lib/privs: Don't use CAP_NET_BROADCAST
authorChristian Franke <nobody@nowhere.ws>
Wed, 13 May 2015 11:59:18 +0000 (13:59 +0200)
committerDonald Sharp <sharpd@cumulusnetworks.com>
Sat, 9 Apr 2016 00:32:02 +0000 (20:32 -0400)
From what I can tell, CAP_NET_BROADCAST has never been required for any
functionality in the Linux kernel, so we do not really need it.

However, it causes breakage in contexts where Quagga is started with a
limited set of capabilities, e.g. in Docker, because these may not
include CAP_NET_BROADCAST and in the case of Docker do not even support
adding CAP_NET_BROADCAST.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
lib/privs.c

index 3355f24a73499ed2ad2dc54ce1806fdfbd839be7..8cfd8dfd5e401154a1125858c14fb7e8712964ad 100644 (file)
@@ -102,8 +102,7 @@ static struct
 #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */
   [ZCAP_SETID] =       { 2, (pvalue_t []) { CAP_SETGID,
                                              CAP_SETUID                }, },
-  [ZCAP_BIND] =                { 2, (pvalue_t []) { CAP_NET_BIND_SERVICE,
-                                             CAP_NET_BROADCAST                 }, },
+  [ZCAP_BIND] =                { 2, (pvalue_t []) { CAP_NET_BIND_SERVICE       }, },
   [ZCAP_NET_ADMIN] =   { 1, (pvalue_t []) { CAP_NET_ADMIN              }, },
   [ZCAP_NET_RAW] =     { 1, (pvalue_t []) { CAP_NET_RAW                }, },
   [ZCAP_CHROOT] =      { 1, (pvalue_t []) { CAP_SYS_CHROOT,            }, },
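Review bot: The first field on the new `[ZCAP_BIND]` line is still `2`, although the compound literal now holds only `CAP_NET_BIND_SERVICE`. In every other visible entry that field equals the number of initializers, so it looks like an element count. If so, code that walks it would read one `pvalue_t` past the end of the array, and an indeterminate value could end up in the capability set the daemon requests. The line should read `[ZCAP_BIND] = { 1, (pvalue_t []) { CAP_NET_BIND_SERVICE }, },`. The struct definition and the code that consumes the count are outside this hunk, so confirm the exact effect there.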