
package/strongswan: allow to drop unneeded capabilities

strongSwan can drop unneeded capabilities[1] after the IKE daemon has
been started, using libcap, so let's expose that via a config
option.

While the "native" (capset) way of dropping capabilities is supported,
it is deprecated so its support is not added in Buildroot.

While the documentation specifically mentions the IKE daemon (charon) as
being the one impacted by this change, the ifdefery with this autotools
option exists in various libraries in the source code, hence why this is
kept independent from the charon Kconfig option status.

[1] https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html#_dropping_capabilities
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Quentin Schulz 1 月之前
父節點
當前提交
e7ca2197c4
共有 2 個文件被更改,包括 16 次插入1 次删除
  1. 10 0
      package/strongswan/Config.in
  2. 6 1
      package/strongswan/strongswan.mk

+ 10 - 0
package/strongswan/Config.in

@@ -73,6 +73,16 @@ config BR2_PACKAGE_STRONGSWAN_CURL
 config BR2_PACKAGE_STRONGSWAN_MD4
 	bool "Enable MD4 hash algorithm"
 
+config BR2_PACKAGE_STRONGSWAN_DROP_CAPS
+	bool "Drop unneeded capabilities after initialization"
+	select BR2_PACKAGE_LIBCAP
+	help
+	  strongSwan supports capability dropping. The IKE charon daemon
+	  is started as root and most of its privileges are dropped
+	  immediately.
+	  After the daemon has been initialized, further unneeded
+	  capabilities are dropped.
+
 config BR2_PACKAGE_STRONGSWAN_CHARON
 	bool "Enable the IKEv1/IKEv2 keying daemon charon"
 	default y
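Review bot: The help text for BR2_PACKAGE_STRONGSWAN_DROP_CAPS does not say what the option changes in the build or where the behaviour is specified, and the symbol has no `default`, so this hardening stays off unless an integrator opts in. I would add a line such as `This passes --with-capabilities=libcap to configure and pulls in libcap.` and end the help with the upstream reference already cited in the commit message, `https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html`. Whether the daemon also switches to an unprivileged user is presumably a separate configure setting and is not visible in this hunk, so the phrase "most of its privileges are dropped" may be worth qualifying as referring to capabilities only.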

+ 6 - 1
package/strongswan/strongswan.mk

@@ -62,6 +62,10 @@ STRONGSWAN_CONF_OPTS += \
 	--with-imcvdir=/usr/lib/ipsec/imcvs \
 	--with-dev-headers=/usr/include
 
+ifeq ($(BR2_PACKAGE_STRONGSWAN_DROP_CAPS),y)
+STRONGSWAN_CONF_OPTS += --with-capabilities=libcap
+endif
+
 ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
 STRONGSWAN_CONF_ENV += LIBS='-latomic'
 endif
@@ -75,7 +79,8 @@ STRONGSWAN_DEPENDENCIES += \
 	$(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \
 	$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) \
-	$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),wolfssl)
+	$(if $(BR2_PACKAGE_STRONGSWAN_WOLFSSL),wolfssl) \
+	$(if $(BR2_PACKAGE_STRONGSWAN_DROP_CAPS),libcap)
 
 ifeq ($(BR2_PACKAGE_STRONGSWAN_SQL),y)
 STRONGSWAN_DEPENDENCIES += \
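Review bot: The new `ifeq ($(BR2_PACKAGE_STRONGSWAN_DROP_CAPS),y)` block in the first hunk has no `else` branch, so a build with the option disabled relies on upstream's configure default instead of stating the choice. Assuming configure accepts the value (to be confirmed against strongSwan's configure.ac), add `else` and `STRONGSWAN_CONF_OPTS += --with-capabilities=no` before the `endif`, so the unhardened state is explicit and survives a change in the upstream default. A one-line comment above the block, `# Capability dropping uses libcap; the native capset backend is deprecated upstream`, would carry the rationale from the commit message into the file. The libcap entry added to STRONGSWAN_DEPENDENCIES in the second hunk is keyed on the same symbol, so the flag and the build-order dependency stay consistent.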