authorLuca Boccassi <bluca@debian.org>2018-03-27 18:48:55 +0100
committerStephen Hemminger <stephen@networkplumber.org>2018-03-27 11:48:23 -0700
commitba2fc55b99f8363c80ce36681bc1ec97690b66f5 (patch)
tree2627ee909111f1291b72caa53aa8d60e27139120 /configure
parentb2038cc0b2403e8c5126cfcf45f6ee48ac549ad0 (diff)
Drop capabilities if not running ip exec vrf with libcap
ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like ping as non-root or non-cap-enabled due to this requirement. To allow users and administrators to safely add the required capabilities to the binary, drop all capabilities on start if not invoked with "vrf exec". Update the manpage with the requirements. Signed-off-by: Luca Boccassi <bluca@debian.org> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure17
1 files changed, 17 insertions, 0 deletions
diff --git a/configure b/configure
index f7c2d7a7..5ef5cd4c 100755
--- a/configure
+++ b/configure
@@ -336,6 +336,20 @@ EOF
rm -f $TMPDIR/strtest.c $TMPDIR/strtest
}
+check_cap()
+{
+ if ${PKG_CONFIG} libcap --exists
+ then
+ echo "HAVE_CAP:=y" >>$CONFIG
+ echo "yes"
+
+ echo 'CFLAGS += -DHAVE_LIBCAP' `${PKG_CONFIG} libcap --cflags` >>$CONFIG
+ echo 'LDLIBS +=' `${PKG_CONFIG} libcap --libs` >> $CONFIG
+ else
+ echo "no"
+ fi
+}
+
quiet_config()
{
cat <<EOF
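Review bot: The `else` branch of `check_cap` only prints `no`, so a build without libcap silently yields an `ip` that presumably lacks the capability drop this commit describes (the C side is not in this diff, so that is inferred from `-DHAVE_LIBCAP` being the only switch). An administrator who then adds file capabilities to that binary, as the commit message invites, would leave CAP_NET_ADMIN, CAP_SYS_ADMIN and CAP_DAC_OVERRIDE available to every subcommand rather than only `vrf exec`. I would make the outcome visible at configure time, for example `echo "no (capabilities will not be dropped; do not setcap ip)"`, and put a comment above the function such as `# Without libcap ip cannot drop capabilities; such a build must not be given file capabilities.` The `quiet_config` function that follows starts in this hunk and continues outside it.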
@@ -410,6 +424,9 @@ check_berkeley_db
echo -n "need for strlcpy: "
check_strlcpy
+echo -n "libcap support: "
+check_cap
+
echo >> $CONFIG
echo "%.o: %.c" >> $CONFIG
echo ' $(QUIET_CC)$(CC) $(CFLAGS) $(EXTRA_CFLAGS) -c -o $@ $<' >> $CONFIG