author | Matthias Schiffer <mschiffer@universe-factory.net> | 2016-02-22 21:51:31 +0100 |
---|---|---|
committer | Matthias Schiffer <mschiffer@universe-factory.net> | 2016-02-22 21:56:34 +0100 |
commit | aac5eefccd859e5bed50a3772d90f20d46c575fa (patch) | |
tree | f32dbbf17cabe1f323e8b03491ffc11e950fac68 /src | |
parent | 55aa537fb54a9c01820d4638babccdc8f8a0ef04 (diff) | |
Retain CAP_NET_ADMIN if a packet mark is configured and dynamic binds are required
Diffstat (limited to 'src')
-rw-r--r-- | src/capabilities.c | 8 | ||||
-rw-r--r-- | src/types.h | 2 |
2 files changed, 8 insertions, 2 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index f72b7f9..5e02df3 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -76,7 +76,13 @@ static void try_cap(cap_value_t cap) {
 
 /** Returns true if CAP_NET_ADMIN should be retained */
 static bool need_cap_net_admin(void) {
-	return !fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE;
+	if (!fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE)
+		return true;
+
+	if (!(ctx.sock_default_v4 || ctx.sock_default_v6) && conf.packet_mark)
+		return true;
+
+	return false;
 }
 
 /** Returns true if CAP_NET_RAW should be retained */
diff --git a/src/types.h b/src/types.h
index 0792e1b..523efa2 100644
--- a/src/types.h
+++ b/src/types.h
@@ -74,7 +74,7 @@ typedef enum fastd_drop_caps {
 	DROP_CAPS_OFF, /**< The capabilities aren't dropped at all */
 	DROP_CAPS_ON, /**< The capabilities are dropped after executing the on-up command */
 	DROP_CAPS_EARLY, /**< The capabilities are dropped before executing the on-up command */
-	DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is always dropped */
+	DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is dropped even when TUN/TAP interfaces need to be opened */
 } fastd_drop_caps_t;
 
 /** Types of file descriptors to poll on */
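Review bot: The second condition added to need_cap_net_admin retains CAP_NET_ADMIN whenever conf.packet_mark is set and neither default socket exists, but unlike the first condition it never consults conf.drop_caps, so DROP_CAPS_FORCE no longer guarantees the capability is dropped; the reworded DROP_CAPS_FORCE comment in types.h suggests this is intended, yet nothing at the decision point says so. A why-comment on that branch would keep the next reader from treating it as an oversight, e.g. `/* No default socket: peer sockets are bound later, and setting SO_MARK on them is expected to need CAP_NET_ADMIN, so keep it even under DROP_CAPS_FORCE */`. It is also worth confirming that ctx.sock_default_v4/v6 are already populated when this predicate runs, since their absence is what the check reads as "dynamic binds required"; the ordering is not visible here. Operators relying on DROP_CAPS_FORCE to limit the daemon's privileges should see this exception in the user-facing documentation as well, not only in the enum comment.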