        {
                exit(SS_RC_INITIALIZATION_FAILED);
        }
index d61ddee..8e44589 100644 (file)
@@ -122,13 +122,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-       if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
        {
                return FALSE;
        }
 #endif
 #ifdef IPSEC_GROUP
-       if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
        {
                return FALSE;
        }
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
        }
        lib->plugins->status(lib->plugins, LEVEL_CTRL);
 
-       if (!charon->caps->drop(charon->caps))
+       if (!lib->caps->drop(lib->caps))
        {
                DBG1(DBG_DMN, "capability dropping failed - aborting charon-nm");
                goto deinit;
index e079198..c839782 100644 (file)
@@ -142,7 +142,7 @@ static bool nm_backend_init()
        }
 
        /* bypass file permissions to read from users ssh-agent */
-       if (!charon->caps->keep(charon->caps, CAP_DAC_OVERRIDE))
+       if (!lib->caps->keep(lib->caps, CAP_DAC_OVERRIDE))
        {
                DBG1(DBG_CFG, "NM backend requires CAP_DAC_OVERRIDE capability");
                nm_backend_deinit();
index 4e364e7..14a7355 100644 (file)
@@ -151,13 +151,13 @@ static void segv_handler(int signal)
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-       if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
        {
                return FALSE;
        }
 #endif
 #ifdef IPSEC_GROUP
-       if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
        {
                return FALSE;
        }
@@ -201,8 +201,8 @@ static bool check_pidfile()
        if (pidfile)
        {
                ignore_result(fchown(fileno(pidfile),
-                                                        charon->caps->get_uid(charon->caps),
-                                                        charon->caps->get_gid(charon->caps)));
+                                                        lib->caps->get_uid(lib->caps),
+                                                        lib->caps->get_gid(lib->caps)));
                fprintf(pidfile, "%d\n", getpid());
                fflush(pidfile);
        }
@@ -327,7 +327,7 @@ int main(int argc, char *argv[])
                goto deinit;
        }
 
-       if (!charon->caps->drop(charon->caps))
+       if (!lib->caps->drop(lib->caps))
        {
                DBG1(DBG_DMN, "capability dropping failed - aborting %s", dmn_name);
                goto deinit;
index eb7dd58..8a8d012 100644 (file)
@@ -149,19 +149,19 @@ static void run()
 static bool lookup_uid_gid()
 {
 #ifdef IPSEC_USER
-       if (!charon->caps->resolve_uid(charon->caps, IPSEC_USER))
+       if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
        {
                return FALSE;
        }
 #endif
 #ifdef IPSEC_GROUP
-       if (!charon->caps->resolve_gid(charon->caps, IPSEC_GROUP))
+       if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
        {
                return FALSE;
        }
 #endif
 #ifdef ANDROID
-       charon->caps->set_uid(charon->caps, AID_VPN);
+       lib->caps->set_uid(lib->caps, AID_VPN);
 #endif
        return TRUE;
 }
@@ -219,8 +219,8 @@ static bool check_pidfile()
        if (pidfile)
        {
                ignore_result(fchown(fileno(pidfile),
-                                                        charon->caps->get_uid(charon->caps),
-                                                        charon->caps->get_gid(charon->caps)));
+                                                        lib->caps->get_uid(lib->caps),
+                                                        lib->caps->get_gid(lib->caps)));
                fprintf(pidfile, "%d\n", getpid());
                fflush(pidfile);
        }
@@ -406,7 +406,7 @@ int main(int argc, char *argv[])
                goto deinit;
        }
 
-       if (!charon->caps->drop(charon->caps))
+       if (!lib->caps->drop(lib->caps))
        {
                DBG1(DBG_DMN, "capability dropping failed - aborting charon");
                goto deinit;
index e375ab7..bc0407d 100644 (file)
@@ -471,7 +471,6 @@ static void destroy(private_daemon_t *this)
        DESTROY_IF(this->public.xauth);
        DESTROY_IF(this->public.backends);
        DESTROY_IF(this->public.socket);
-       DESTROY_IF(this->public.caps);
 
        /* rehook library logging, shutdown logging */
        dbg = dbg_old;
@@ -581,7 +580,6 @@ private_daemon_t *daemon_create(const char *name)
                .ref = 1,
        );
        charon = &this->public;
-       this->public.caps = capabilities_create();
        this->public.controller = controller_create();
        this->public.eap = eap_manager_create();
        this->public.xauth = xauth_manager_create();
@@ -626,7 +624,7 @@ bool libcharon_init(const char *name)
 
        this = daemon_create(name);
 
-       if (!this->public.caps->keep(this->public.caps, CAP_NET_ADMIN))
+       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
        {
                dbg(DBG_DMN, 1, "libcharon requires CAP_NET_ADMIN capability");
                return FALSE;
index 2926d94..24e623c 100644 (file)
@@ -163,7 +163,6 @@ typedef struct daemon_t daemon_t;
 #include <config/backend_manager.h>
 #include <sa/eap/eap_manager.h>
 #include <sa/xauth/xauth_manager.h>
-#include <utils/capabilities.h>
 
 #ifdef ME
 #include <sa/ikev2/connect_manager.h>
@@ -273,11 +272,6 @@ struct daemon_t {
 #endif /* ME */
 
        /**
-        * POSIX capability dropping
-        */
-       capabilities_t *caps;
-
-       /**
         * Name of the binary that uses the library (used for settings etc.)
         */
        const char *name;
index cd5d497..1091258 100644 (file)
@@ -84,8 +84,8 @@ static bool open_socket(private_duplicheck_notify_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing duplicheck socket permissions failed: %s",
                         strerror(errno));
index 3ea657b..2fc7420 100644 (file)
@@ -84,8 +84,8 @@ static bool open_socket(private_error_notify_socket_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing notify socket permissions failed: %s",
                         strerror(errno));
index cb9af3a..178a034 100644 (file)
@@ -129,8 +129,8 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
                }
                umask(old);
        }
-       if (chown(HA_FIFO, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(HA_FIFO, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing HA FIFO permissions failed: %s",
                         strerror(errno));
index c453396..eed89e0 100644 (file)
@@ -316,8 +316,8 @@ static void disable_all(private_ha_kernel_t *this)
        {
                while (enumerator->enumerate(enumerator, NULL, &file, NULL))
                {
-                       if (chown(file, charon->caps->get_uid(charon->caps),
-                                         charon->caps->get_gid(charon->caps)) != 0)
+                       if (chown(file, lib->caps->get_uid(lib->caps),
+                                         lib->caps->get_gid(lib->caps)) != 0)
                        {
                                DBG1(DBG_CFG, "changing ClusterIP permissions failed: %s",
                                         strerror(errno));
index 0c21c23..3c82b5c 100644 (file)
@@ -110,8 +110,8 @@ static bool open_socket(private_load_tester_control_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing load-tester socket permissions failed: %s",
                         strerror(errno));
index f2a469e..b1a46f4 100644 (file)
@@ -94,8 +94,8 @@ static bool open_socket(private_lookip_socket_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing lookip socket permissions failed: %s",
                         strerror(errno));
index ad5029d..0c240cf 100644 (file)
@@ -768,8 +768,8 @@ plugin_t *smp_plugin_create()
                return NULL;
        }
        umask(old);
-       if (chown(unix_addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(unix_addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing XML socket permissions failed: %s", strerror(errno));
        }
index d152ecd..931dba1 100644 (file)
@@ -847,8 +847,8 @@ static bool open_socket(private_stroke_socket_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(socket_addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(socket_addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
                         strerror(errno));
index a75ea9a..b90b62a 100644 (file)
@@ -77,8 +77,8 @@ static bool open_socket(private_whitelist_control_t *this)
                return FALSE;
        }
        umask(old);
-       if (chown(addr.sun_path, charon->caps->get_uid(charon->caps),
-                         charon->caps->get_gid(charon->caps)) != 0)
+       if (chown(addr.sun_path, lib->caps->get_uid(lib->caps),
+                         lib->caps->get_gid(lib->caps)) != 0)
        {
                DBG1(DBG_CFG, "changing whitelist socket permissions failed: %s",
                         strerror(errno));
index 522cc24..2ef9a6c 100644 (file)
@@ -53,7 +53,7 @@ plugin_t *xauth_pam_plugin_create()
        xauth_pam_plugin_t *this;
 
        /* required for PAM authentication */
-       if (!charon->caps->keep(charon->caps, CAP_AUDIT_WRITE))
+       if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
        {
                DBG1(DBG_DMN, "xauth-pam plugin requires CAP_AUDIT_WRITE capability");
                return NULL;
index b199b2f..f531bd5 100644 (file)
@@ -97,4 +97,3 @@ bool libhydra_init(const char *daemon)
        }
        return !this->integrity_failed;
 }
-
index 174a4cb..05d984b 100644 (file)
@@ -89,6 +89,7 @@ void library_deinit()
        this->public.creds->destroy(this->public.creds);
        this->public.encoding->destroy(this->public.encoding);
        this->public.crypto->destroy(this->public.crypto);
+       this->public.caps->destroy(this->public.caps);
        this->public.proposal->destroy(this->public.proposal);
        this->public.fetcher->destroy(this->public.fetcher);
        this->public.resolver->destroy(this->public.resolver);
@@ -255,6 +256,7 @@ bool library_init(char *settings)
        this->public.settings = settings_create(settings);
        this->public.hosts = host_resolver_create();
        this->public.proposal = proposal_keywords_create();
+       this->public.caps = capabilities_create();
        this->public.crypto = crypto_factory_create();
        this->public.creds = credential_factory_create();
        this->public.credmgr = credential_manager_create();
index 3b6d020..1168da8 100644 (file)
 #include "credentials/credential_manager.h"
 #include "credentials/cred_encoding.h"
 #include "utils/chunk.h"
+#include "utils/capabilities.h"
 #include "utils/integrity_checker.h"
 #include "utils/leak_detective.h"
 #include "utils/settings.h"
@@ -141,6 +142,11 @@ struct library_t {
        proposal_keywords_t *proposal;
 
        /**
+        * POSIX capability dropping
+        */
+       capabilities_t *caps;
+
+       /**
         * crypto algorithm registry and factory
         */
        crypto_factory_t *crypto;
index 3de11bc..b9e5b9b 100644 (file)
@@ -23,6 +23,8 @@
 #ifndef CAPABILITIES_H_
 #define CAPABILITIES_H_
 
+typedef struct capabilities_t capabilities_t;
+
 #include <library.h>
 #ifdef HAVE_SYS_CAPABILITY_H
 # include <sys/capability.h>
@@ -30,8 +32,6 @@
 # include <linux/capability.h>
 #endif
 
-typedef struct capabilities_t capabilities_t;
-
 /**
  * POSIX capability dropping abstraction layer.
  */