From da0e5dcbbb3b7b118b45f45eea9213ea57ca0b9c Mon Sep 17 00:00:00 2001 From: Timo Sigurdsson Date: Mon, 3 Feb 2020 23:17:17 +0100 Subject: [PATCH] init: Fix dropping privileges in nflog runmode Using the run-as configuration option with the nflog capture method results in the following error during the startup of suricata: [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed This is because SCDropMainThreadCaps does not have any capabilities defined for the nflog runmode (unlike other runmodes). Therefore, apply the same capabilities to the nflog runmode that are already defined for the nfqueue runmode. This has been confirmed to allow suricata start and drop its privileges in the nflog runmode. Fixes redmine issue #3265. Signed-off-by: Timo Sigurdsson (cherry picked from commit 1262ecbde0c2130f3fd4ca336cd2646828de9391) --- src/util-privs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/util-privs.c b/src/util-privs.c index 1689272f16..009709d4a2 100644 --- a/src/util-privs.c +++ b/src/util-privs.c @@ -74,9 +74,10 @@ void SCDropMainThreadCaps(uint32_t userid, uint32_t groupid) CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE, -1); break; + case RUNMODE_NFLOG: case RUNMODE_NFQ: capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, - CAP_NET_ADMIN, /* needed for nfqueue inline mode */ + CAP_NET_ADMIN, /* needed for nflog and nfqueue inline mode */ CAP_SYS_NICE, -1); break; -- 2.47.2
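Review bot: in the src/util-privs.c hunk the rewritten comment "needed for nflog and nfqueue inline mode" reads as if nflog had an inline mode; nflog is a passive copy-to-userspace path, so word the two needs separately, e.g. `CAP_NET_ADMIN, /* needed for nflog, and for nfqueue inline mode */`. The shared case body itself is fine: `case RUNMODE_NFLOG:` sits directly above `case RUNMODE_NFQ:` with no statements between the labels, so no fallthrough annotation is needed, and CAP_NET_ADMIN is the capability the kernel checks on nfnetlink requests, which is consistent with the nflog_bind_pf() failure the commit message reports; CAP_NET_RAW, which the preceding case keeps for its own capture method, is not required for nflog and is correctly left out here.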