MooseBoys

Dropped Capability Not Removing Permissions

I have built a C++ binary and called setcap cap_net_raw,cap_setpcap+pe on it, granting the NET_RAW and SET_PCAP capabilities. I have verified these capabilities are present in the binary by successfully creating a socket(AF_PACKET, SOCK_RAW, ...). Without calling setcap, the socket function returns a permission error.

For security reasons, I'd like to drop the NET_RAW capability once I've acquired the socket. This is why I also set the SET_PCAP capability, so I can call prctl(PR_CAPBSET_DROP, CAP_NET_RAW, ...). After making this call, prctl(PR_CAPBSET_READ, CAP_NET_RAW, ...) indicates I no longer have the NET_RAW permission. HOWEVER, I can still call socket(..., SOCK_RAW, ...) successfully! Even if I close the existing raw socket, I can later still create a new one.

Is there something else I need to do to remove my process's permissions to create a new raw socket?

Upvotes: 1

Views: 223
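The distinction the question runs into, as an added example that is not part of the original post: per capabilities(7), PR_CAPBSET_DROP edits the bounding set, which limits what a later execve() can grant, while socket() is checked against the thread's effective set, which is changed with capset(). The helper names cap_held and drop_cap are hypothetical, and the raw capget/capset syscalls are used so that libcap is not assumed.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read the calling thread's capability sets (v3 ABI: two 32-bit words each). */
static int read_caps(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2]) {
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0; /* 0 = calling thread; capabilities are per-thread */
    return (int)syscall(SYS_capget, hdr, data);
}

/* 1 if cap is in the effective or permitted set, 0 if in neither, -1 on error. */
int cap_held(int cap) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) != 0) return -1;
    return ((data[CAP_TO_INDEX(cap)].effective |
             data[CAP_TO_INDEX(cap)].permitted) & CAP_TO_MASK(cap)) != 0;
}

/* Clear cap from effective, permitted and inheritable. Removing bits needs no
 * privilege; a bit cleared from permitted cannot be regained without execve(). */
int drop_cap(int cap) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (read_caps(&hdr, data) != 0) return -1;
    data[CAP_TO_INDEX(cap)].effective   &= ~CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].permitted   &= ~CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void) {
    printf("before: held=%d bounding=%d\n", cap_held(CAP_NET_RAW),
           prctl(PR_CAPBSET_READ, CAP_NET_RAW, 0, 0, 0));
    if (drop_cap(CAP_NET_RAW) != 0) { perror("capset"); return 1; }
    printf("after:  held=%d bounding=%d\n", cap_held(CAP_NET_RAW),
           prctl(PR_CAPBSET_READ, CAP_NET_RAW, 0, 0, 0));
    int fd = socket(AF_PACKET, SOCK_RAW, 0); /* checked against the effective set */
    printf("socket(AF_PACKET, SOCK_RAW): %s\n", fd < 0 ? "denied" : "allowed");
    if (fd >= 0) close(fd);
    return fd < 0 ? 0 : 1;
}
```

Run from a binary carrying cap_net_raw+pe, the bounding value stays 1 because nothing touched the bounding set, while held goes to 0 and the second socket() is denied.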

Answers (0)
