shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-03 01:17:45 +03:00
Code

resolve: Skip creating stubs if missing CAP_NET_BIND_SERVICE

Browse Source 
If we don't have CAP_NET_BIND_SERVICE, we won't be able to bind
the stub listener socket, so let's skip creating it and log a warning.

We do the same for the extra stubs if they're configured on privileged
ports.

(cherry picked from commit 0398c084ef)
(cherry picked from commit ab877f7072)
This commit is contained in:
Daan De Meyer 2023-01-26 22:20:01 +01:00 committed by Luca Boccassi
parent 5037e0d27b
commit 2a36784277
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/resolve/resolved-dns-stub.c
View File

@ -3,6 +3,7 @@
#include <net/if_arp.h>
#include <netinet/tcp.h>
#include "capability-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "missing_network.h"
@ -1240,6 +1241,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
if (*event_source)
return sd_event_source_get_io_fd(*event_source);
if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
dns_stub_listener_extra_port(l));
return 0;
}
if (l->family == AF_INET)
sa = (union sockaddr_union) {
.in.sin_family = l->family,
@ -1335,6 +1342,8 @@ int manager_dns_stub_start(Manager *m) {
if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
log_debug("Not creating stub listener.");
else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
else {
static const struct {
uint32_t addr;