Revert "main: refuse to run under file capabilities"

This reverts commit badb2474ca8bd6427255cf0a9886cdca49a5c3b7.

The new iptables 1.8.12 release is broken on docker, pinpointed to the
getauxval() change that apparently can be nonzero in presence of LSMs.

That makes getauxval() useless for the purpose of detecting a setcap
binary.  As nftables contains a change just like iptables, it is safe to
assume nftables is broken as well.

So revert this.

Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1830
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/main.c b/src/main.c
index af49bec62b64bafb47a73ac42dcd367e55f1851d..29b0533dee7c9325cda78654d1a210f26f8aea24 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -17,7 +17,6 @@
 #include <getopt.h>
 #include <fcntl.h>
 #include <sys/types.h>
-#include <sys/auxv.h>
 
 #include <nftables/libnftables.h>
 #include <utils.h>
@@ -372,8 +371,8 @@ int main(int argc, char * const *argv)
        char *filename = NULL;
        unsigned int len;
 
-       /* nftables cannot be used with setuid/setcap in a safe way. */
-       if (getuid() != geteuid() || getauxval(AT_SECURE))
+       /* nftables cannot be used with setuid in a safe way. */
+       if (getuid() != geteuid())
                _exit(111);
 
        if (!nft_options_check(argc, argv))