[Openswan dev] [PATCH] fix 'ip' failure on Fedora when built against libcap-ng

Kyle McMartin kmcmartin at redhat.com
Sat Jan 16 17:24:36 EST 2010


When built against libcap-ng to drop posix capabilities, pluto must
retain some capabilities in the bounding set, otherwise its shell
children will not be able to add routes and addrs using the 'ip' command
in the _updown hook.

Fixes issue reported by Marek Greško
http://lists.openswan.org/pipermail/users/2010-January/018160.html
and
https://bugzilla.redhat.com/show_bug.cgi?id=550023

Signed-off-by: Kyle McMartin <kyle at redhat.com>
---
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 58686bd..92bf7c1 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -321,6 +321,10 @@ main(int argc, char **argv)
 	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
 			CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
 			CAP_IPC_LOCK, -1);
+	/* our children must be able to CAP_NET_ADMIN to change routes.
+	 */
+	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
+			CAP_NET_ADMIN, -1);
 	capng_apply(CAPNG_SELECT_BOTH);
 #endif
 
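Review bot: the bounding-set addition is correctly placed before capng_apply(CAPNG_SELECT_BOTH), which commits both the capability sets and the bounding set in one call, so the ordering in this hunk is fine; the reviewer points are about scope and documentation. Only CAP_NET_ADMIN is added to the bounding set, while the effective/permitted set three lines above also retains CAP_NET_BIND_SERVICE, CAP_NET_RAW and CAP_IPC_LOCK; keeping the bounding set to the single capability the `ip` children need is the right least-privilege choice, and it would be worth stating that explicitly in the comment, since the bounding set is the only thing that governs which capabilities anything exec'd from the _updown shell hook can end up with. The comment itself reads oddly ("must be able to CAP_NET_ADMIN"); suggest "our children (the _updown hook's 'ip' calls) must retain CAP_NET_ADMIN to change routes and addresses", which also records why the bounding set, rather than the effective set, is the one being widened.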