From patchwork Wed Aug 17 03:18:17 2022
X-Patchwork-Submitter: Timo Rothenpieler
X-Patchwork-Id: 2687
Resent-From: Arne Schwabe
Resent-To: patchwork@openvpn.net
Resent-Date: Thu, 18 Aug 2022 13:40:58 +0200
Resent-Message-ID: <3d7ca3ed-befd-9742-840e-dd3f32a9681f@rfc2549.org>
From: Timo Rothenpieler To: openvpn-devel@lists.sourceforge.net Date: Wed, 17 Aug 2022 15:18:17 +0200 Message-Id: <20220817131817.467-1-timo@rothenpieler.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Headers-End: 1oOIwF-0002UZ-Or Subject: [Openvpn-devel] [PATCH] dco: disable DCO if --user specified but unable to retain capabilities X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-Spam-Bar: + X-getmail-retrieved-from-mailbox: Inbox --- src/openvpn/dco.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) Acked-by: Gert Doering diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index caa4ce32..b7db23f4 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -44,6 +44,10 @@ #include "ssl_ncp.h" #include "tun.h" +#ifdef HAVE_LIBCAPNG +#include +#endif + static int dco_install_key(struct tls_multi *multi, struct key_state *ks, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, @@ -247,6 +251,28 @@ dco_check_option_conflict_platform(int msglevel, const struct options *o) } } #endif /* if defined(TARGET_LINUX) */ + +#if defined(HAVE_LIBCAPNG) + /* DCO can't operate without CAP_NET_ADMIN. To retain it when switching user + * we need CAP_SETPCAP. CAP_NET_ADMIN also needs to be part of the permitted set + * of capabilities in order to retain it. + */ + if (o->username) + { + if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) + { + msg(msglevel, "--user specified but lacking CAP_SETPCAP. " + "Cannot retain CAP_NET_ADMIN. Disabling data channel offload"); + return false; + } + if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN)) + { + msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. " + "Disabling data channel offload"); + return false; + } + } +#endif /* if defined(HAVE_LIBCAPNG) */ return true; }
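Review bot: the first hunk guards the new include with `#ifdef HAVE_LIBCAPNG` while the second hunk guards the capability check with `#if defined(HAVE_LIBCAPNG)`; use one form for both blocks so the two pieces of the libcap-ng-dependent code are easy to find together. Note also that in this archived rendering the `#include` line carries no header name after it, so verify that the patch as applied names the intended libcap-ng header.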
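Review bot: the new check in dco_check_option_conflict_platform() exists only when HAVE_LIBCAPNG is defined, so a build without libcap-ng that is started with --user keeps DCO enabled and, per the hunk's own comment ("DCO can't operate without CAP_NET_ADMIN"), will still lose the capability once the user switch happens; either disable DCO on that path too when o->username is set, or state in the commit message that the fallback is libcap-ng-only. The two msg() calls are the right way to make the fallback visible in the log; consider extending them with the remedy (CAP_SETPCAP in the effective set and CAP_NET_ADMIN in the permitted set, or dropping --user) so an operator reading the log can act on it. The commit message has no body beyond the subject line; a sentence explaining why both CAP_SETPCAP and a permitted CAP_NET_ADMIN are required to keep DCO working after --user would help future readers.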