author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-01-26 22:20:01 +0100 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2023-01-26 22:29:05 +0100 |
commit | 0398c084efba664e44625d82f2be72e18c952678 (patch) | |
tree | b314deb850bc6a8733c511bb39a5969ac700ccb1 /src | |
parent | 2642d22adc66771bd8bbb4187dc3de5472d04ad6 (diff) | |
resolve: Skip creating stubs if missing CAP_NET_BIND_SERVICE
If we don't have CAP_NET_BIND_SERVICE, we won't be able to bind
the stub listener socket, so let's skip creating it and log a warning.
We do the same for the extra stubs if they're configured on privileged
ports.
Diffstat (limited to 'src')
-rw-r--r-- | src/resolve/resolved-dns-stub.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index facd95aeb8..3a7d6977f6 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -3,6 +3,7 @@
 #include <net/if_arp.h>
 #include <netinet/tcp.h>
 
+#include "capability-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "missing_network.h"
@@ -1237,6 +1238,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
         if (*event_source)
                 return sd_event_source_get_io_fd(*event_source);
 
+        if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
+                log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
+                            dns_stub_listener_extra_port(l));
+                return 0;
+        }
+
         if (l->family == AF_INET)
                 sa = (union sockaddr_union) {
                         .in.sin_family = l->family,
@@ -1332,6 +1339,8 @@ int manager_dns_stub_start(Manager *m) {
 
         if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
                 log_debug("Not creating stub listener.");
+        else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
+                log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
         else {
                 static const struct {
                         uint32_t addr;
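Review bot: The skip path in the manager_dns_stub_fd_extra hunk returns 0 from a function whose other early return hands back a file descriptor (`return sd_event_source_get_io_fd(*event_source)` two lines above), so a caller that uses the result as an fd cannot distinguish "skipped" from fd 0; either return a distinct value such as `-EPERM` after logging, or state in a comment that callers only test the result for `< 0`. The `< 1024` threshold also hard-codes the Linux default of `net.ipv4.ip_unprivileged_port_start`, which an administrator may lower, so this pre-check can refuse a bind that would have succeeded; a comment like `/* Heuristic: assumes the default unprivileged-port start of 1024; the bind() error path stays authoritative. */` would make the limitation explicit. Because `*event_source` is left NULL on this path, the warning will presumably be repeated on every call for the same listener (for instance once per socket `type`) — confirm that is intended or rate-limit it. manager_dns_stub_fd_extra starts before and ends after this hunk.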
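Review bot: The new `else if` in manager_dns_stub_start downgrades a configured stub listener to a warning without telling the administrator what breaks: if resolv.conf is in stub mode it presumably points clients at this listener, so resolution then fails later with a far less obvious error; the message should say so, e.g. `log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53; stub-mode resolv.conf will not work.");` (wording per project style). As with the extra-listener check, testing the effective capability is a heuristic — a lowered `net.ipv4.ip_unprivileged_port_start` would let the bind succeed without it — so a one-line comment noting that the existing bind() error handling remains authoritative is worth adding here. The identical `have_effective_cap(CAP_NET_BIND_SERVICE)` condition now appears in two places; a small `static bool` helper carrying that explanatory comment would keep them in step. The enclosing manager_dns_stub_start body continues past the end of the hunk.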