From 4264c8481a025fa7b413be1e892d30235237348b Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 11 May 2018 13:39:56 +0100
Subject: [PATCH] ip: do not drop capabilities if net_admin=i is set
Users have reported a regression due to ip now dropping capabilities
unconditionally.
zerotier-one VPN and VirtualBox use ambient capabilities in their
binary and then fork out to ip to set routes and links, and this
does not work anymore.
As a workaround, do not drop caps if CAP_NET_ADMIN (the most common
capability used by ip) is set with the INHERITABLE flag.
Users that want ip vrf exec to work do not need to set INHERITABLE,
which will then only be set when the calling program had privileges to
give itself the ambient capability.
Fixes: ba2fc55b99f8 ("Drop capabilities if not running ip exec vrf with libcap")
Signed-off-by: Luca Boccassi <bluca@debian.org>
(cherry picked from commit 9b13cc98f5952f62b825461727c8170d37a4037d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
lib/utils.c | 15 ++++++++++++---
man/man8/ip-vrf.8 | 4 ++++
2 files changed, 16 insertions(+), 3 deletions(-)
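--- a/lib/utils.c
+++ b/lib/utils.c
@@ -1492,14 +1492,23 @@ void drop_cap(void)
 /* don't harmstring root/sudo */
 if (getuid() != 0 && geteuid() != 0) {
 cap_t capabilities;
+ cap_value_t net_admin = CAP_NET_ADMIN;
+ cap_flag_t inheritable = CAP_INHERITABLE;
+ cap_flag_value_t is_set;
 
 capabilities = cap_get_proc();
 if (!capabilities)
 exit(EXIT_FAILURE);
- if (cap_clear(capabilities) != 0)
- exit(EXIT_FAILURE);
- if (cap_set_proc(capabilities) != 0)
+ if (cap_get_flag(capabilities, net_admin, inheritable,
+ &is_set) != 0)
 exit(EXIT_FAILURE);
+ /* apps with ambient caps can fork and call ip */
+ if (is_set == CAP_CLEAR) {
+ if (cap_clear(capabilities) != 0)
+ exit(EXIT_FAILURE);
+ if (cap_set_proc(capabilities) != 0)
+ exit(EXIT_FAILURE);
+ }
 cap_free(capabilities);
 }
 #endif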
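Review bot: When `is_set` is `CAP_SET`, the new branch in drop_cap() skips `cap_clear()` and `cap_set_proc()` altogether, so every capability the process holds is kept, not only CAP_NET_ADMIN. If the ip binary also carries file capabilities (the man page text in this same patch mentions setcap with CAP_SYS_ADMIN and CAP_DAC_OVERRIDE), a caller that merely has CAP_NET_ADMIN in its inheritable set would appear to run every ip subcommand with those extra capabilities still permitted and effective. Consider narrowing rather than skipping the drop, for example by clearing the effective and permitted flags and re-raising only what is in the inheritable set, or at least record the trade-off at the check with a comment such as `/* inheritable CAP_NET_ADMIN is a proxy for an ambient-caps caller; nothing is dropped in that case, including file caps on ip */`. drop_cap() begins above this hunk and the `#ifdef` matching the trailing `#endif` is not visible here.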
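--- a/man/man8/ip-vrf.8
+++ b/man/man8/ip-vrf.8
@@ -70,6 +70,10 @@ This command also requires to be ran as root or with the CAP_SYS_ADMIN,
 CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if
 capabilities are added to the ip binary program via setcap, the program will
 drop them as the first thing when invoked, unless the command is vrf exec.
+.br
+NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE
+to avoid breaking programs with ambient capabilities that call ip.
+Do not set the INHERITABLE flag on the ip binary itself.
 
 .TP
 .B ip vrf identify [PID] - Report VRF association for process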
--
2.17.0