Signed-off-by: Pawel Wieczorkiewicz pwieczorkiewicz@suse.de
---
 teamd/teamd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/teamd/teamd.c b/teamd/teamd.c
index 391b981..aac2511 100644
--- a/teamd/teamd.c
+++ b/teamd/teamd.c
@@ -1681,7 +1681,7 @@ static void teamd_context_fini(struct teamd_context *ctx)
 static int teamd_drop_privileges()
 {
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE};
+ cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW};
 cap_t my_caps;
 struct passwd *pw = NULL;
 struct group *grpent = NULL;
@@ -1731,9 +1731,9 @@ static int teamd_drop_privileges()
 if ((my_caps = cap_init()) == NULL)
 goto error;
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, 2, cv, CAP_SET) < 0)
+ if (cap_set_flag(my_caps, CAP_EFFECTIVE, ARRAY_SIZE(cv), cv, CAP_SET) < 0)
 goto error;
- if (cap_set_flag(my_caps, CAP_PERMITTED, 2, cv, CAP_SET) < 0)
+ if (cap_set_flag(my_caps, CAP_PERMITTED, ARRAY_SIZE(cv), cv, CAP_SET) < 0)
 goto error;
 if (cap_set_proc(my_caps) < 0)
 goto error;
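Review bot: The `cv[]` initialiser at the top of teamd_drop_privileges() now retains CAP_NET_RAW, and the second hunk sets it in both CAP_PERMITTED and CAP_EFFECTIVE for the rest of the daemon's life, but nothing in the code records which call needs it. CAP_NET_RAW allows the process to open raw and packet sockets, so the array deserves a comment such as `/* CAP_NET_RAW: socket(PF_PACKET, ...) in teamd_packet_sock_open(), see packet(7) */`, letting a later audit of the retained set tell whether it is still required. If the packet sockets are only opened at a few known points (not visible from these hunks), keeping the capability in the permitted set and raising it in the effective set only around those opens would narrow the exposure. The change from the literal `2` to `ARRAY_SIZE(cv)` relies on that macro being in scope in teamd.c, which the hunks do not show, and the function body continues outside both hunks.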
Some description here?
Tue, Oct 06, 2015 at 03:05:33PM CEST, pwieczorkiewicz@suse.de wrote:
Signed-off-by: Pawel Wieczorkiewicz pwieczorkiewicz@suse.de
teamd/teamd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/teamd/teamd.c b/teamd/teamd.c index 391b981..aac2511 100644 --- a/teamd/teamd.c +++ b/teamd/teamd.c @@ -1681,7 +1681,7 @@ static void teamd_context_fini(struct teamd_context *ctx)
static int teamd_drop_privileges() {
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE};
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW}; cap_t my_caps; struct passwd *pw = NULL; struct group *grpent = NULL;
@@ -1731,9 +1731,9 @@ static int teamd_drop_privileges()
if ((my_caps = cap_init()) == NULL) goto error;
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, 2, cv, CAP_SET) < 0)
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, ARRAY_SIZE(cv), cv, CAP_SET) < 0) goto error;
- if (cap_set_flag(my_caps, CAP_PERMITTED, 2, cv, CAP_SET) < 0)
- if (cap_set_flag(my_caps, CAP_PERMITTED, ARRAY_SIZE(cv), cv, CAP_SET) < 0) goto error; if (cap_set_proc(my_caps) < 0) goto error;
-- 2.1.4
On Tue, 6 Oct 2015 15:15:28 +0200 Jiri Pirko jiri@resnulli.us wrote:
Some description here?
Sure. The CAP_NET_RAW capability is needed in order to facilitate socket(PF_PACKET...) calls as per description in packet(7). That's the requirement for teamd_packet_sock_open() calls. Without it, teamd running as non-root user is unable to add lacp ports.
Tue, Oct 06, 2015 at 03:05:33PM CEST, pwieczorkiewicz@suse.de wrote:
Signed-off-by: Pawel Wieczorkiewicz pwieczorkiewicz@suse.de
teamd/teamd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/teamd/teamd.c b/teamd/teamd.c index 391b981..aac2511 100644 --- a/teamd/teamd.c +++ b/teamd/teamd.c @@ -1681,7 +1681,7 @@ static void teamd_context_fini(struct teamd_context *ctx)
static int teamd_drop_privileges() {
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE};
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
CAP_NET_RAW}; cap_t my_caps; struct passwd *pw = NULL; struct group *grpent = NULL; @@ -1731,9 +1731,9 @@ static int teamd_drop_privileges()
if ((my_caps = cap_init()) == NULL) goto error;
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, 2, cv, CAP_SET) <
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, ARRAY_SIZE(cv),
cv, CAP_SET) < 0) goto error;
- if (cap_set_flag(my_caps, CAP_PERMITTED, 2, cv, CAP_SET) <
- if (cap_set_flag(my_caps, CAP_PERMITTED, ARRAY_SIZE(cv),
cv, CAP_SET) < 0) goto error; if (cap_set_proc(my_caps) < 0) goto error; -- 2.1.4
Tue, Oct 06, 2015 at 03:19:21PM CEST, pwieczorkiewicz@suse.de wrote:
On Tue, 6 Oct 2015 15:15:28 +0200 Jiri Pirko jiri@resnulli.us wrote:
Some description here?
Sure. The CAP_NET_RAW capability is needed in order to facilitate socket(PF_PACKET...) calls as per description in packet(7). That's the requirement for teamd_packet_sock_open() calls. Without it, teamd running as non-root user is unable to add lacp ports.
Great, please resend with that :)
Tue, Oct 06, 2015 at 03:05:33PM CEST, pwieczorkiewicz@suse.de wrote:
Signed-off-by: Pawel Wieczorkiewicz pwieczorkiewicz@suse.de
teamd/teamd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/teamd/teamd.c b/teamd/teamd.c index 391b981..aac2511 100644 --- a/teamd/teamd.c +++ b/teamd/teamd.c @@ -1681,7 +1681,7 @@ static void teamd_context_fini(struct teamd_context *ctx)
static int teamd_drop_privileges() {
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE};
- cap_value_t cv[] = {CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
CAP_NET_RAW}; cap_t my_caps; struct passwd *pw = NULL; struct group *grpent = NULL; @@ -1731,9 +1731,9 @@ static int teamd_drop_privileges()
if ((my_caps = cap_init()) == NULL) goto error;
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, 2, cv, CAP_SET) <
- if (cap_set_flag(my_caps, CAP_EFFECTIVE, ARRAY_SIZE(cv),
cv, CAP_SET) < 0) goto error;
- if (cap_set_flag(my_caps, CAP_PERMITTED, 2, cv, CAP_SET) <
- if (cap_set_flag(my_caps, CAP_PERMITTED, ARRAY_SIZE(cv),
cv, CAP_SET) < 0) goto error; if (cap_set_proc(my_caps) < 0) goto error; -- 2.1.4
-- Best Regards, Pawel Wieczorkiewicz pwieczorkiewicz@suse.de, Linux System Developer
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 / 90409 Nürnberg / Germany / Phone: +49-911-740 53 - 613