On 01/03/2025 09:38, tito wrote:
> couldn't you check if the capability is available?

Why? It is just as problematic as the euid() == 0 test. One could be root without CAP_NET_RAW. One could be non-root with CAP_NET_RAW. One could be constrained by any other kernel-side policy...

Instead, I recommend that you don't assume you cannot (or can) send packets. Try to open (and if you want/need to, connect()) the socket, and if that succeeds, try to send the packets. Should you get EPERM or EACCES back on any of those syscalls, you report that you don't have permission to send RAW packets.

Maybe you will also need to cover more errors than just EPERM and EACCES, but the idea that "don't assume you cannot do it, try and report errors instead" still holds.

You could differentiate socket() and connect() as "cannot create raw socket", and send()/sendto()/write() as "cannot send raw packets", for better user experience.

Please remember to handle EPERM results as "permission denied": Linux can return EPERM for send()/sendto() due to local firewall rules in many cases. socket() may return EPERM in several operating systems (maybe also Linux), etc.

Suggestions:

(for EACCES, EPERM on socket(), connect()):
"cannot open raw socket: permission denied. You might need root or CAP_NET_RAW for this to work"

and (for EPERM, EACCES on sendto()/send()/write()):
"cannot send packet: permission denied. You might need root or CAP_NET_RAW for this to work. Also check local firewall rules"

-- 
Henrique de Moraes Holschuh
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
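An added C example of the try-then-report approach argued for above (my own illustration, not code from busybox or from the mail): it opens an ICMP raw socket, connect()s it, sends one echo request, and maps EPERM/EACCES from each stage to the two suggested messages instead of pre-checking euid or CAP_NET_RAW. The function and enum names, the locally defined ICMP header struct, and the 127.0.0.1 target are all assumptions of this example; it targets Linux, where the send()-stage EPERM can come from local firewall rules.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Verdicts a ping-like tool can report (names are this example's own). */
enum raw_result {
    RAW_OK = 0,
    RAW_NO_SOCKET_PERM,   /* EPERM/EACCES from socket() or connect() */
    RAW_NO_SEND_PERM,     /* EPERM/EACCES from send()/sendto()/write() */
    RAW_OTHER_ERROR       /* anything else: caller should show strerror() */
};

/* socket()/connect() failure -> "cannot open raw socket" class.
   Only EPERM and EACCES are treated as permission problems; other
   errno values may need their own handling, as the mail notes. */
enum raw_result classify_open_error(int err)
{
    return (err == EPERM || err == EACCES) ? RAW_NO_SOCKET_PERM : RAW_OTHER_ERROR;
}

/* send()/sendto()/write() failure -> "cannot send packet" class.
   EPERM belongs here: Linux returns it when a local firewall rule
   rejects the outgoing packet. */
enum raw_result classify_send_error(int err)
{
    return (err == EPERM || err == EACCES) ? RAW_NO_SEND_PERM : RAW_OTHER_ERROR;
}

/* User-facing text, following the wording suggested in the mail. */
const char *raw_result_message(enum raw_result r)
{
    switch (r) {
    case RAW_OK:
        return "packet sent";
    case RAW_NO_SOCKET_PERM:
        return "cannot open raw socket: permission denied. "
               "You might need root or CAP_NET_RAW for this to work";
    case RAW_NO_SEND_PERM:
        return "cannot send packet: permission denied. "
               "You might need root or CAP_NET_RAW for this to work. "
               "Also check local firewall rules";
    default:
        return "unexpected error";
    }
}

/* Minimal ICMPv4 echo header, defined here so the example does not
   depend on the glibc-specific <netinet/ip_icmp.h>. */
struct icmp_echo {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint16_t id;
    uint16_t seq;
};

/* Internet checksum (RFC 1071) over the header; result is in network
   byte order when written back into the same buffer. */
static uint16_t icmp_checksum(const void *buf, size_t len)
{
    const uint16_t *w = buf;
    uint32_t sum = 0;
    for (; len > 1; len -= 2)
        sum += *w++;
    if (len == 1)
        sum += *(const uint8_t *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum += sum >> 16;
    return (uint16_t)~sum;
}

/* Run the whole socket() -> connect() -> send() sequence and classify
   whichever call fails, instead of guessing from uid or capabilities. */
enum raw_result try_send_icmp_echo(const char *dst_ip)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return classify_open_error(errno);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, dst_ip, &sa.sin_addr) != 1) {
        close(fd);
        return RAW_OTHER_ERROR;
    }
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return classify_open_error(err);
    }

    struct icmp_echo req;
    memset(&req, 0, sizeof req);
    req.type = 8;                          /* ICMP echo request */
    req.id = htons((uint16_t)getpid());
    req.seq = htons(1);
    req.checksum = icmp_checksum(&req, sizeof req);

    if (send(fd, &req, sizeof req, 0) < 0) {
        int err = errno;
        close(fd);
        return classify_send_error(err);
    }
    close(fd);
    return RAW_OK;
}

int main(void)
{
    /* Constructed target: one echo request to loopback. */
    enum raw_result r = try_send_icmp_echo("127.0.0.1");
    printf("%s\n", raw_result_message(r));
    return r == RAW_OK ? 0 : 1;
}
```

Run as an unprivileged user without CAP_NET_RAW this prints the "cannot open raw socket" line; with the capability but an outbound firewall rule that rejects ICMP it prints the "cannot send packet" line; only the actual syscall outcome decides, never a uid or capability probe.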
