Drop capabilities if not running ip exec vrf with libcap
diff --git a/ip/ip.c b/ip/ip.c
index 123f18133a2e5e90a8169018dac572f012cf0db0..e716fed8e8fe6f526c2665f7a5a6492a542bf317 100644 (file)
--- a/ip/ip.c
+++ b/ip/ip.c
@@ -12,7 +12,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <syslog.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -30,9 +29,9 @@ int human_readable;
 int use_iec;
 int show_stats;
 int show_details;
-int resolve_hosts;
 int oneline;
 int brief;
+int json;
 int timestamp;
 const char *_SL_;
 int force;
@@ -51,7 +50,8 @@ static void usage(void)
 "       ip [ -force ] -batch filename\n"
 "where  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |\n"
 "                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |\n"
-"                   netns | l2tp | fou | tcp_metrics | token | netconf }\n"
+"                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |\n"
+"                   vrf | sr }\n"
 "       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |\n"
 "                    -h[uman-readable] | -iec |\n"
 "                    -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |\n"
@@ -84,6 +84,8 @@ static const struct cmd {
        { "link",       do_iplink },
        { "l2tp",       do_ipl2tp },
        { "fou",        do_ipfou },
+       { "ila",        do_ipila },
+       { "macsec",     do_ipmacsec },
        { "tunnel",     do_iptunnel },
        { "tunl",       do_iptunnel },
        { "tuntap",     do_iptuntap },
@@ -97,6 +99,8 @@ static const struct cmd {
        { "mrule",      do_multirule },
        { "netns",      do_netns },
        { "netconf",    do_ipnetconf },
+       { "vrf",        do_ipvrf},
+       { "sr",         do_seg6 },
        { "help",       do_help },
        { 0 }
 };
@@ -168,6 +172,19 @@ int main(int argc, char **argv)
 {
        char *basename;
        char *batch_file = NULL;
+       int color = 0;
+
+       /* to run vrf exec without root, capabilities might be set, drop them
+        * if not needed as the first thing.
+        * execv will drop them for the child command.
+        * vrf exec requires:
+        * - cap_dac_override to create the cgroup subdir in /sys
+        * - cap_sys_admin to load the BPF program
+        * - cap_net_admin to set the socket into the cgroup
+        */
+       if (argc < 3 || strcmp(argv[1], "vrf") != 0 ||
+                       strcmp(argv[2], "exec") != 0)
+               drop_cap();
 
        basename = strrchr(argv[0], '/');
        if (basename == NULL)
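Review bot: The drop_cap() gate added at the top of main() tests argv[1] and argv[2] before the option loop has consumed any leading flags, so invocations such as `ip -n <ns> vrf exec ...` or `ip -4 vrf exec ...` take the drop path and will presumably fail later inside do_ipvrf when the capabilities the comment lists (cap_dac_override, cap_sys_admin, cap_net_admin) are needed; the exact strcmp also means the abbreviations that matches() accepts for every other object (e.g. `ip vr exec`) drop capabilities too. Failing closed is the right direction, a mismatch only costs functionality and never grants privilege, but the decision would be more robust made once, after option parsing has advanced argv and immediately before command dispatch, using the same `strcmp(argv[1], "vrf") == 0 && strcmp(argv[2], "exec") == 0` test on the remaining arguments. The result of drop_cap() is also discarded on the new line; if the libcap helper can fail, the caller should either abort on failure or the helper should be documented as exiting itself, since silently continuing with capabilities retained is the one outcome this commit is trying to rule out. The comment's claim that "execv will drop them for the child command" holds only while no capabilities are raised into the inheritable or ambient sets before the exec, which is worth stating explicitly next to it. main() and the option loop and dispatch referred to here continue past the end of this hunk and are not visible.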
@@ -236,10 +253,6 @@ int main(int argc, char **argv)
                } else if (matches(opt, "-tshort") == 0) {
                        ++timestamp;
                        ++timestamp_short;
-#if 0
-               } else if (matches(opt, "-numeric") == 0) {
-                       rtnl_names_numeric++;
-#endif
                } else if (matches(opt, "-Version") == 0) {
                        printf("ip utility, iproute2-ss%s\n", SNAPSHOT);
                        exit(0);
@@ -253,6 +266,8 @@ int main(int argc, char **argv)
                        batch_file = argv[1];
                } else if (matches(opt, "-brief") == 0) {
                        ++brief;
+               } else if (matches(opt, "-json") == 0) {
+                       ++json;
                } else if (matches(opt, "-rcvbuf") == 0) {
                        unsigned int size;
 
@@ -267,7 +282,7 @@ int main(int argc, char **argv)
                        }
                        rcvbuf = size;
                } else if (matches(opt, "-color") == 0) {
-                       enable_color();
+                       ++color;
                } else if (matches(opt, "-help") == 0) {
                        usage();
                } else if (matches(opt, "-netns") == 0) {
@@ -287,6 +302,9 @@ int main(int argc, char **argv)
 
        _SL_ = oneline ? "\\" : "\n";
 
+       if (color && !json)
+               enable_color();
+
        if (batch_file)
                return batch(batch_file);