From: Christian Franke Date: Wed, 13 May 2015 11:59:18 +0000 (+0200) Subject: lib/privs: Don't use CAP_NET_BROADCAST X-Git-Tag: frr-2.0-rc1~979 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=1b32203911d5d0fe6197019f2e25027f5a5f2ad4;p=matthieu%2Ffrr.git lib/privs: Don't use CAP_NET_BROADCAST From what I can tell, CAP_NET_BROADCAST has never been required for any functionality in the Linux kernel, so we do not really need it. However, it causes breakage in contexts where Quagga is started with a limited set of capabilities, e.g. in Docker, because these may not include CAP_NET_BROADCAST and in the case of Docker do not even support adding CAP_NET_BROADCAST. Signed-off-by: David Lamparter --- diff --git a/lib/privs.c b/lib/privs.c index 3355f24a73..8cfd8dfd5e 100644 --- a/lib/privs.c +++ b/lib/privs.c @@ -102,8 +102,7 @@ static struct #ifdef HAVE_LCAPS /* Quagga -> Linux capabilities mappings */ [ZCAP_SETID] = { 2, (pvalue_t []) { CAP_SETGID, CAP_SETUID }, }, - [ZCAP_BIND] = { 2, (pvalue_t []) { CAP_NET_BIND_SERVICE, - CAP_NET_BROADCAST }, }, + [ZCAP_BIND] = { 2, (pvalue_t []) { CAP_NET_BIND_SERVICE }, }, [ZCAP_NET_ADMIN] = { 1, (pvalue_t []) { CAP_NET_ADMIN }, }, [ZCAP_NET_RAW] = { 1, (pvalue_t []) { CAP_NET_RAW }, }, [ZCAP_CHROOT] = { 1, (pvalue_t []) { CAP_SYS_CHROOT, }, },
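Review bot: In the new ZCAP_BIND line the leading count is still 2 although the initializer now holds only CAP_NET_BIND_SERVICE. In the neighbouring entries that first field matches the number of initializers (2 for ZCAP_SETID, 1 for ZCAP_NET_ADMIN and ZCAP_NET_RAW), so anything that walks the array by that count would read one pvalue_t past the end of the compound literal and treat whatever is there as a capability to request. Please change the entry to { 1, (pvalue_t []) { CAP_NET_BIND_SERVICE }, }. A short comment on the entry explaining why CAP_NET_BROADCAST is deliberately left out (restricted capability sets such as Docker's, per the commit message) would also keep someone from adding it back later.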