git.ipfire.org Git - thirdparty/suricata.git/commitdiff
init: Fix dropping privileges in nflog runmode (4534/head)
Author: Timo Sigurdsson <public_timo.s@silentcreek.de>
Mon, 3 Feb 2020 22:17:17 +0000 (23:17 +0100)
Committer: Victor Julien <victor@inliniac.net>
Tue, 11 Feb 2020 09:09:48 +0000 (10:09 +0100)
Using the run-as configuration option with the nflog capture method
results in the following error during the startup of suricata:
[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

This is because SCDropMainThreadCaps does not have any capabilities
defined for the nflog runmode (unlike other runmodes). Therefore, apply
the same capabilities to the nflog runmode that are already defined for
the nfqueue runmode. This has been confirmed to allow suricata to start
and drop its privileges in the nflog runmode.

Fixes redmine issue #3265.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 1262ecbde0c2130f3fd4ca336cd2646828de9391)

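An added check, not part of this commit or of Suricata itself, for confirming what the commit message describes: that a suricata process started with run-as has given up root yet still holds the two capabilities the nflog/nfqueue case keeps, CAP_NET_ADMIN and CAP_SYS_NICE. It parses the text of /proc/<pid>/status; the two status excerpts below are constructed samples, and the capability bit numbers are the kernel's own from linux/capability.h.

```python
import re

# Capability bit numbers from linux/capability.h (stable kernel ABI values).
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_SYS_NICE = 23

# What SCDropMainThreadCaps keeps for RUNMODE_NFLOG / RUNMODE_NFQ after this commit.
NFLOG_REQUIRED = {CAP_NET_ADMIN, CAP_SYS_NICE}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
# CapEff 0x801000 = bit 12 (CAP_NET_ADMIN) | bit 23 (CAP_SYS_NICE).
STATUS_AFTER_FIX = """Name:\tSuricata-Main
Uid:\t114\t114\t114\t114
CapPrm:\t0000000000801000
CapEff:\t0000000000801000
"""
# Before the fix the nflog case kept nothing, so the effective set is empty.
STATUS_BEFORE_FIX = """Name:\tSuricata-Main
Uid:\t114\t114\t114\t114
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
"""


def parse_proc_status(text):
    """Pull the effective uid and the CapPrm/CapEff masks out of a status dump."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|CapPrm|CapEff):\s+(.*)$", line)
        if not m:
            continue
        key, values = m.group(1), m.group(2).split()
        if key == "Uid":
            fields["euid"] = int(values[1])  # order: real, effective, saved, fs
        else:
            fields[key] = int(values[0], 16)  # hex bitmask
    return fields


def caps_in(mask):
    """Expand a capability bitmask into the set of capability bit numbers."""
    return {bit for bit in range(64) if (mask >> bit) & 1}


def check_dropped_privs(text, required=NFLOG_REQUIRED):
    """Return (ok, missing_required_caps, unexpected_extra_caps).

    ok means: not running as root, every required cap is effective,
    and nothing beyond the required set survived the drop."""
    f = parse_proc_status(text)
    effective = caps_in(f["CapEff"])
    missing = required - effective
    extra = effective - required
    return (f["euid"] != 0 and not missing and not extra), missing, extra
```

Run it against the real file with `check_dropped_privs(open(f"/proc/{pid}/status").read())`; an empty `missing` set with a non-root euid is the state the commit message reports as confirmed.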
src/util-privs.c

index 5ce6843eb7d92ad777a6d162689808436fe7cc4d..bed5889b9ad1e70c11d70c145298a4c2bbd9eaab 100644
@@ -74,9 +74,10 @@ void SCDropMainThreadCaps(uint32_t userid, uint32_t groupid)
                     CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
                     -1);
             break;
+        case RUNMODE_NFLOG:
         case RUNMODE_NFQ:
             capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-                    CAP_NET_ADMIN,          /* needed for nfqueue inline mode */
+                    CAP_NET_ADMIN,          /* needed for nflog and nfqueue inline mode */
                     CAP_SYS_NICE,
                     -1);
             break;
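Review bot: the rewritten comment on the CAP_NET_ADMIN line, "needed for nflog and nfqueue inline mode", reads as though nflog also has an inline mode; nflog is a passive capture path, and CAP_NET_ADMIN is needed there because the netfilter netlink configuration that nflog_bind_pf() performs (the call that fails in the commit message) is refused without it. Suggest `/* needed for nflog capture and nfqueue inline mode */` so the two reasons stay distinct. Folding RUNMODE_NFLOG into the RUNMODE_NFQ case is fine while both need exactly CAP_NET_ADMIN and CAP_SYS_NICE, but if either mode later needs a capability the other does not, split them into separate cases rather than widening the shared set. The message says the fix "has been confirmed"; noting how (for example checking CapEff of the running process after run-as takes effect) would make that verifiable for the backport.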