libcap support: print out process capabilities at startup if verbose

ChangeLog

@@ -5,6 +5,12 @@ vNEXT:
 	first incoming packet.
 	(Ondrej Kuzník)
 
+	Libcap support: Keep only CAP_NET_ADMIN if started
+	as root with transparent proxying and dropping
+	priviledges (enable USELIBCAP in Makefile). This
+	avoids having to mess with filesystem capabilities.
+	(Sebastian Schmidt/yath)
+
 	Fixed bugs related to getpeername that would cause
 	sslh to quit erroneously (getpeername can return
 	actual errors if connections are dropped before

common.c

@@ -37,11 +37,6 @@ struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */
 int allow_severity =0, deny_severity = 0;
 #endif
 
-#ifdef LIBCAP
-#include <sys/prctl.h>
-#include <sys/capability.h>
-#endif
-
 /* check result and die, printing the offending address and error */
 void check_res_dumpdie(int res, struct addrinfo *addr, char* syscall)
 {

common.h

@@ -27,6 +27,12 @@
 #include <libgen.h>
 #include <time.h>
 #include <getopt.h>
+
+#ifdef LIBCAP
+#include <sys/prctl.h>
+#include <sys/capability.h>
+#endif
+
 #include "version.h"
 
 #define CHECK_RES_DIE(res, str) \

sslh-main.c

@@ -91,6 +91,23 @@ static void print_usage(void)
     fprintf(stderr, USAGE_STRING, prots);
 }
 
+static void printcaps(void) {
+#ifdef LIBCAP
+    cap_t caps;
+    char* desc;
+    ssize_t len;
+
+    caps = cap_get_proc();
+
+    desc = cap_to_text(caps, &len);
+
+    fprintf(stderr, "capabilities: %s\n", desc);
+
+    cap_free(caps);
+    cap_free(desc);
+#endif
+}
+
 static void printsettings(void)
 {
     char buf[NI_MAXHOST];
@@ -508,9 +525,13 @@ int main(int argc, char *argv[])
    if (user_name)
        drop_privileges(user_name);
 
+
    /* Open syslog connection */
    setup_syslog(argv[0]);
 
+   if (verbose)
+       printcaps();
+
    main_loop(listen_sockets, num_addr_listen);
 
    return 0;