rpms / libreswan

Clone
Source Code
GIT

Files

  1.   f7da3e92f0eb6ee1c2ef1d2c1af8a81ee67e88e6
  2.   SOURCES
  3.   libreswan-3.8-1092047.patch
Blob Blame History Raw 
diff -Naur libreswan-3.8-orig/programs/pluto/plutomain.c libreswan-3.8/programs/pluto/plutomain.c
--- libreswan-3.8-orig/programs/pluto/plutomain.c	2014-07-14 14:06:22.408265468 -0400
+++ libreswan-3.8/programs/pluto/plutomain.c	2014-07-14 14:34:39.150794888 -0400
@@ -447,23 +447,7 @@
 	leak_detective = 0;
 #endif
 
-#ifdef HAVE_LIBCAP_NG
-	/*
-	 * Drop capabilities - this generates a false positive valgrind warning
-	 * See: http://marc.info/?l=linux-security-module&m=125895232029657
-	 */
-	capng_clear(CAPNG_SELECT_BOTH);
 
-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-		      CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
-		      CAP_IPC_LOCK, CAP_AUDIT_WRITE,
-		      CAP_SETGID, CAP_SETUID, /* for google authenticator pam */
-		      -1);
-	/* our children must be able to CAP_NET_ADMIN to change routes.
-	 */
-	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */
-	capng_apply(CAPNG_SELECT_BOTH);
-#endif
 
 	libreswan_passert_fail = passert_fail;
 
@@ -1104,6 +1088,30 @@
 	pluto_init_log();
 	pluto_init_nss(oco->confddir);
 
+#ifdef HAVE_LIBCAP_NG
+	/*
+	 * Drop capabilities - this generates a false positive valgrind warning
+	 * See: http://marc.info/?l=linux-security-module&m=125895232029657
+	 *
+	 * We drop these after creating the pluto socket or else we can't
+	 * create a socket if the parent dir is non-root
+	 */
+	capng_clear(CAPNG_SELECT_BOTH);
+
+	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+		      CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
+		      CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+		      CAP_SETGID, CAP_SETUID, /* for google authenticator pam */
+		      -1);
+	/* our children must be able to CAP_NET_ADMIN to change routes.
+	 */
+	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_DAC_READ_SEARCH, -1); /* DAC needed for google authenticator pam */
+	capng_apply(CAPNG_SELECT_BOTH);
+	libreswan_log("libcap-ng support [enabled]");
+#else
+	libreswan_log("libcap-ng support [disabled]");
+#endif
+
 #ifdef FIPS_CHECK
 	/*
 	 * FIPS Kernel mode: fips=1 kernel boot parameter

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation