From: Stephen Hemminger
Subject: Re: [PATCH iproute2] ip: do not drop capabilities if net_admin=i is set
Date: Mon, 14 May 2018 21:10:05 -0700
Message-ID: <20180514211005.4f7cb98a@xeon-e3>
References: <20180511123956.5638-1-bluca@debian.org>
In-Reply-To: <20180511123956.5638-1-bluca@debian.org>
To: Luca Boccassi
Cc: netdev@vger.kernel.org, dsahern@gmail.com, luto@amacapital.net

On Fri, 11 May 2018 13:39:56 +0100
Luca Boccassi wrote:

> Users have reported a regression due to ip now dropping capabilities
> unconditionally.
> zerotier-one VPN and VirtualBox use ambient capabilities in their
> binary and then fork out to ip to set routes and links, and this
> does not work anymore.
>
> As a workaround, do not drop caps if CAP_NET_ADMIN (the most common
> capability used by ip) is set with the INHERITABLE flag.
> Users that want ip vrf exec to work do not need to set INHERITABLE,
> which will then only be set when the calling program had privileges to
> give itself the ambient capability.
>
> Fixes: ba2fc55b99f8 ("Drop capabilities if not running ip exec vrf with libcap")
>
> Signed-off-by: Luca Boccassi

Applied
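The rule the patch describes (keep capabilities when CAP_NET_ADMIN is in the inheritable set, since an ambient capability can only be raised by a parent that already had it in its inheritable and permitted sets) can be checked without libcap by reading the CapInh/CapAmb masks from /proc/self/status. The following is an added example written for this page, not iproute2's code: it parses a constructed status text, tests bit 12 (CAP_NET_ADMIN, as defined in linux/capability.h), and returns the drop/keep decision. The function names and the sample status text are this example's own.

```c
/* Added example: decide whether a helper such as ip should drop its
 * capabilities, using the rule from the patch above. Not iproute2 code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#ifndef CAP_NET_ADMIN
#define CAP_NET_ADMIN 12 /* same value as in <linux/capability.h> */
#endif

/* Constructed /proc/<pid>/status excerpts used to exercise the check.
 * 0x1000 is bit 12, i.e. CAP_NET_ADMIN. */
const char SAMPLE_STATUS_WITH_NET_ADMIN[] =
    "Name:\tip\n"
    "CapInh:\t0000000000001000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000001000\n";

const char SAMPLE_STATUS_NO_INHERITABLE[] =
    "Name:\tip\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n";

/* Parse "<key>:<whitespace><hex mask>". Returns 0 and stores the mask on
 * success, -1 if the line carries a different key or no valid hex. */
static int parse_cap_line(const char *line, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    const char *p;
    char *end;
    unsigned long long v;

    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return -1;
    p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* Scan a whole status text for CapInh and CapAmb; returns how many of the
 * two masks were found (2 means both). */
int read_cap_masks(const char *text, uint64_t *inh, uint64_t *amb)
{
    int found = 0;
    const char *line = text;

    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (parse_cap_line(buf, "CapInh", inh) == 0)
            found++;
        else if (parse_cap_line(buf, "CapAmb", amb) == 0)
            found++;

        line = nl ? nl + 1 : NULL;
    }
    return found;
}

int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* The patch's rule: 1 = drop capabilities, 0 = keep them because
 * CAP_NET_ADMIN is inheritable (a parent deliberately passed it on). */
int should_drop_caps(uint64_t inheritable)
{
    return !cap_in_mask(inheritable, CAP_NET_ADMIN);
}

/* Convenience wrapper: -1 if CapInh is missing from the text. */
int drop_decision_from_status(const char *text)
{
    uint64_t inh = 0, amb = 0;
    int found = read_cap_masks(text, &inh, &amb);
    if (found == 0)
        return -1;
    return should_drop_caps(inh);
}

/* Stand-alone run: apply the rule to the live process. */
int main(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char text[8192];
    size_t n;
    uint64_t inh = 0, amb = 0;

    if (!f) { perror("fopen"); return 1; }
    n = fread(text, 1, sizeof(text) - 1, f);
    fclose(f);
    text[n] = '\0';
    read_cap_masks(text, &inh, &amb);
    printf("CapInh=%016llx CapAmb=%016llx -> %s capabilities\n",
           (unsigned long long)inh, (unsigned long long)amb,
           should_drop_caps(inh) ? "drop" : "keep");
    return 0;
}
```

Run as an ordinary user and CapInh is normally all zeros, so the decision is "drop"; launched from a parent that raised CAP_NET_ADMIN as an ambient capability (which the kernel only allows when the capability is already inheritable and permitted in that parent), CapInh carries bit 12 and the helper keeps its capabilities, which is the behaviour the patch restores for zerotier-one and VirtualBox.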