rpms / libreswan

Clone
Source Code
GIT

Files

  1.   9051f09a66b9dca91228646cb00d439f1296a98d
  2.   libreswan-4.12-libcap-ng.patch
Blob Blame History Raw 
commit ad147f53bebf596474df27609a4a6542d0e17400
Author: Paul Wouters <paul.wouters@aiven.io>
Date:   Tue Sep 5 22:49:28 2023 -0400

    pluto: check return code of libcap-ng functions
    
    Avoids "error: ignoring return value of ‘capng_apply’ ..."

diff --git a/include/pluto_constants.h b/include/pluto_constants.h
index 1dd86ba372..f4487a2b0a 100644
--- a/include/pluto_constants.h
+++ b/include/pluto_constants.h
@@ -1024,7 +1024,8 @@ enum pluto_exit_code {
 	PLUTO_EXIT_UNBOUND_FAIL = 9,
 	PLUTO_EXIT_LOCK_FAIL = 10, /* historic value */
 	PLUTO_EXIT_SELINUX_FAIL = 11,
-	PLUTO_EXIT_LEAVE_STATE = 12, /* leave kernel state and routes */
+	PLUTO_EXIT_CAPNG_FAIL = 12,
+	PLUTO_EXIT_LEAVE_STATE = 13, /* leave kernel state and routes */
 	/**/
 	PLUTO_EXIT_GIT_BISECT_CAN_NOT_TEST = 125,
 	PLUTO_EXIT_SHELL_COMMAND_NOT_FOUND = 126,
diff --git a/lib/libswan/pluto_exit_code_names.c b/lib/libswan/pluto_exit_code_names.c
index bb4b3284a5..6d245d4642 100644
--- a/lib/libswan/pluto_exit_code_names.c
+++ b/lib/libswan/pluto_exit_code_names.c
@@ -46,6 +46,7 @@ static const char *pluto_exit_code_name[] = {
 	S(PLUTO_EXIT_UNBOUND_FAIL),
 	S(PLUTO_EXIT_LOCK_FAIL),
 	S(PLUTO_EXIT_SELINUX_FAIL),
+	S(PLUTO_EXIT_CAPNG_FAIL),
 	S(PLUTO_EXIT_LEAVE_STATE),
 #undef S
 };
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 565538ba18..efc287b8fc 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -1708,13 +1708,16 @@ int main(int argc, char **argv)
 	 */
 	capng_clear(CAPNG_SELECT_BOTH);
 
-	capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+	if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
 		CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
 		CAP_IPC_LOCK, CAP_AUDIT_WRITE,
 		/* for google authenticator pam */
 		CAP_SETGID, CAP_SETUID,
 		CAP_DAC_READ_SEARCH,
-		-1);
+		-1) != 0) {
+			fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
+				"libcap-ng capng_updatev() failed");
+	}
 	/*
 	 * We need to retain some capabilities for our children (updown):
 	 * CAP_NET_ADMIN to change routes
@@ -1725,7 +1728,13 @@ int main(int argc, char **argv)
 	 */
 	capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, CAP_NET_RAW,
 			CAP_DAC_READ_SEARCH, -1);
-	capng_apply(CAPNG_SELECT_BOTH);
+	int ret = capng_apply(CAPNG_SELECT_BOUNDS);
+	if (ret != CAPNG_NONE) {
+		fatal(PLUTO_EXIT_CAPNG_FAIL, logger,
+			"libcap-ng capng_apply failed to apply changes, err=%d. see: man capng_apply",
+			ret);
+	}
+
 	llog(RC_LOG, logger, "libcap-ng support [enabled]");
 #else
 	llog(RC_LOG, logger, "libcap-ng support [disabled]");
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.