debian/usr.lib.ipsec.charon

@@ -28,6 +28,7 @@
   capability chown,
   capability setgid,
   capability setuid,
+  capability setpcap,
 
   # libcharon-extra-plugins: xauth-pam
   capability audit_write,

debian/usr.sbin.charon-systemd

@@ -28,6 +28,7 @@
   capability chown,
   capability setgid,
   capability setuid,
+  capability setpcap,
 
   # libcharon-extra-plugins: xauth-pam
   capability audit_write,
@@ -60,7 +61,7 @@
   /run/charon.*             rw,
   /run/pcscd/pcscd.comm     rw,
 
-  /usr/lib/ipsec/charon     rmix,
+  /usr/sbin/charon-systemd  rmix,
   /usr/lib/ipsec/imcvs/     r,
   /usr/lib/ipsec/imcvs/**   rm,
 

debian/usr.sbin.swanctl

 #include <tunables/global>
 
-/usr/sbin/swanctl {
+/usr/sbin/swanctl flags=(attach_disconnected) {
   #include <abstractions/base>
 
   # Allow /etc/swanctl/x509ca/ files to symlink to system-wide ca-certificates
@@ -21,6 +21,9 @@
   # Allow communication with VICI plugin UNIX domain socket
   /run/charon.vici              rw,
 
+  # Allow reading own binary
+  /usr/sbin/swanctl             r,
+
   # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
   # plugins are actually used by swanctl.  The following can be removed if
   # plugin loading is disabled.