authorMatthias Schiffer <mschiffer@universe-factory.net>2016-02-22 21:51:31 +0100
committerMatthias Schiffer <mschiffer@universe-factory.net>2016-02-22 21:56:34 +0100
commitaac5eefccd859e5bed50a3772d90f20d46c575fa (patch)
treef32dbbf17cabe1f323e8b03491ffc11e950fac68
parent55aa537fb54a9c01820d4638babccdc8f8a0ef04 (diff)
Retain CAP_NET_ADMIN if a packet mark is configured and dynamic binds are required
-rw-r--r--src/capabilities.c8
-rw-r--r--src/types.h2
2 files changed, 8 insertions, 2 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index f72b7f9..5e02df3 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -76,7 +76,13 @@ static void try_cap(cap_value_t cap) {
/** Returns true if CAP_NET_ADMIN should be retained */
static bool need_cap_net_admin(void) {
- return !fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE;
+ if (!fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE)
+ return true;
+
+ if (!(ctx.sock_default_v4 || ctx.sock_default_v6) && conf.packet_mark)
+ return true;
+
+ return false;
}
/** Returns true if CAP_NET_RAW should be retained */
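Review bot: The packet-mark branch in the second added `if` is not gated on `conf.drop_caps != DROP_CAPS_FORCE`, unlike the interface branch right above it, so with forced capability dropping CAP_NET_ADMIN is now kept whenever a packet mark is configured and no default sockets exist. That looks intentional given the wording change in src/types.h, but the asymmetry deserves a comment on the condition, e.g. `/* SO_MARK on dynamically bound sockets needs CAP_NET_ADMIN; DROP_CAPS_FORCE does not override this */`, and the DROP_CAPS_FORCE description in types.h could name the packet-mark exception instead of leaving it implicit. The new check also relies on `ctx.sock_default_v4`/`ctx.sock_default_v6` already being set when need_cap_net_admin() runs; that ordering is not visible in the hunk and should be confirmed against the caller.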
diff --git a/src/types.h b/src/types.h
index 0792e1b..523efa2 100644
--- a/src/types.h
+++ b/src/types.h
@@ -74,7 +74,7 @@ typedef enum fastd_drop_caps {
DROP_CAPS_OFF, /**< The capabilities aren't dropped at all */
DROP_CAPS_ON, /**< The capabilities are dropped after executing the on-up command */
DROP_CAPS_EARLY, /**< The capabilities are dropped before executing the on-up command */
- DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is always dropped */
+ DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is dropped even when TUN/TAP interfaces need to be opened */
} fastd_drop_caps_t;
/** Types of file descriptors to poll on */