From: Miroslav Lichvar
Date: Tue, 15 Sep 2020 09:57:17 +0000 (+0200)
Subject: sys_linux: don't keep NET_RAW on new kernels
X-Git-Tag: 4.0-pre4~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=349323dec7f2285d7e802605c8f222d488b99cbe;p=thirdparty%2Fchrony.git
sys_linux: don't keep NET_RAW on new kernels
It seems the NET_RAW capability is no longer needed to bind a socket to a device since Linux 5.7.
---
diff --git a/sys_linux.c b/sys_linux.c
index af45066d..411ceec5 100644
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -438,12 +438,13 @@ SYS_Linux_DropRoot(uid_t uid, gid_t gid, int clock_control)
 UTI_DropRoot(uid, gid);
 /* Keep CAP_NET_BIND_SERVICE if the NTP server sockets may need to be bound.
- Keep CAP_NET_RAW if an NTP socket may need to be bound to a device.
+ Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on
+ kernels before 5.7.
 Keep CAP_SYS_TIME if the clock control is enabled. */
 if (snprintf(cap_text, sizeof (cap_text), "%s %s %s",
 CNF_GetNTPPort() ? "cap_net_bind_service=ep" : "",
- CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface() ?
- "cap_net_raw=ep" : "",
+ (CNF_GetBindNtpInterface() || CNF_GetBindAcquisitionInterface()) &&
+ !SYS_Linux_CheckKernelVersion(5, 7) ? "cap_net_raw=ep" : "",
 clock_control ? "cap_sys_time=ep" : "") >= sizeof (cap_text))
 assert(0);
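Review bot: The new `!SYS_Linux_CheckKernelVersion(5, 7)` gate on the `cap_net_raw=ep` line replaces a capability with a version heuristic, so a kernel that reports 5.7 or newer but still rejects the device bind (a vendor kernel, or a socket type the 5.7 change did not cover) will get EPERM on the later bind after root and the capability are irrevocably gone; the bind site, which is outside this hunk, should treat that as a hard error rather than continue with an unbound socket. The helper's semantics are not visible here, so this reading assumes it means "running kernel is at least 5.7" rather than an exact match — worth confirming, since an exact-match helper would keep dropping the capability on 5.8+ only by accident. The comment would serve the next maintainer better if it named the reason and not just the number, e.g. `Keep CAP_NET_RAW if an NTP socket may need to be bound to a device on kernels before 5.7 (presumably the release that stopped requiring it for SO_BINDTODEVICE — confirm and cite the kernel commit).` SYS_Linux_DropRoot begins before and ends after this hunk.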