From: Maximilian Bosch <maximilian@mbosch.me>
Date: Tue, 22 Aug 2023 12:33:07 +0000 (+0200)
Subject: ip-vrf: recommend using CAP_BPF rather than CAP_SYS_ADMIN
X-Git-Tag: v6.5.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df210e83e0fab40209a71c70cd089fc1d66e275e;p=thirdparty%2Fiproute2.git

ip-vrf: recommend using CAP_BPF rather than CAP_SYS_ADMIN

The CAP_SYS_ADMIN capability allows far too much, to quote
`capabilities(7)`:

    Note: this capability is overloaded; see Notes to kernel developers, below.

In the case of `ip-vrf(8)` this is needed to load a BPF program.
According to the same section of the same man-page, using `CAP_BPF` is
preferred if that's the reason for `CAP_SYS_ADMIN`;

    perform  the  same BPF operations as are governed by CAP_BPF (but the latter, weaker capability is preferred for accessing
    that functionality).

Local testing revealed that `ip vrf exec` for an unprivileged user is
sufficient if the `CAP_BPF` capability is given rather than
`CAP_SYS_ADMIN`.

In a previous version of the patch[1] it was mentioned that
CAP_SYS_ADMIN was still required for Linux <5.8, however it was
suggested to not make man-pages dependent on the kernel version. Also,
it was suggested to improve the wording and the formatting of the entire
paragraph mentioning capabilities which was also done.

Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>

[1] https://lore.kernel.org/netdev/e6t4ucjdrcitzneh2imygsaxyb2aasxfn2q2a4zh5yqdx3vold@kutwh5kwixva/T/#m628a1900a7e5012bb87e6cb3c94af6c7281cf2bf

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---

diff --git a/ip/ip.c b/ip/ip.c
index 8424736f2..8c046ef1d 100644
--- a/ip/ip.c
+++ b/ip/ip.c
@@ -175,7 +175,7 @@ int main(int argc, char **argv)
 	 * execv will drop them for the child command.
 	 * vrf exec requires:
 	 * - cap_dac_override to create the cgroup subdir in /sys
-	 * - cap_sys_admin to load the BPF program
+	 * - cap_bpf to load the BPF program
 	 * - cap_net_admin to set the socket into the cgroup
 	 */
 	if (argc < 3 || strcmp(argv[1], "vrf") != 0 ||
diff --git a/man/man8/ip-vrf.8 b/man/man8/ip-vrf.8
index c1c9b958f..946e8f8aa 100644
--- a/man/man8/ip-vrf.8
+++ b/man/man8/ip-vrf.8
@@ -66,14 +66,42 @@ the current shell is associated with another VRF (e.g, Management VRF).
 This command requires the system to be booted with cgroup v2 (e.g. with systemd,
 add systemd.unified_cgroup_hierarchy=1 to the kernel command line).
 
-This command also requires to be ran as root or with the CAP_SYS_ADMIN,
-CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if
-capabilities are added to the ip binary program via setcap, the program will
-drop them as the first thing when invoked, unless the command is vrf exec.
+This command also requires to be run as root. Alternatively it
+can be run by an unprivileged user if the following
+.BR capabilities (7)
+are given:
+
+.RS
+.IP \fBCAP_BPF\fP
+To load the BPF program.
+.IP \fBCAP_NET_ADMIN\fP
+To set the socket into the cgroup.
+.IP \fBCAP_DAC_OVERRIDE\fP
+To create the cgroup subdir in /sys.
+.RE
+
+.IP
+If these capabilities are added and if
+.BR ip (8)
+is built with
+.BR libcap (3)
+then these capabilities will be dropped before
+.BR cmd
+is executed by
+.B ip vrf exec.
+For every other unprivileged invocation of
+.BR ip (8)
+all capabilities will be dropped.
+
 .br
-NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE
+.B NOTE:
+capabilities will
+.B NOT
+be dropped if
+.B CAP_NET_ADMIN
+is set to
+.B INHERITABLE
 to avoid breaking programs with ambient capabilities that call ip.
-Do not set the INHERITABLE flag on the ip binary itself.
 
 .TP
 .B ip vrf identify [PID] - Report VRF association for process