Drop capabilities if not running ip exec vrf with libcap
diff --git a/ip/ip.c b/ip/ip.c
index e66f69700105e82eb55a469b037aaf1107e15c42..e716fed8e8fe6f526c2665f7a5a6492a542bf317 100644 (file)
--- a/ip/ip.c
+++ b/ip/ip.c
@@ -12,7 +12,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <syslog.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -30,7 +29,6 @@ int human_readable;
 int use_iec;
 int show_stats;
 int show_details;
-int resolve_hosts;
 int oneline;
 int brief;
 int json;
@@ -174,6 +172,19 @@ int main(int argc, char **argv)
 {
        char *basename;
        char *batch_file = NULL;
+       int color = 0;
+
+       /* to run vrf exec without root, capabilities might be set, drop them
+        * if not needed as the first thing.
+        * execv will drop them for the child command.
+        * vrf exec requires:
+        * - cap_dac_override to create the cgroup subdir in /sys
+        * - cap_sys_admin to load the BPF program
+        * - cap_net_admin to set the socket into the cgroup
+        */
+       if (argc < 3 || strcmp(argv[1], "vrf") != 0 ||
+                       strcmp(argv[2], "exec") != 0)
+               drop_cap();
 
        basename = strrchr(argv[0], '/');
        if (basename == NULL)
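Review bot: The keep-capabilities decision at `if (argc < 3 || strcmp(argv[1], "vrf") != 0 || strcmp(argv[2], "exec") != 0)` is purely positional, so any global option placed before the subcommand (e.g. a `-netns` or `-family` flag ahead of `vrf exec`) makes drop_cap() run before the option parser ever sees it, and the later vrf exec setup will then fail with whatever error the unprivileged cgroup/BPF path produces rather than a clear message. The test also uses exact strcmp() while the option loop in this file uses prefix matches() (see `-tshort`, `-color` in the other hunks), so abbreviated spellings drop the capabilities as well; that fails closed, which is the right direction, but the comment should say so: `* Note: exact, positional match -- global options before "vrf exec", or abbreviated spellings, cause the capabilities to be dropped.` Whether drop_cap() can report failure is not visible here; if it can, main() should refuse to continue rather than run on with capabilities it meant to shed. main() continues past the end of this hunk.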
@@ -242,10 +253,6 @@ int main(int argc, char **argv)
                } else if (matches(opt, "-tshort") == 0) {
                        ++timestamp;
                        ++timestamp_short;
-#if 0
-               } else if (matches(opt, "-numeric") == 0) {
-                       rtnl_names_numeric++;
-#endif
                } else if (matches(opt, "-Version") == 0) {
                        printf("ip utility, iproute2-ss%s\n", SNAPSHOT);
                        exit(0);
@@ -275,7 +282,7 @@ int main(int argc, char **argv)
                        }
                        rcvbuf = size;
                } else if (matches(opt, "-color") == 0) {
-                       enable_color();
+                       ++color;
                } else if (matches(opt, "-help") == 0) {
                        usage();
                } else if (matches(opt, "-netns") == 0) {
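Review bot: With `-color` now only counted (`++color`) and acted on later by `if (color && !json) enable_color();` in the hunk at -295,8, a `-json -color` combination is silently ignored, whereas the removed `check_if_color_enabled()` call presumably reported the conflict; if that notice was intentional, keep a one-line message in that branch. Deferring the call does make the result independent of option order, which is an improvement over enabling colour inline. A short comment at the new declaration, `int color = 0; /* -color seen; applied after parsing so -json can veto it */`, would record why the call is deferred. main() starts and ends outside this hunk.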
@@ -295,8 +302,8 @@ int main(int argc, char **argv)
 
        _SL_ = oneline ? "\\" : "\n";
 
-       if (json)
-               check_if_color_enabled();
+       if (color && !json)
+               enable_color();
 
        if (batch_file)
                return batch(batch_file);