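/*
 * Copyright (c) 2020, Psiphon Inc.
 * All rights reserved.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package common

import (
	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/errors"
	"github.com/syndtr/gocapability/capability"
)

// configureNetworkConfigSubprocessCapabilities makes CAP_NET_ADMIN available
// to child processes of this process via the Linux ambient capability
// mechanism, so that network config subprocesses such as "ifconfig" and
// "iptables" run with the same CAP_NET_ADMIN this process uses to create tun
// devices.
//
// If this process does not hold CAP_NET_ADMIN in its effective set, the
// function is a no-op and returns nil. Otherwise it adds CAP_NET_ADMIN to the
// inheritable and ambient sets and writes them to the kernel. Errors from
// reading or applying the capability sets are returned wrapped with
// errors.Trace.
func configureNetworkConfigSubprocessCapabilities() error {

	// The ambient mechanism is described here:
	// https://github.com/torvalds/linux/commit/58319057b7847667f0c9585b9de0e8932b0fdb08
	//
	// It is available in Linux kernel 4.3 and later.

	// Named caps rather than cap so the predeclared builtin cap() is not
	// shadowed inside this function.
	caps, err := capability.NewPid(0)
	if err != nil {
		return errors.Trace(err)
	}

	// Nothing to propagate when this process does not itself have
	// CAP_NET_ADMIN; leave the capability sets untouched in that case.
	if !caps.Get(capability.EFFECTIVE, capability.CAP_NET_ADMIN) {
		return nil
	}

	caps.Set(capability.INHERITABLE|capability.AMBIENT, capability.CAP_NET_ADMIN)

	// The kernel only allows a capability to be raised in the ambient set
	// when it is already in both the permitted and inheritable sets
	// (prctl(2), PR_CAP_AMBIENT_RAISE). Set() above only changes the
	// in-memory copy of the inheritable set; applying the AMBIENT kind alone
	// issues the ambient prctl calls without first writing the inheritable
	// set via capset, so the raise can fail with EPERM when CAP_NET_ADMIN
	// was not already inheritable. Applying CAPS (effective, permitted,
	// inheritable) together with AMBIENT writes the inheritable set first.
	// NOTE(review): ordering and kind handling as read from gocapability's
	// Apply — confirm against the vendored library version.
	err = caps.Apply(capability.CAPS | capability.AMBIENT)
	if err != nil {
		return errors.Trace(err)
	}

	return nil
}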