
package/strongswan: allow non-root user/group to own IKE charon daemon

Strongswan allows[1] running the IKE charon daemon as a non-root user/group
(it defaults to running as root), so let's allow that.

[1] https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html#_running_strongswan_as_non_root
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Quentin Schulz 1 tháng trước cách đây
mục cha
commit
1d3ec1fc7f
2 tập tin đã thay đổi với 15 bổ sung0 xóa
  1. 5 0
      package/strongswan/Config.in
  2. 10 0
      package/strongswan/strongswan.mk

+ 5 - 0
package/strongswan/Config.in

@@ -204,6 +204,11 @@ config BR2_PACKAGE_STRONGSWAN_SQL
 config BR2_PACKAGE_STRONGSWAN_BYPASS_LAN
 	bool "Enable BYPASS-LAN plugin"
 
+config BR2_PACKAGE_STRONGSWAN_NONROOT
+	bool "Run as non-root"
+	help
+	  This allows running the IKE charon daemon as the non-root
+	  user/group charon/charon.
 endif
 
 config BR2_PACKAGE_STRONGSWAN_PKI
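Review bot: BR2_PACKAGE_STRONGSWAN_NONROOT carries no dependency on BR2_PACKAGE_STRONGSWAN_DROP_CAPS, which the strongswan.mk hunk of this same commit shows to be a separate, optional switch for `--with-capabilities=libcap`. Keeping CAP_NET_ADMIN for IPsec/XFRM setup after charon switches to the charon uid presumably relies on strongSwan's capability-dropping support, so a non-root charon built without it may fail at runtime — confirm against the strongSwan build, and if so add `select BR2_PACKAGE_STRONGSWAN_DROP_CAPS` under the new `bool`, or at least state the requirement in the help text. The help text could also mention that this option creates the charon user and group in the target rootfs, since that is what the STRONGSWAN_USERS entry in strongswan.mk does. The `if`/`endif` block enclosing the new option begins outside the hunk.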

+ 10 - 0
package/strongswan/strongswan.mk

@@ -66,6 +66,16 @@ ifeq ($(BR2_PACKAGE_STRONGSWAN_DROP_CAPS),y)
 STRONGSWAN_CONF_OPTS += --with-capabilities=libcap
 endif
 
+ifeq ($(BR2_PACKAGE_STRONGSWAN_NONROOT),y)
+STRONGSWAN_CONF_OPTS += \
+	--with-user=charon \
+	--with-group=charon
+
+define STRONGSWAN_USERS
+	charon -1 charon -1 * - - -
+endef
+endif
+
 ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
 STRONGSWAN_CONF_ENV += LIBS='-latomic'
 endif
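Review bot: The STRONGSWAN_USERS entry `charon -1 charon -1 * - - -` leaves the trailing comment field empty, whereas Buildroot users tables normally end with a free-form description (e.g. `charon -1 charon -1 * - - - strongSwan charon daemon`) so the account is identifiable in the target's /etc/passwd — confirm whether an empty comment is accepted by the users-table processing. The literal name charon is also repeated three times in this hunk (`--with-user`, `--with-group`, the users entry); a single variable such as `STRONGSWAN_DAEMON_USER := charon` referenced from all three places would keep the configure options and the created account from drifting apart.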