On Sat, Mar 01, 2025 at 12:11:57PM -0300, Henrique de Moraes Holschuh wrote: > On 01/03/2025 09:38, tito wrote: > > couldn't you check if the capability is available? > > Why? It is just as problematic as the euid() == 0 test. One could be > root without CAP_NET_RAW. One could be non-root with CAP_NET_RAW. One > could be constrained by any other kernel-side policy... > > Instead, I recommend that you don't assume you cannot (or can) send packets. > > Try to open (and if you want/need to, connect()) the socket, and if that > succeeds, try to send the packets. Should you get EPERM or EACCES back > on any of those syscalls, you report that you don't have permission to > send RAW packets. > > Maybe you will also need to cover more errors than just EPERM and > EACCES, but the idea that "don't assume you cannot do it, try and report > errors instead" still holds. > > You could differentiate socket() and connect() as "cannot create raw > socket", and send()/sendto()/write() as "cannot send raw packets", for > better user experience. > > Please remember to handle EPERM results as "permission denied": Linux > can return EPERM for send()/sendto() due to local firewall rules in many > cases. socket() may return EPERM in several operating systems (maybe > also Linux), etc. > > > Suggestions: > > (for EACESS, EPERM on socket(), connect()): > "cannot open raw socket: permission denied. You might need root or > CAP_NET_RAW for this to work". > > and > > (for EPERM, EACCES on sendto()/send()/write()): > "cannot send packet: permission denied. You might need root or > CAP_NET_RAW for this to work. Also check local firewall rules" > > > -- > Henrique de Moraes Holschuh > _______________________________________________ > busybox mailing list > [email protected] > https://lists.busybox.net/mailman/listinfo/busybox I agree with Henrique and Tito.
The kernel should check permissions, as it determines whether the call will succeed. Nadav _______________________________________________ busybox mailing list [email protected] https://lists.busybox.net/mailman/listinfo/busybox
