Diffstat (limited to 'src')
-rw-r--r--src/capabilities.c2
-rw-r--r--src/config.y4
-rw-r--r--src/fastd.c2
-rw-r--r--src/lex.c1
-rw-r--r--src/types.h1
5 files changed, 8 insertions, 2 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index 1feabba..f72b7f9 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -76,7 +76,7 @@ static void try_cap(cap_value_t cap) {
/** Returns true if CAP_NET_ADMIN should be retained */
static bool need_cap_net_admin(void) {
- return !fastd_config_persistent_ifaces();
+ return !fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE;
}
/** Returns true if CAP_NET_RAW should be retained */
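Review bot: The doc comment on need_cap_net_admin still says only that it returns true if CAP_NET_ADMIN should be retained, while the new condition makes DROP_CAPS_FORCE override the persistent-interfaces check, so a reader of the comment would not expect the capability to be dropped for non-persistent interfaces. Suggest `/** Returns true if CAP_NET_ADMIN should be retained (never with DROP_CAPS_FORCE, even when interfaces are not persistent) */`. Presumably any later interface setup or teardown that requires CAP_NET_ADMIN will fail in the forced mode; that trade-off is worth stating wherever the option is documented, since the enum comment in types.h only says the capability is always dropped.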
diff --git a/src/config.y b/src/config.y
index a064d97..2e111ff 100644
--- a/src/config.y
+++ b/src/config.y
@@ -84,6 +84,7 @@
%token TOK_ESTABLISH
%token TOK_FATAL
%token TOK_FLOAT
+%token TOK_FORCE
%token TOK_FORWARD
%token TOK_FROM
%token TOK_GROUP
@@ -244,6 +245,9 @@ drop_capabilities_enabled:
TOK_EARLY {
$$ = DROP_CAPS_EARLY;
}
+ | TOK_FORCE {
+ $$ = DROP_CAPS_FORCE;
+ }
| boolean {
$$ = $1 ? DROP_CAPS_ON : DROP_CAPS_OFF;
}
diff --git a/src/fastd.c b/src/fastd.c
index 37b00f9..1c4a00f 100644
--- a/src/fastd.c
+++ b/src/fastd.c
@@ -571,7 +571,7 @@ static inline void init(int argc, char *argv[]) {
exit_errno("status: close");
}
- if (conf.drop_caps == DROP_CAPS_EARLY)
+ if (conf.drop_caps == DROP_CAPS_EARLY || conf.drop_caps == DROP_CAPS_FORCE)
drop_caps();
if (ctx.iface)
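Review bot: The condition on the changed line now spells out "drop before on-up" as two enum comparisons, and that pair will have to be kept in sync anywhere else the early path is tested (the post-on-up branch, if there is one, is outside this hunk). A small predicate next to the enum keeps the rule in one place: `static inline bool fastd_drop_caps_early(void) { return conf.drop_caps == DROP_CAPS_EARLY || conf.drop_caps == DROP_CAPS_FORCE; }` and here `if (fastd_drop_caps_early())`. The enclosing init() begins before the hunk.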
diff --git a/src/lex.c b/src/lex.c
index 375fba9..5f4e14a 100644
--- a/src/lex.c
+++ b/src/lex.c
@@ -80,6 +80,7 @@ static const keyword_t keywords[] = {
{ "establish", TOK_ESTABLISH },
{ "fatal", TOK_FATAL },
{ "float", TOK_FLOAT },
+ { "force", TOK_FORCE },
{ "forward", TOK_FORWARD },
{ "from", TOK_FROM },
{ "group", TOK_GROUP },
diff --git a/src/types.h b/src/types.h
index 240a1bb..0792e1b 100644
--- a/src/types.h
+++ b/src/types.h
@@ -74,6 +74,7 @@ typedef enum fastd_drop_caps {
DROP_CAPS_OFF, /**< The capabilities aren't dropped at all */
DROP_CAPS_ON, /**< The capabilities are dropped after executing the on-up command */
DROP_CAPS_EARLY, /**< The capabilities are dropped before executing the on-up command */
+ DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is always dropped */
} fastd_drop_caps_t;
/** Types of file descriptors to poll on */