From 14ed50ffca66bbb860c5a648e6079735181c74da Mon Sep 17 00:00:00 2001
From: Maxime Bizon <mbizon@freebox.fr>
Date: Tue, 22 Oct 2019 19:07:48 +0200
Subject: [PATCH 2/4] libstrongswan: support chroot

---
 src/libstrongswan/utils/capabilities.c | 24 ++++++++++++++++++++++++
 src/libstrongswan/utils/capabilities.h |  2 ++
 2 files changed, 26 insertions(+)

diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c
index 38c2ee09e..1bd11ca8f 100644
--- a/src/libstrongswan/utils/capabilities.c
+++ b/src/libstrongswan/utils/capabilities.c
@@ -77,6 +77,8 @@ struct private_capabilities_t {
 	 */
 	mutex_t *mutex;
 #endif
+
+	char *chroot;
 };
 
 #ifndef WIN32
@@ -279,6 +281,14 @@ METHOD(capabilities_t, set_gid, void,
 	this->gid = gid;
 }
 
+METHOD(capabilities_t, set_chroot, void,
+	private_capabilities_t *this, const char *chroot)
+{
+	if (this->chroot)
+		free(this->chroot);
+	this->chroot = strdup(chroot);
+}
+
 METHOD(capabilities_t, resolve_uid, bool,
 	private_capabilities_t *this, char *username)
 {
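Review bot: The result of `strdup()` in `set_chroot` is never checked, so an allocation failure leaves `this->chroot` NULL and the `if (this->chroot)` test added to `drop()` then skips the chroot without any error, leaving the daemon running unconfined. Because the method returns void the failure cannot be reported; consider returning `bool`, or at least log through DBG1 when the copy fails. A NULL argument is also passed straight to `strdup()`, which is undefined; guard it with `this->chroot = chroot ? strdup(chroot) : NULL;`. The `if (this->chroot)` before `free()` is redundant, and the parameter name shadows libc's `chroot()` while the header calls it `root`.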
@@ -434,6 +444,18 @@ METHOD(capabilities_t, drop, bool,
 			 this->uid);
 		return FALSE;
 	}
+	if (this->chroot) {
+		if (chdir(this->chroot) == -1) {
+			DBG1(DBG_LIB, "chroot to %s failed: %s",
+			     this->chroot, strerror(errno));
+			return FALSE;
+		}
+		if (chroot(this->chroot) == -1) {
+			DBG1(DBG_LIB, "chroot to %s failed: %s",
+			     this->chroot, strerror(errno));
+			return FALSE;
+		}
+	}
 	if (this->gid && setgid(this->gid) != 0)
 	{
 		DBG1(DBG_LIB, "change to unprivileged group %u failed: %s",
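Review bot: In the block added to `drop()`, `chroot(this->chroot)` runs after `chdir(this->chroot)`, so a relative path is resolved a second time from inside the new directory and either fails or lands in a nested directory; after the chdir the call should be `chroot(".")`. The chdir failure is also logged as "chroot to %s failed", which hides which step broke; use `"chdir to %s failed: %s"` there. The chroot only confines the process if root and CAP_SYS_CHROOT are given up afterwards, and the `this->gid &&` guard below suggests the id changes are optional, so it is worth confirming outside this hunk that a configured chroot without a uid is rejected or at least warned about. The new block puts braces on the same line where the surrounding code puts `{` on its own line. `drop()` starts and ends outside the hunk.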
@@ -489,6 +511,7 @@ METHOD(capabilities_t, destroy, void,
 #ifdef CAPABILITIES_LIBCAP
 	cap_free(this->caps);
 #endif /* CAPABILITIES_LIBCAP */
+	free(this->chroot);
 	free(this);
 }
 
@@ -507,6 +530,7 @@ capabilities_t *capabilities_create()
 			.get_gid = _get_gid,
 			.set_uid = _set_uid,
 			.set_gid = _set_gid,
+			.set_chroot = _set_chroot,
 			.resolve_uid = _resolve_uid,
 			.resolve_gid = _resolve_gid,
 			.drop = _drop,
diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h
index c7bdfa347..52b5bbd4f 100644
--- a/src/libstrongswan/utils/capabilities.h
+++ b/src/libstrongswan/utils/capabilities.h
@@ -133,6 +133,8 @@ struct capabilities_t {
 	 * Destroy a capabilities_t.
 	 */
 	void (*destroy)(capabilities_t *this);
+
+	void (*set_chroot)(capabilities_t *this, const char *root);
 };
 
 /**
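Review bot: `set_chroot` is the only member of `capabilities_t` in view without a Doxygen comment, and it is appended after `destroy`. Add a comment saying that the path is copied, that it takes effect in `drop()` before the group change, and that there is no return value to signal failure, for example `/** Set a directory to chroot() into when drop() is called. @param root path, copied */`. Moving it next to `set_gid` would match the order used in the `capabilities_create()` initializer. The struct begins outside the hunk.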
-- 
2.17.1

