From a2d2428c5fa6bf370486f509b18862c5c7b8b47e Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Tue, 9 Nov 2021 02:39:56 +0100 Subject: [PATCH 2/2] ping6: Avoid binding to non-VRF This fixes permission issue when specifying just address (without VRF) unless having CAP_NET_ADMIN (i.e. root) permission: $ ./builddir/ping/ping -c1 -I lo ::1 ./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on opt_strictsource. Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address") Signed-off-by: Petr Vorel (cherry picked from commit f52b582248f1f870e870a9973621805d969906b4) --- ping/ping6_common.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/ping/ping6_common.c b/ping/ping6_common.c index 98b5adb..a784be0 100644 --- a/ping/ping6_common.c +++ b/ping/ping6_common.c @@ -236,14 +236,16 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai, memset(ipi, 0, sizeof(*ipi)); ipi->ipi6_ifindex = if_name2index(rts->device); - enable_capability_raw(); - rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE, - rts->device, strlen(rts->device) + 1); - errno_save = errno; - disable_capability_raw(); - - if (rc == -1) - error(2, errno_save, "SO_BINDTODEVICE %s", rts->device); + if (rts->opt_strictsource) { + enable_capability_raw(); + rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE, + rts->device, strlen(rts->device) + 1); + errno_save = errno; + disable_capability_raw(); + + if (rc == -1) + error(2, errno_save, "SO_BINDTODEVICE %s", rts->device); + } } if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) { -- 2.46.0