#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
-#include <syslog.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
int use_iec;
int show_stats;
int show_details;
-int resolve_hosts;
int oneline;
int brief;
int json;
{
char *basename;
char *batch_file = NULL;
+ int color = 0;
+
+ /* to run vrf exec without root, capabilities might be set, drop them
+ * if not needed as the first thing.
+ * execv will drop them for the child command.
+ * vrf exec requires:
+ * - cap_dac_override to create the cgroup subdir in /sys
+ * - cap_sys_admin to load the BPF program
+ * - cap_net_admin to set the socket into the cgroup
+ */
+ if (argc < 3 || strcmp(argv[1], "vrf") != 0 ||
+ strcmp(argv[2], "exec") != 0)
+ drop_cap();
basename = strrchr(argv[0], '/');
if (basename == NULL)
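Review bot: The gate added before `drop_cap()` keeps cap_dac_override, cap_sys_admin and cap_net_admin for any unprivileged caller whose argv[1] and argv[2] are exactly `vrf` and `exec`, so once file capabilities are installed the whole `vrf exec` path handles caller-supplied arguments with those capabilities, and the comment should say so. I would add a line such as `* The match is positional and exact on purpose: abbreviated or option-prefixed invocations drop capabilities, and vrf exec must treat its arguments as untrusted.` The claim that execv drops the capabilities for the child holds only if nothing places them in the inheritable or ambient sets, which this hunk does not show, so that assumption is worth stating in the comment too. `drop_cap()` is defined outside this diff and nothing is checked after the call; presumably it exits on failure, but confirm that it fails closed rather than continuing with the capabilities still held. The enclosing function starts and continues outside the hunk.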
} else if (matches(opt, "-tshort") == 0) {
++timestamp;
++timestamp_short;
-#if 0
- } else if (matches(opt, "-numeric") == 0) {
- rtnl_names_numeric++;
-#endif
} else if (matches(opt, "-Version") == 0) {
printf("ip utility, iproute2-ss%s\n", SNAPSHOT);
exit(0);
}
rcvbuf = size;
} else if (matches(opt, "-color") == 0) {
- enable_color();
+ ++color;
} else if (matches(opt, "-help") == 0) {
usage();
} else if (matches(opt, "-netns") == 0) {
_SL_ = oneline ? "\\" : "\n";
- if (json)
- check_if_color_enabled();
+ if (color && !json)
+ enable_color();
if (batch_file)
return batch(batch_file);