From 6bcb5c83f24388866720e07caa0c4f871d5d1dda Mon Sep 17 00:00:00 2001 From: Yves Rutschle Date: Sun, 9 Feb 2014 21:39:27 +0100 Subject: [PATCH] libcap support: print out process capabilities at startup if verbose --- ChangeLog | 6 ++++++ common.c | 5 ----- common.h | 6 ++++++ sslh-main.c | 21 +++++++++++++++++++++ 4 files changed, 33 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f86b6a..11a1e9d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,12 @@ vNEXT: first incoming packet. (Ondrej Kuzník) + Libcap support: Keep only CAP_NET_ADMIN if started + as root with transparent proxying and dropping + priviledges (enable USELIBCAP in Makefile). This + avoids having to mess with filesystem capabilities. + (Sebastian Schmidt/yath) + Fixed bugs related to getpeername that would cause sslh to quit erroneously (getpeername can return actual errors if connections are dropped before diff --git a/common.c b/common.c index fefc33e..72c351a 100644 --- a/common.c +++ b/common.c @@ -37,11 +37,6 @@ struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */ int allow_severity =0, deny_severity = 0; #endif -#ifdef LIBCAP -#include -#include -#endif - /* check result and die, printing the offending address and error */ void check_res_dumpdie(int res, struct addrinfo *addr, char* syscall) { diff --git a/common.h b/common.h index 3d09d71..db0ccc5 100644 --- a/common.h +++ b/common.h @@ -27,6 +27,12 @@ #include #include #include + +#ifdef LIBCAP +#include +#include +#endif + #include "version.h" #define CHECK_RES_DIE(res, str) \ diff --git a/sslh-main.c b/sslh-main.c index 2a6ad9c..907969f 100644 --- a/sslh-main.c +++ b/sslh-main.c 
@@ -91,6 +91,23 @@ static void print_usage(void)
 fprintf(stderr, USAGE_STRING, prots);
 }
 
+static void printcaps(void) {
+#ifdef LIBCAP
+ cap_t caps;
+ char* desc;
+ ssize_t len;
+
+ caps = cap_get_proc();
+
+ desc = cap_to_text(caps, &len);
+
+ fprintf(stderr, "capabilities: %s\n", desc);
+
+ cap_free(caps);
+ cap_free(desc);
+#endif
+}
+
 static void printsettings(void)
 {
 char buf[NI_MAXHOST];
@@ -508,9 +525,13 @@ int main(int argc, char *argv[])
 if (user_name) drop_privileges(user_name);
+ /* Open syslog connection */
 setup_syslog(argv[0]);
+ if (verbose)
+ printcaps();
+
 main_loop(listen_sockets, num_addr_listen);
 return 0;
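Review bot: The new `printcaps` passes the result of `cap_get_proc()` straight into `cap_to_text()` and the result of that straight into `fprintf("%s")`, but both libcap calls can return NULL on failure, so a failed lookup turns a verbose-mode diagnostic into a NULL dereference or undefined behaviour. Since this function exists to show what the process kept after `drop_privileges`, reporting the failure with `perror` is more useful than assuming success, and it also keeps a broken capability query from taking the daemon down. The `len` out-parameter is written but never read; `cap_to_text` accepts NULL for it, so the local can go. A one-line header comment would also help, e.g. `/* Print the process's current capability set to stderr; no-op when built without LIBCAP. */`.
```c
static void printcaps(void) {
#ifdef LIBCAP
    cap_t caps;
    char *desc;

    caps = cap_get_proc();
    if (!caps) {
        perror("cap_get_proc");
        return;
    }

    /* length is not needed here; libcap allows NULL for it */
    desc = cap_to_text(caps, NULL);
    if (!desc) {
        perror("cap_to_text");
    } else {
        fprintf(stderr, "capabilities: %s\n", desc);
        cap_free(desc);
    }
    cap_free(caps);
#endif
}
```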