Red Hat Bugzilla – Attachment 583806 Details for
Bug 802197
ping failed to set mark on icmp packets
[patch]
A less hacky attempt to fix ping caps
iputils-possible-caps.patch (text/plain), 3.64 KB, created by
Jan Synacek
on 2012-05-11 11:19:02 UTC
Description:
A less hacky attempt to fix ping caps
Filename:
MIME Type:
Creator:
Jan Synacek
Created:
2012-05-11 11:19:02 UTC
Size:
3.64 KB
>diff -aurp iputils-s20101006/ping.c iputils-s20101006.new/ping.c
>--- iputils-s20101006/ping.c 2012-05-11 13:09:51.572507964 +0200
>+++ iputils-s20101006.new/ping.c 2012-05-11 13:14:07.743442485 +0200
>@@ -66,10 +66,6 @@ char copyright[] =
> #include <netinet/ip.h>
> #include <netinet/ip_icmp.h>
>
>-#ifdef HAVE_CAPABILITIES
>-#include <sys/capability.h>
>-#endif
>-
> #ifndef ICMP_FILTER
> #define ICMP_FILTER 1
> struct icmp_filter {
>@@ -130,7 +126,8 @@ main(int argc, char **argv)
> char *target, hnamebuf[MAX_HOSTNAMELEN];
> char rspace[3 + 4 * NROUTES + 1]; /* record route space */
> #ifdef HAVE_CAPABILITIES
>- cap_t caps;
>+ cap_t cap;
>+ cap_flag_value_t capflagval = CAP_CLEAR;
> #endif
>
> char *idn;
>@@ -147,13 +144,23 @@ main(int argc, char **argv)
> }
>
> #ifdef HAVE_CAPABILITIES
>- /* drop all capabilities unconditionally so even root isn't special anymore */
>- caps = cap_init();
>- if (cap_set_proc(caps) < 0) {
>- perror("ping: cap_set_proc");
>- exit(-1);
>+ /* if root, keep all capabilities, otherwise check for cap_net_admin
>+ * because it may be needed to set packet marks */
>+ if (uid != 0) {
>+ if ((cap = cap_get_proc()) == NULL) {
>+ perror("ping: cap_get_proc");
>+ exit(-1);
>+ }
>+ if (cap_get_flag(cap, CAP_NET_ADMIN, CAP_EFFECTIVE, &capflagval) != 0) {
>+ perror("ping: cap_get_flag");
>+ exit(-1);
>+ }
>+ cap_free(cap);
>+
>+ /* if CAP_NET_ADMIN is not set, drop all capabilities now */
>+ if (capflagval == CAP_CLEAR)
>+ drop_capabilities();
> }
>- cap_free(caps);
> #endif
>
> source.sin_family = AF_INET;
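Review bot: In the capability block of main() (hunk `@@ -147,13 +144,23 @@`), uid 0 now skips the drop entirely, and a non-root caller that holds CAP_NET_ADMIN keeps its whole capability set rather than just that one capability until setup() runs; the removed code dropped everything here for every caller. The setup() call is some 400 lines further down main() (not shown), so everything in between now runs with more privilege than setting a packet mark needs. Consider running the query for root as well and, when CAP_NET_ADMIN is effective, shrinking the process set to that single capability at this point; the `uid != 0 &&` test in the ping_common.c hunk would then go too. main() starts and ends outside the hunk, so where `uid` is assigned cannot be checked from here.

```c
	/* … unchanged: cap_get_proc()/cap_get_flag() query, no longer wrapped in if (uid != 0) … */
	cap_free(cap);

	if (capflagval == CAP_CLEAR) {
		drop_capabilities();
	} else {
		/* keep CAP_NET_ADMIN only, until setup() has applied the mark */
		cap_value_t keep[] = { CAP_NET_ADMIN };

		cap = cap_init();
		if (cap == NULL ||
		    cap_set_flag(cap, CAP_PERMITTED, 1, keep, CAP_SET) != 0 ||
		    cap_set_flag(cap, CAP_EFFECTIVE, 1, keep, CAP_SET) != 0 ||
		    cap_set_proc(cap) != 0) {
			perror("ping: cap_set_proc");
			exit(-1);
		}
		cap_free(cap);
	}
```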
>@@ -550,7 +557,7 @@ main(int argc, char **argv)
> printf("from %s %s: ", inet_ntoa(source.sin_addr), device ?: "");
> printf("%d(%d) bytes of data.\n", datalen, datalen+8+optlen+20);
>
>- setup(icmp_sock);
>+ setup(icmp_sock, capflagval);
>
> main_loop(icmp_sock, packet, packlen);
> }
>diff -aurp iputils-s20101006/ping_common.c iputils-s20101006.new/ping_common.c
>--- iputils-s20101006/ping_common.c 2012-05-11 13:09:51.549507971 +0200
>+++ iputils-s20101006.new/ping_common.c 2012-05-11 13:04:54.972583778 +0200
>@@ -448,7 +448,7 @@ void sock_setbufs(int icmp_sock, int all
>
> /* Protocol independent setup and parameter checks. */
>
>-void setup(int icmp_sock)
>+void setup(int icmp_sock, cap_flag_value_t cap_net_admin_flag)
> {
> int hold;
> struct timeval tv;
>@@ -487,6 +487,9 @@ void setup(int icmp_sock)
> */
> fprintf(stderr, "Warning: Failed to set mark %d\n", mark);
> }
>+
>+ if (uid != 0 && cap_net_admin_flag == CAP_SET)
>+ drop_capabilities();
> }
>
> /* Set some SNDTIMEO to prevent blocking forever
>diff -aurp iputils-s20101006/ping_common.h iputils-s20101006.new/ping_common.h
>--- iputils-s20101006/ping_common.h 2010-10-06 13:59:20.000000000 +0200
>+++ iputils-s20101006.new/ping_common.h 2012-05-11 13:05:03.914581492 +0200
>@@ -17,6 +17,10 @@
> #include <string.h>
> #include <netdb.h>
>
>+#ifdef HAVE_CAPABILITIES
>+#include <sys/capability.h>
>+#endif
>+
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <linux/types.h>
>@@ -188,6 +192,15 @@ static inline void advance_ntransmitted(
> acked = (__u16)ntransmitted + 1;
> }
>
>+static inline void drop_capabilities(void)
>+{
>+ cap_t cap = cap_init();
>+ if (cap_set_proc(cap) < 0) {
>+ perror("ping: cap_set_proc");
>+ exit(-1);
>+ }
>+ cap_free(cap);
>+}
>
> extern int send_probe(void);
> extern int receive_error_msg(void);
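Review bot: `capflagval` is declared only inside `#ifdef HAVE_CAPABILITIES` in the earlier main() hunk, yet `setup(icmp_sock, capflagval);` uses it unconditionally, so a build without HAVE_CAPABILITIES would stop compiling. The same applies to the `cap_flag_value_t` parameter in both setup() signatures (ping_common.c and ping_common.h) and to the unguarded `drop_capabilities()` definition in ping_common.h, whose types come from a header that is itself included conditionally. Either guard these uses or keep the prototype as `setup(int icmp_sock)` and make the drop self-contained. Any caller of setup() in a file this patch does not touch would need the same update.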
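Review bot: The added `drop_capabilities()` call in setup() appears to sit before the brace that closes the mark-handling block rather than after it; indentation is lost on this page and setup() starts and ends outside the hunk, so confirm against the file. If that reading is right, a process that kept CAP_NET_ADMIN but was started without a mark never drops it and enters main_loop() still holding capabilities. The `uid != 0` test additionally leaves root fully privileged while replies are parsed. Dropping is harmless when nothing is held, so an unconditional `drop_capabilities();` placed after that closing brace, under `#ifdef HAVE_CAPABILITIES`, would cover every path and make the new parameter unnecessary.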
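Review bot: `cap_init()` can return NULL, and in `drop_capabilities()` that result goes straight into `cap_set_proc()`; check it explicitly with `if (cap == NULL || cap_set_proc(cap) < 0) {` so that failing closed does not depend on how libcap treats a NULL handle. A one-line comment above the function would also help the next reader: `/* Clear every capability set of the process; irreversible, exits on failure. */`.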
>@@ -196,7 +209,7 @@ extern void install_filter(void);
>
> extern int pinger(void);
> extern void sock_setbufs(int icmp_sock, int alloc);
>-extern void setup(int icmp_sock);
>+extern void setup(int icmp_sock, cap_flag_value_t cap_net_admin_flag);
> extern void main_loop(int icmp_sock, __u8 *buf, int buflen) __attribute__((noreturn));
> extern void finish(void) __attribute__((noreturn));
> extern void status(void);
Attachments on
bug 802197
:
569704
|
583806
|
594132