From d267c2c44b15c6509d2c21484f6a7c6494032ff1 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Mon, 7 Apr 2014 15:05:34 -0400
Subject: [PATCH] Use the raw capability interface via updated ncmlib rather than linking to libcap.
---
 CMakeLists.txt | 4 ++--
 Makefile | 2 +-
 src/ifchd.c | 3 ++-
 src/ndhc.c | 2 +-
 src/sockd.c | 5 +++--
 5 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index d53b863..89b7a07 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,8 +2,8 @@ project (ndhc)
 cmake_minimum_required (VERSION 2.6)
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
-set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -lrt -lcap -D_GNU_SOURCE -DNK_USE_CAPABILITY")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
+set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -Wall -Wextra -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -D_GNU_SOURCE -DNK_USE_CAPABILITY")
 if (WIN32)
 set(OSNAME "Win32")
diff --git a/Makefile b/Makefile
index 2d19c6e..f8a1b19 100644
--- a/Makefile
+++ b/Makefile
@@ -36,7 +36,7 @@ ncmlib.a: $(NCM_OBJS)
 	$(RANLIB) $(BUILD_DIR)/$@
 ndhc: $(NDHC_OBJS) ifchd-parse.o
-	$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o -lcap -lrt
+	$(CC) $(CFLAGS) $(NCM_INC) -o $(BUILD_DIR)/$@ $(subst src/,$(OBJ_DIR)/src/,$(NDHC_OBJS)) $(BUILD_DIR)/ncmlib.a $(BUILD_DIR)/objs/src/ifchd-parse.o
 .PHONY: all clean
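Review bot: The new set(CMAKE_C_FLAGS ...) line drops -lrt together with -lcap, although the subject line only speaks of libcap; the Makefile hunk on the ndhc link line makes the same change. If anything in ndhc or ncmlib still calls clock_gettime() or the POSIX timer functions, the link will fail on glibc older than 2.17, where those symbols live in librt, so either confirm nothing needs it or keep -lrt on the link line. Separately, the new CMAKE_CXX_FLAGS line is seeded from `${CMAKE_C_FLAGS}`, which already carries the whole flag string, so every option appears twice in the C++ flags; seeding it from `${CMAKE_CXX_FLAGS}` avoids that. The context also shows `cmake_minimum_required` placed after `project (ndhc)`, which leaves policy defaults unset during project(); it should be the first command of the file.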
diff --git a/src/ifchd.c b/src/ifchd.c
index cf022e6..19c3f2a 100644
--- a/src/ifchd.c
+++ b/src/ifchd.c
@@ -399,7 +399,8 @@ void ifch_main(void)
 nk_set_chroot(chroot_dir);
 memset(chroot_dir, '\0', sizeof chroot_dir);
- nk_set_uidgid(ifch_uid, ifch_gid, "cap_net_admin=ep");
+ unsigned char keepcaps[] = { CAP_NET_ADMIN };
+ nk_set_uidgid(ifch_uid, ifch_gid, keepcaps, sizeof keepcaps);
 do_ifch_work();
 }
diff --git a/src/ndhc.c b/src/ndhc.c
index 49079e3..bf627e4 100644
--- a/src/ndhc.c
+++ b/src/ndhc.c
@@ -408,7 +408,7 @@ static void ndhc_main(void) {
 nk_set_chroot(chroot_dir);
 memset(chroot_dir, '\0', sizeof chroot_dir);
- nk_set_uidgid(ndhc_uid, ndhc_gid, NULL);
+ nk_set_uidgid(ndhc_uid, ndhc_gid, NULL, 0);
 if (cs.ifsPrevState != IFS_UP)
 ifchange_deconfig(&cs);
diff --git a/src/sockd.c b/src/sockd.c
index 8e0bf1d..960c2f6 100644
--- a/src/sockd.c
+++ b/src/sockd.c
@@ -623,8 +623,9 @@ void sockd_main(void)
 setup_signals_sockd();
 nk_set_chroot(chroot_dir);
 memset(chroot_dir, 0, sizeof chroot_dir);
- nk_set_uidgid(sockd_uid, sockd_gid, "cap_net_bind_service,cap_net_broadcast,cap_net_raw=ep");
+ unsigned char keepcaps[] = { CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW };
+ nk_set_uidgid(sockd_uid, sockd_gid, keepcaps, sizeof keepcaps);
 do_sockd_work();
 }
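Review bot: In the ifchd.c hunk the capability list is passed as `sizeof keepcaps`, which is a byte count that only equals the element count because the array is unsigned char; the sockd.c hunk has the same shape. Either a comment on the call, `/* byte count == element count: unsigned char array */`, or passing `sizeof keepcaps / sizeof keepcaps[0]` keeps that from silently breaking if the element type ever changes. CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST and CAP_NET_RAW must now resolve from <linux/capability.h> (directly or via an ncmlib header); neither hunk adds an include, so if these files currently get them through libcap's <sys/capability.h> the build keeps a header dependency on the library this commit stops linking — worth checking. None of the three call sites, including the ndhc.c one with `NULL, 0`, looks at the result of nk_set_uidgid(); if the updated ncmlib reports failure by return value rather than exiting, the daemons would carry on without having dropped privileges, so the contract of that function should be confirmed. ifch_main(), ndhc_main() and sockd_main() all begin outside their hunks.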