> Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
> From: Patrik.Flykt@linux.intel.com
> To: ajbibb@outlook.com
> CC: connman@lists.01.org
> Date: Fri, 19 Feb 2016 11:29:22 +0200
>
>
> Hi,
>
> The below reply got stuck somewhere, I thought it had already been sent
> to the mailing list...
>
> On Wed, 2016-02-10 at 19:30 -0500, Andrew Bibb wrote:
>
> > Lastly I decided to play around with the CapabilityBoundingSet a bit
> > based on your suggestion. Adding CAP_DAC_READ_SEARCH to the "as
> > shipped" list will allow OpenVPN to connect. I never even knew these
> > existed until this evening, and I only picked that one based on
> > reading the manpage, so the probability of it being the proper one is
> > likely not great. Using CAP_DAC_OVERRIDE also works, but that
> > bypasses write permissions and seems to be overkill.
>
> man page says about CAP_DAC_READ_SEARCH that it:
> * Bypass file read permission checks and directory read and execute
> permission checks;
> * Invoke open_by_handle_at(2).
>
> Could it be that openvpn does not have read permissions to the config
> file and/or path written to by ConnMan?
>
> Cheers,
>
> Patrik
>
>
>

Patrik,

You nailed it: permissions on my personal home directory were 700, so OpenVPN could never get into ~/.local/share. Change that one to 711 and Connman with OpenVPN will connect fine (using the default "as shipped" /usr/lib/systemd/system/connman-vpn.service file).


Thank you for all your help.

Andrew
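The root cause in this thread is a path-traversal permission problem rather than a missing capability: a daemon running as another uid needs the search (execute) bit on every directory between `/` and the file, and a 700 home directory denies that even when the leaf file is world-readable. The script below is an added example, not code from the thread or from ConnMan or OpenVPN; it walks the directory components of a path and reports the ones that deny search permission to "other" users, which is the check that would have pointed at the home directory instead of at CAP_DAC_READ_SEARCH. The sample tree, the file name `example.conf` and the `andrew` directory are constructed for the demonstration.

```shell
#!/bin/sh
# Report directories on the way to a file that block "other" users from
# traversing them. Added example (not from the mailing list thread).

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# untraversable_dirs FILE STOP
# Walk from dirname(FILE) upward until STOP is reached and print every
# directory whose "other" permission lacks the search/execute bit (x).
# Exit status 0 means every component is traversable by any uid.
untraversable_dirs() {
    file=$1
    stop=$2
    result=""
    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        m=$(mode_of "$dir")
        other=$(( m % 10 ))          # last octal digit = "other" rwx
        if [ $(( other & 1 )) -eq 0 ]; then
            result="$dir${result:+ $result}"
        fi
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$result"
    [ -z "$result" ]
}

# Constructed sample tree mirroring the thread: a 700 home directory
# holding a world-readable config file under .local/share.
SANDBOX=$(mktemp -d)
HOME_DIR="$SANDBOX/andrew"
CONF="$HOME_DIR/.local/share/example.conf"   # placeholder file name
mkdir -p "$HOME_DIR/.local/share"
: > "$CONF"
chmod 755 "$HOME_DIR/.local" "$HOME_DIR/.local/share"
chmod 644 "$CONF"
trap 'rm -rf "$SANDBOX"' EXIT

# Apply MODE to the home directory, then run the traversal check.
check_with_home_mode() {
    chmod "$1" "$HOME_DIR"
    untraversable_dirs "$CONF" "$SANDBOX"
}

echo "home 700 -> blocking dirs:"
check_with_home_mode 700 || echo "(a daemon running as another uid cannot reach $CONF)"
echo "home 711 -> blocking dirs:"
check_with_home_mode 711 && echo "(none: every component is searchable)"
```

Mode 711 keeps the home directory unlistable and unreadable for other users while granting the search bit that lets a service reach a known path inside it; granting CAP_DAC_READ_SEARCH in `CapabilityBoundingSet` would instead let the VPN daemon bypass read and search checks on every file on the system, which is why the narrower permission fix is preferable.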