capabilities: Some plugins don't actually require capabilities at runtime

diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index 31195e2..c36c60d 100644 (file)
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -107,13 +107,14 @@ plugin_t *dhcp_plugin_create()
 {
        private_dhcp_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+       if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
        {       /* required to bind DHCP socket (port 68) */
                DBG1(DBG_NET, "dhcp plugin requires CAP_NET_BIND_SERVICE capability");
                return NULL;
        }
        else if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
-       {       /* required to open DHCP receive socket (AF_PACKET) */
+       {       /* required to open DHCP receive socket (AF_PACKET). according to
+                * capabilities(7) it is also required to use the socket */
                DBG1(DBG_NET, "dhcp plugin requires CAP_NET_RAW capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
index d6e652d..6b8609e 100644 (file)
--- a/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
+++ b/src/libcharon/plugins/duplicheck/duplicheck_plugin.c
@@ -98,7 +98,7 @@ plugin_t *duplicheck_plugin_create()
                return NULL;
        }
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) notify socket */
                DBG1(DBG_CFG, "duplicheck plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/error_notify/error_notify_plugin.c b/src/libcharon/plugins/error_notify/error_notify_plugin.c
index 48b3d94..9ee3ed6 100644 (file)
--- a/src/libcharon/plugins/error_notify/error_notify_plugin.c
+++ b/src/libcharon/plugins/error_notify/error_notify_plugin.c
@@ -92,7 +92,7 @@ plugin_t *error_notify_plugin_create()
 {
        private_error_notify_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) notify socket */
                DBG1(DBG_CFG, "error-notify plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/farp/farp_plugin.c b/src/libcharon/plugins/farp/farp_plugin.c
index d31defc..4b74da3 100644 (file)
--- a/src/libcharon/plugins/farp/farp_plugin.c
+++ b/src/libcharon/plugins/farp/farp_plugin.c
@@ -93,7 +93,8 @@ plugin_t *farp_plugin_create()
        private_farp_plugin_t *this;
 
        if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
-       {       /* required to open ARP socket (AF_PACKET) */
+       {       /* required to open ARP socket (AF_PACKET). according to capabilities(7)
+                * it is also require to use the socket */
                DBG1(DBG_NET, "farp plugin requires CAP_NET_RAW capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index e7697dc..5d4cc61 100644 (file)
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -180,7 +180,8 @@ plugin_t *ha_plugin_create()
        }
 
        if (!lib->caps->keep(lib->caps, CAP_CHOWN))
-       {       /* required to chown(2) control socket */
+       {       /* required to chown(2) control socket, ha_kernel also needs it at
+                * runtime */
                DBG1(DBG_CFG, "ha plugin requires CAP_CHOWN capability");
                return NULL;
        }

diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
index bac3c1c..56f5262 100644 (file)
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c
@@ -102,7 +102,7 @@ plugin_t *kernel_libipsec_plugin_create()
 {
        private_kernel_libipsec_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
        {       /* required to create TUN devices */
                DBG1(DBG_KNL, "kernel-libipsec plugin requires CAP_NET_ADMIN "
                         "capability");

diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index a32a2a4..7f2d425 100644 (file)
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -269,7 +269,7 @@ plugin_t *load_tester_plugin_create()
                return NULL;
        }
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "load-tester plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c
index 89bdad9..4466ad9 100644 (file)
--- a/src/libcharon/plugins/lookip/lookip_plugin.c
+++ b/src/libcharon/plugins/lookip/lookip_plugin.c
@@ -92,7 +92,7 @@ plugin_t *lookip_plugin_create()
 {
        private_lookip_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "lookip plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
index 1236088..a92e571 100644 (file)
--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
@@ -741,7 +741,7 @@ plugin_t *smp_plugin_create()
        private_smp_t *this;
        mode_t old;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "smp plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 54380ed..4139afe 100644 (file)
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -736,7 +736,7 @@ socket_default_socket_t *socket_default_socket_create()
 
        if ((this->port && this->port < 1024) || (this->natt && this->natt < 1024))
        {
-               if (!lib->caps->keep(lib->caps, CAP_NET_BIND_SERVICE))
+               if (!lib->caps->check(lib->caps, CAP_NET_BIND_SERVICE))
                {
                        /* required to bind ports < 1024 */
                        DBG1(DBG_NET, "socket-default plugin requires CAP_NET_BIND_SERVICE "

diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 6c4687f..767bdc6 100644 (file)
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -91,7 +91,7 @@ plugin_t *stroke_plugin_create()
 {
        private_stroke_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) stroke socket */
                DBG1(DBG_CFG, "stroke plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libcharon/plugins/whitelist/whitelist_plugin.c b/src/libcharon/plugins/whitelist/whitelist_plugin.c
index 4f397d7..e51f02c 100644 (file)
--- a/src/libcharon/plugins/whitelist/whitelist_plugin.c
+++ b/src/libcharon/plugins/whitelist/whitelist_plugin.c
@@ -92,7 +92,7 @@ plugin_t *whitelist_plugin_create()
 {
        private_whitelist_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_CHOWN))
+       if (!lib->caps->check(lib->caps, CAP_CHOWN))
        {       /* required to chown(2) control socket */
                DBG1(DBG_CFG, "whitelist plugin requires CAP_CHOWN capability");
                return NULL;

diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index d2c00b0..61d5765 100644 (file)
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -62,7 +62,7 @@ plugin_t *kernel_pfkey_plugin_create()
 {
        private_kernel_pfkey_plugin_t *this;
 
-       if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+       if (!lib->caps->check(lib->caps, CAP_NET_ADMIN))
        {       /* required to open PF_KEY sockets */
                DBG1(DBG_KNL, "kernel-pfkey plugin requires CAP_NET_ADMIN capability");
                return NULL;