sys_linux: don't keep NET_RAW on new kernels
authorMiroslav Lichvar <mlichvar@redhat.com>
Tue, 15 Sep 2020 09:57:17 +0000 (11:57 +0200)
committerMiroslav Lichvar <mlichvar@redhat.com>
Wed, 16 Sep 2020 09:15:29 +0000 (11:15 +0200)
It seems that CAP_NET_RAW is no longer needed to bind a socket to
a device since Linux 5.7.

sys_linux.c

index af45066d68b94d1427afa3e487b615785e9cdda2..411ceec5eb904724beda2bb99849160ff911a9f0 100644 (file)
@@ -438,12 +438,13 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
   UTI_DropRoot(uid, gid);
 
   /* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound.
-     Keep CAP_NET_RAW if an NTP socket may need to be bound to a device.
+     Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on
+     kernels before 5.7.
      Keep CAP_SYS_TIME if the clock control is enabled. */
   if (snprintf(cap_text, sizeof (cap_text), "%s %s %s",
                CNF_GetNTPPort() ? "cap_net_bind_service=ep" : "",
-               CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface() ?
-                 "cap_net_raw=ep" : "",
+               (CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface()) &&
+                 !SYS_Linux_CheckKernelVersion(5, 7) ? "cap_net_raw=ep" : "",
                clock_control ? "cap_sys_time=ep" : "") >= sizeof (cap_text))
     assert(0);