resolve: Skip creating stubs if missing CAP_NET_BIND_SERVICE

If we don't have CAP_NET_BIND_SERVICE, we won't be able to bind the stub listener socket, so let's skip creating it and log a warning. We do the same for the extra stubs if they're configured on privileged ports. (cherry picked from commit 0398c084efba664e44625d82f2be72e18c952678) (cherry picked from commit ab877f7072728420e49d179bca310a698cf9994c) (cherry picked from commit 2a36784277756c3a5e424efdd671a7a33bc8e128)
2025-03-11 04:58:19 +03:00 · 2023-01-26 22:20:01 +01:00 · 2023-01-26 22:20:01 +01:00 · b5ab57bd6f
commit b5ab57bd6f
parent 92bed29fdd
1 changed files with 9 additions and 0 deletions
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@ -3,6 +3,7 @@
 #include <net/if_arp.h>
 #include <netinet/tcp.h>

+#include "capability-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "missing_network.h"
@ -1240,6 +1241,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
        if (*event_source)
                return sd_event_source_get_io_fd(*event_source);

+        if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
+                log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
+                            dns_stub_listener_extra_port(l));
+                return 0;
+        }
+
        if (l->family == AF_INET)
                sa = (union sockaddr_union) {
                        .in.sin_family = l->family,
@ -1335,6 +1342,8 @@ int manager_dns_stub_start(Manager *m) {

        if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
                log_debug("Not creating stub listener.");
+        else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
+                log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
        else {
                static const struct {
                        uint32_t addr;