Diffstat (limited to 'src/pluto')
-rw-r--r-- | src/pluto/Makefile.am | 4 | ||||
-rw-r--r-- | src/pluto/Makefile.in | 7 | ||||
-rw-r--r-- | src/pluto/log.c | 6 | ||||
-rw-r--r-- | src/pluto/plutomain.c | 38 | ||||
-rw-r--r-- | src/pluto/vendor.c | 8 | ||||
-rw-r--r-- | src/pluto/vendor.h | 6 |
6 files changed, 42 insertions, 27 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 156b81018..c28fbf6e0 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -139,3 +139,7 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif +if USE_CAPABILITIES + pluto_LDADD += -lcap +endif + diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 42017641c..6ea863973 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -60,6 +60,7 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD +@USE_CAPABILITIES_TRUE@am__append_10 = -lcap subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in TODO @@ -102,7 +103,7 @@ pluto_OBJECTS = $(am_pluto_OBJECTS) am__DEPENDENCIES_1 = pluto_DEPENDENCIES = oid.o $(LIBFREESWANDIR)/libfreeswan.a \ $(LIBCRYPTODIR)/libcrypto.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -239,6 +240,8 @@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ @@ -339,7 +342,7 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ $(am__append_8) $(am__append_9) pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \ $(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \ - $(am__append_5) $(am__append_7) + $(am__append_5) $(am__append_7) $(am__append_10) _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv -ldl diff --git a/src/pluto/log.c b/src/pluto/log.c index 0fb5f1d25..b7c1ba8b8 100644 --- a/src/pluto/log.c +++ b/src/pluto/log.c 
@@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: log.c 4024 2008-05-29 07:49:47Z andreas $ + * RCSID $Id: log.c 4246 2008-08-03 18:01:21Z andreas $ */ #include <stdio.h> @@ -95,8 +95,8 @@ void close_peerlog(void) { /* exit if the queue has not been initialized */ - if (TAILQ_LAST(&perpeer_list, perpeer) == NULL) - return; + if (perpeer_list.tqh_first == NULL) + return; /* end of queue is given by pointer to "HEAD" */ while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list) diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 5662c5c41..a39934f1f 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -12,7 +12,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: plutomain.c 3914 2008-05-08 10:58:04Z martin $ + * RCSID $Id: plutomain.c 4313 2008-08-29 09:24:14Z martin $ */ #include <stdio.h> @@ -29,11 +29,14 @@ #include <resolv.h> #include <arpa/nameser.h> /* missing from <resolv.h> on old systems */ #include <sys/queue.h> -#include <linux/capability.h> #include <sys/prctl.h> #include <pwd.h> #include <grp.h> +#ifdef CAPABILITIES +#include <sys/capability.h> +#endif /* CAPABILITIES */ + #include <freeswan.h> #include <pfkeyv2.h> @@ -68,11 +71,6 @@ #include "nat_traversal.h" #include "virtual.h" -/* on some distros, a capset() definition is missing */ -#ifdef NO_CAPSET_DEFINED -extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap); -#endif /* NO_CAPSET_DEFINED */ - static void usage(const char *mess) { @@ -236,8 +234,10 @@ main(int argc, char **argv) bool force_keepalive = FALSE; char *virtual_private = NULL; int lockfd; - struct __user_cap_header_struct hdr; - struct __user_cap_data_struct data; +#ifdef CAPABILITIES + cap_t caps; + int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE }; +#endif /* CAPABILITIES */ /* handle arguments */ for (;;) 
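Review bot: In close_peerlog() in log.c, the new guard reads the list head's `tqh_first` field directly, which ties the check to the internal layout of the <sys/queue.h> head; `if (TAILQ_EMPTY(&perpeer_list))` expresses the same test through the macro API, assuming the target's <sys/queue.h> provides it. The guard only covers the never-initialised case if `perpeer_list` has static storage and is therefore zero-filled, which is not visible in this hunk. It also returns for an initialised but empty queue, so the comment would be more accurate as `/* exit if the queue is empty or has not been initialized */`. The function body continues past the end of the hunk.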
@@ -619,14 +619,6 @@ main(int argc, char **argv) init_fetch(); /* drop unneeded capabilities and change UID/GID */ -#ifdef _LINUX_CAPABILITY_VERSION_1 - hdr.version = _LINUX_CAPABILITY_VERSION_1; -#else - hdr.version = _LINUX_CAPABILITY_VERSION; -#endif - hdr.pid = 0; - data.inheritable = data.effective = data.permitted = - 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE; prctl(PR_SET_KEEPCAPS, 1); @@ -656,11 +648,19 @@ main(int argc, char **argv) } } #endif - if (capset(&hdr, &data)) + +#ifdef CAPABILITIES + caps = cap_init(); + cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET); + cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET); + cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET); + if (cap_set_proc(caps) != 0) { - plog("unable to drop root privileges"); + plog("unable to drop daemon capabilities"); abort(); } + cap_free(caps); +#endif /* CAPABILITIES */ /* loading X.509 CA certificates */ load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA); diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c index 3b779ed24..1db4027d1 100644 --- a/src/pluto/vendor.c +++ b/src/pluto/vendor.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.c 4016 2008-05-25 10:35:39Z andreas $ + * RCSID $Id: vendor.c 4348 2008-09-18 00:42:22Z andreas $ */ #include <stdlib.h> @@ -206,7 +206,11 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.4") + DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.8") + DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7") + DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6") + DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5") + DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4") DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3") DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2") DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1") diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h index c1d8870bc..cf6b68e51 100644 --- a/src/pluto/vendor.h 
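Review bot: `prctl(PR_SET_KEEPCAPS, 1);` in main() stays unconditional and unchecked after this hunk, while the code that actually reduces the capability set is now compiled only under `#ifdef CAPABILITIES` in the following hunk. In a build without that macro the daemon would no longer restrict itself to CAP_NET_ADMIN and CAP_NET_BIND_SERVICE at all, and, if the UID/GID change between the two hunks (not shown) switches to a non-root user, keep-caps would presumably leave the full permitted set in place instead of letting the kernel clear it. Guarding the call the same way closes that gap: `#ifdef CAPABILITIES` / `prctl(PR_SET_KEEPCAPS, 1);` / `#endif /* CAPABILITIES */`, ideally with a plog() line in the `#else` case so an operator can see that no capabilities were dropped. It is also worth confirming that configure defines CAPABILITIES whenever USE_CAPABILITIES is true, since the Makefile.am hunk only adds `-lcap`.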
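Review bot: The results of `cap_init()` and the three `cap_set_flag()` calls in main() are ignored, and the element count is hard-coded as `2` although the `keep` array is declared in an earlier hunk. A failure in any of them most likely still ends in the abort() because cap_set_proc() then fails, but the log line gives no hint which step failed, and the count silently goes stale if `keep` gains an entry. Checking each call and deriving the count from the array keeps the drop fail-closed and self-consistent; declaring the array as `cap_value_t keep[]` would also match the libcap prototype. main() starts and ends outside this hunk.

```c
#ifdef CAPABILITIES
	caps = cap_init();
	if (caps == NULL)
	{
		plog("unable to allocate capability state");
		abort();
	}
	if (cap_set_flag(caps, CAP_EFFECTIVE, sizeof(keep) / sizeof(keep[0]), keep, CAP_SET) != 0
	||  cap_set_flag(caps, CAP_INHERITABLE, sizeof(keep) / sizeof(keep[0]), keep, CAP_SET) != 0
	||  cap_set_flag(caps, CAP_PERMITTED, sizeof(keep) / sizeof(keep[0]), keep, CAP_SET) != 0
	||  cap_set_proc(caps) != 0)
	{
		plog("unable to drop daemon capabilities");
		abort();
	}
	cap_free(caps);
#endif /* CAPABILITIES */
```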
+++ b/src/pluto/vendor.h @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.h 4016 2008-05-25 10:35:39Z andreas $ + * RCSID $Id: vendor.h 4348 2008-09-18 00:42:22Z andreas $ */ #ifndef _VENDOR_H_ @@ -120,6 +120,10 @@ enum known_vendorid { VID_STRONGSWAN_4_2_1 =101, VID_STRONGSWAN_4_2_2 =102, VID_STRONGSWAN_4_2_3 =103, + VID_STRONGSWAN_4_2_4 =104, + VID_STRONGSWAN_4_2_5 =105, + VID_STRONGSWAN_4_2_6 =106, + VID_STRONGSWAN_4_2_7 =107, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =151, |