From bc158e058d0de730f08bcb5708dba218f74fcabb Mon Sep 17 00:00:00 2001
From: Jiung
Date: Tue, 24 Oct 2017 14:25:15 +0900
Subject: [PATCH] Add option for dropping capability

Change-Id: Ia599762b6b92307d9e87b8ef2836db12051a3567
Signed-off-by: Yu jiung
---
 conf/options/charon-logging.conf | 2 +-
 conf/options/charon.conf | 4 ++--
 packaging/strongswan.spec | 19 ++++++++++---------
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
index 24b68bd..2acf1eb 100644
--- a/conf/options/charon-logging.conf
+++ b/conf/options/charon-logging.conf
@@ -5,7 +5,7 @@ charon {
 filelog {
 # is the full path to the log file.
- /var/log/charon.log {
+ /opt/usr/data/network/charon.log {
 # Loglevel for a specific subsystem.
 # =
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 9c52d8f..1f58a9c 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -64,7 +64,7 @@ charon {
 # fragment_size = 1280
 # Name of the group the daemon changes to after startup.
- # group =
+ group = network_fw
 # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 # half_open_timeout = 30
@@ -240,7 +240,7 @@ charon {
 # threads = 16
 # Name of the user the daemon changes to after startup.
- # user =
+ user = network_fw
 crypto_test {
diff --git a/packaging/strongswan.spec b/packaging/strongswan.spec
index 950ff1f..7bbd331 100755
--- a/packaging/strongswan.spec
+++ b/packaging/strongswan.spec
@@ -1,7 +1,7 @@
 Name: strongswan
 Summary: StrongSwan - An OpenSource IPsec-based VPN Solution
 Version: 5.5.1
-Release: 2
+Release: 3
 Group: Security/Service
 License: GPL-2.0+
 URL: http://www.strongswan.org/
@@ -15,6 +15,7 @@ BuildRequires: pkgconfig(openssl)
 #BuildRequires: pkgconfig(sqlite3)
 #BuildRequires: pkgconfig(cert-svc)
 #BuildRequires: pkgconfig(secure-storage)
+BuildRequires: pkgconfig(libcap)
 BuildRequires: bison
 BuildRequires: gperf
 BuildRequires: flex
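Review bot: Pointing filelog at `/opt/usr/data/network/charon.log` means charon must be able to create and append to that file after it has switched to `network_fw` (set in the charon.conf hunks of this same patch), but nothing in the spec creates `/opt/usr/data/network` or sets its ownership, so unless the platform provisions that directory the log file cannot be opened once privileges are dropped. If this package is meant to own the directory, a `%dir %attr(750,network_fw,network_fw) /opt/usr/data/network` entry under `%files` would make that explicit. A comment above the path, e.g. `# directory must be writable by the user charon runs as after startup`, would document the dependency for whoever changes either setting next.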
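Review bot: `group = network_fw` here (and `user = network_fw` in the next hunk of this file) makes charon change identity at startup, but this patch does not create that account: the spec adds no `%pre` scriptlet and no dependency on a package that provides it, while its `%defattr`/`%attr` entries also reference it. If `network_fw` is not provisioned elsewhere on the target, the uid/gid lookup fails so charon refuses to start, and rpm falls back to root ownership for the listed files. Either add a comment next to these two options naming where the account comes from, or add a `%pre` that creates it (`getent group network_fw >/dev/null || groupadd -r network_fw`, with the matching `useradd -r` line) together with the corresponding `Requires(pre):` on the package that ships those tools.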
@@ -34,7 +35,7 @@ cp -a %{SOURCE1001} .
 export CFLAGS="${CFLAGS} -fPIE"
 export LDFLAGS="${LDFLAGS} -pie %{?asan:-lpthread}"
-%configure --libexecdir=%{_bindir} --with-ipsecdir=%{_bindir} --with-ipseclibdir=%{_libdir} --with-strongswan-conf=%{_sysconfdir}/strongswan.conf --enable-monolithic --enable-openssl --enable-unity --disable-gmp --disable-pki --disable-stroke --disable-swanctl
+%configure --libexecdir=%{_bindir} --with-ipsecdir=%{_bindir} --with-ipseclibdir=%{_libdir} --with-strongswan-conf=%{_sysconfdir}/strongswan.conf --enable-monolithic --enable-openssl --enable-unity --disable-gmp --disable-pki --disable-stroke --with-capabilities=libcap --with-user=network_fw --with-group=network_fw
 make %{?_smp_mflags}
@@ -54,18 +55,18 @@ rm -rf %{buildroot}%{_libdir}/libvici.so
 %files
 %manifest strongswan.manifest
 %license LICENSE
-%defattr(-,root,root)
+%defattr(-,network_fw,network_fw)
 %config %{_sysconfdir}/strongswan.conf
-%attr(500,root,root) %{_bindir}/*
-%attr(500,root,root) %{_libdir}/libcharon.so.*
-%attr(500,root,root) %{_libdir}/libstrongswan.so.*
-%attr(500,root,root) %{_libdir}/libvici.so.*
+%attr(500,network_fw,network_fw) %{_bindir}/*
+%attr(500,network_fw,network_fw) %{_libdir}/libcharon.so.*
+%attr(500,network_fw,network_fw) %{_libdir}/libstrongswan.so.*
+%attr(500,network_fw,network_fw) %{_libdir}/libvici.so.*
 #%attr(500,root,root) %{_libdir}/libipsec*
 #%attr(500,root,root) %{_libdir}/libsimaka*
 /usr/sbin/ipsec
 /etc/strongswan.d/*
-#/etc/swanctl/swanctl.conf
-#/usr/sbin/swanctl
+%attr(500,network_fw,network_fw) /etc/swanctl/swanctl.conf
+%attr(500,network_fw,network_fw) /usr/sbin/swanctl
 %changelog
--
2.7.4
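Review bot: The new `%configure` line drops `--disable-swanctl`, so swanctl is now built and installed (the files appear in the next hunk), yet neither the commit title nor the message says anything about enabling swanctl; a sentence in the message, or a comment above `%configure` such as `# swanctl enabled: shipped in %files below`, should record that. `--with-user=network_fw --with-group=network_fw` also duplicates the `user =`/`group =` values this same patch writes into charon.conf; that is harmless, but a one-line comment saying which of the two is meant to be authoritative would save the next reader a check.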
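Review bot: Changing `%defattr` and the `%attr(500,...)` entries for `%{_bindir}/*` and the `libcharon`/`libstrongswan`/`libvici` shared objects from `root` to `network_fw` hands ownership of the daemon's own executables and libraries to the account it drops privileges to. The owner of a file can chmod it and then write to it regardless of the 500 mode, so a compromised charon running as `network_fw` could replace `libcharon.so.*` and be re-executed with full privileges at the next start, which undoes the capability dropping this patch introduces. Executables and libraries should stay root-owned as in the previous `%attr(500,root,root)` form (likewise `%defattr(-,root,root)`), with `network_fw` owning only the state and log locations it must write. `/etc/swanctl/swanctl.conf` is also installed with an execute bit and without `%config`, so local edits are overwritten on upgrade; since it may hold credentials, `%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf` and `%attr(500,root,root) %{_sbindir}/swanctl` fit better and match the macros used elsewhere in the spec.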