From 9fd2583e6b5fbf231ab9504c8d341d26bc8588eb Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 25 Jun 2013 08:49:55 +0200
Subject: [PATCH] kernel-netlink: Make CAP_NET_ADMIN capability optional

It is not required to use the kernel-net part of the plugin.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 2db03d8..8d5a0d5 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -66,10 +66,11 @@ plugin_t *kernel_netlink_plugin_create()
 private_kernel_netlink_plugin_t *this;
 
 if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
- { /* required to bind/use XFRM sockets / create routing tables */
- DBG1(DBG_KNL, "kernel-netlink plugin requires CAP_NET_ADMIN "
+ { /* required to bind/use XFRM sockets / create/modify routing tables, but
+ * not if only the read-only parts of kernel-netlink-net are used, so
+ * we don't fail here */
+ DBG1(DBG_KNL, "kernel-netlink plugin might require CAP_NET_ADMIN "
 "capability");
- return NULL;
 }
 
 INIT(this,
-- 
2.7.4
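Review bot: With `return NULL;` removed, a failed `keep(lib->caps, CAP_NET_ADMIN)` now leaves only the vague "might require" message, although the new comment itself says XFRM sockets and routing-table changes still need the capability. Presumably those parts now fail later, at bind or use time, with a less direct error; the feature registration is outside this hunk, so confirm that the IPsec side refuses to start cleanly rather than running half-configured. Consider naming what is lost in the log line, e.g. `DBG1(DBG_KNL, "CAP_NET_ADMIN not held, XFRM and routing table changes will be unavailable");`. From a least-privilege view, `keep()` is still requested unconditionally, so a deployment using only the read-only parts appears to retain CAP_NET_ADMIN whenever it is available. The body of kernel_netlink_plugin_create() starts and continues outside the hunk.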