Improve Linux capabilities check #1270

Merged
merged 3 commits into from
Jan 2, 2022

Member

@DL6ER DL6ER commented Jan 2, 2022

By submitting this pull request, I confirm the following:

  • I have read and understood the contributors guide.
  • I have checked that another pull request for this purpose does not exist.
  • I have considered, and confirmed that this submission will be valuable to others.
  • I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
  • I give this submission freely, and claim no ownership to its content.

How familiar are you with the codebase?:

10

Do not warn about missing capabilities during startup. The embedded dnsmasq does the same but in a better (config-aware) way, i.e. it will not complain about missing CAP_NET_ADMIN when DHCP is not enabled. As its warnings are now much more present in all logs, we don't need to do the check twice.

Further/related changes:

  • The existing checks remain there but are only used in debug mode (DEBUG_CAPS)
  • Check for both E and P flags as we need both for TCP workers
  • Remove check for CAP_IPC_LOCK as we are not using mlock()
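
As an added illustration of checking both the E(ffective) and P(ermitted) flags (this is not code from the pull request or from FTL): the sketch below reads the process's capability sets with `capget(2)` and reports each capability as missing, permitted only, or present in both sets. The capability list and the names `read_capsets` and `classify` are assumptions made for this example; only CAP_NET_ADMIN is named in the text above.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

struct capsets { uint64_t effective, permitted; };

enum cap_state { ST_MISSING, ST_PERMITTED_ONLY, ST_USABLE };

/* Read this process's E and P sets with the raw capget(2) syscall. */
static int read_capsets(struct capsets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->effective = ((uint64_t)data[1].effective << 32) | data[0].effective;
    out->permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* The kernel keeps E a subset of P, so a bit absent from P is simply missing. */
static enum cap_state classify(const struct capsets *s, int cap)
{
    const uint64_t bit = UINT64_C(1) << cap;

    if (!(s->permitted & bit))
        return ST_MISSING;
    return (s->effective & bit) ? ST_USABLE : ST_PERMITTED_ONLY;
}

int main(void)
{
    /* Illustrative list: only CAP_NET_ADMIN is named in the PR text. */
    static const struct { int cap; const char *name; } wanted[] = {
        { CAP_NET_ADMIN, "CAP_NET_ADMIN" },
        { CAP_NET_RAW, "CAP_NET_RAW" },
        { CAP_NET_BIND_SERVICE, "CAP_NET_BIND_SERVICE" },
    };
    static const char *label[] = { "missing", "permitted only", "E+P" };
    struct capsets s;

    if (read_capsets(&s) != 0) { perror("capget"); return 1; }
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        printf("%-22s %s\n", wanted[i].name, label[classify(&s, wanted[i].cap)]);
    return 0;
}
```

A capability reported as "permitted only" can still be raised into the effective set by the process itself, whereas a missing one cannot be gained without a new `execve()` of a suitably privileged binary.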

DL6ER added 3 commits January 2, 2022 14:57
…what the kernel actually checks, P is a limiting superset for the capabilities that could be added to the E and I(nheritable) sets. We need both as TCP workers will be forks.

Signed-off-by: DL6ER <[email protected]>
…nsmasq does the same but config-aware, i.e. it will not complain about missing CAP_NET_ADMIN when DHCP is not used. As its warnings are now much more present in all logs, we don't need to do the check twice. The existing checks remain there but are only used in debug mode (DEBUG_CAPS).

Signed-off-by: DL6ER <[email protected]>
@DL6ER DL6ER merged commit 6621dd1 into development Jan 2, 2022
@DL6ER DL6ER deleted the fix/capabilites_check branch January 2, 2022 14:36
@PromoFaux PromoFaux mentioned this pull request Jan 4, 2022
@pralor-bot

This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-ftl-v5-13-web-v5-10-and-core-v5-8-released/52254/1
