* [PATCH] packet.7: Indicate CAP_NET_BIND_SERVICE capability is required for binding packet sockets
@ 2015-11-25 17:26 Stewart Brodie
  0 siblings, 0 replies; only message in thread
From: Stewart Brodie @ 2015-11-25 17:26 UTC (permalink / raw)
  To: mtk.manpages; +Cc: netdev, linux-man


Adds a note to packet.7 that the calling process must have the
CAP_NET_BIND_SERVICE capability in order to call bind on packet sockets.

The linux/capability.h header file comments for CAP_NET_BIND_SERVICE do not
document this requirement either.  I did take a brief look in the kernel
source code of both the older kernel I'm using and 4.4-rc2 but found
no obvious check for this capability in files in net/packet, but I'm
not familiar with this code at all.

I discovered this after debugging unexpected permission denied errors in
busybox's udhcpc (when it attempts to renew leases).  It is creating the
socket using: socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP)).  Is it
possible that it applies only with certain type and protocol parameters? If so,
this patch would need to be revised to reflect that.

Patch generated against man-pages-4.02.


diff -ur a/man-pages-4.02/man7/packet.7 b/man-pages-4.02/man7/packet.7
--- a/man-pages-4.02/man7/packet.7      2015-08-08 17:24:11.000000000 +0100
+++ b/man-pages-4.02/man7/packet.7      2015-11-24 18:44:37.341815032 +0000
@@ -97,6 +97,12 @@
 and
 .IR sll_ifindex .
 
+Only processes with the
+.B CAP_NET_BIND_SERVICE
+capability may use
+.BR bind (2)
+on packet sockets.
+
 The
 .BR connect (2)
 operation is not supported on packet sockets.
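Review bot: The added sentence states an unconditional requirement that the cover letter itself leaves unverified: the author reports finding no check for CAP_NET_BIND_SERVICE in net/packet, and the permission denied error was observed only for udhcpc's socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP)). Before packet.7 asserts that bind(2) on packet sockets needs this capability, locate the kernel check that enforces it (or establish what actually denied the call) and cite it in the commit message; if the restriction turns out to depend on the socket type or protocol, the text should say so instead of stating it for all packet sockets, for example "Only processes with the .B CAP_NET_BIND_SERVICE capability may use .BR bind (2) on packet sockets of type ...".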


-- 
Stewart Brodie
