8

I'm trying to write a tun/tap program in Rust. Since I don't want it to run as root I've added CAP_NET_ADMIN to the binary's capabilities:

$sudo setcap cap_net_admin=eip target/release/tunnel
$getcap target/release/tunnel
target/release/tunnel = cap_net_admin+eip

However, this is not working. Everything I've read says that this is the only capability required to create tuns, but the program gets an EPERM on the ioctl. In strace, I see this error:

openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_CLOEXEC) = 3
fcntl(3, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
ioctl(3, TUNSETIFF, 0x7ffcdac7c7c0)     = -1 EPERM (Operation not permitted)

I've verified that the binary runs successfully with full root permissions, but I don't want this to require sudo to run. Why is CAP_NET_ADMIN not sufficient here?

For reference, I'm on Linux version 4.15.0-45 there are only a few ways I see that this ioctl can return EPERM in the kernel (https://elixir.bootlin.com/linux/v4.15/source/drivers/net/tun.c#L2194) and at least one of them seems to be satisfied. I'm not sure how to probe the others:

if (!capable(CAP_NET_ADMIN))
    return -EPERM;
...
if (tun_not_capable(tun))
    return -EPERM;
...
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
    return -EPERM;
Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
Teague Lasser
  • 83
  • 1
  • 4
  • if [that](https://unix.stackexchange.com/a/506774/308316)'s not it, please complete your question with the exact parameters you're passing to `ioctl(TUNSETIFF)` via the `ifreq` struct. –  Mar 17 '19 at 07:13

3 Answers3

5

I guess that the filesystem your target/release/tunnel binary resides on is mounted with the nosuid option. That will also affect file capabilities, not just the setuid bit.

Also, you won't be able to strace a set-capabilities or setuid binary as you do -- the kernel will ignore the file capabilities when calling execve() from a ptraced process:

$ getcap tapy
tapy = cap_net_admin+eip
$ ./tapy
tapy: {tap1}
^C
$ strace -e trace=ioctl ./tapy
ioctl(3, TUNSETIFF, 0x7ffdc5b2fef0)     = -1 EPERM (Operation not permitted)
tapy: ioctl TUNSETIFF: Operation not permitted
+++ exited with 1 +++
2

I experienced the same issue when writing a Rust program that spawns a tunctl process for creating and managing TUN/TAP interfaces.

For instance:

let tunctl_status = Command::new("tunctl")
            .args(&["-u", "user", "-t", "tap0"])
            .stdout(Stdio::null())
            .status()?;

failed with:

$ ./target/debug/nio
TUNSETIFF: Operation not permitted
tunctl failed to create tap network device.

even though the NET_ADMIN file capability was set:

$ sudo setcap cap_net_admin=+ep ./target/debug/nio
$ getcap ./target/debug/nio                       
./target/debug/nio cap_net_admin=ep

The manual states:

Because inheritable capabilities are not generally preserved across execve(2) when running as a non-root user, applications that wish to run helper programs with elevated capabilities should consider using ambient capabilities, described below.

To cover the case of execve() system calls, I used ambient capabilities.

Ambient (since Linux 4.3) This is a set of capabilities that are preserved across an execve(2) of a program that is not privileged. The ambient capability set obeys the invariant that no capability can ever be ambient if it is not both permitted and inheritable.

Example solution: For convenience, I use the caps-rs library.

// Check if `NET_ADMIN` is in permitted set.
let perm_net_admin = caps::has_cap(None, CapSet::Permitted, Capability::CAP_NET_ADMIN);
match perm_net_admin {
    Ok(is_in_perm) => {
        if !is_in_perm {
            eprintln!("Error: The capability 'NET_ADMIN' is not in the permitted set!");
            std::process::exit(1)
        }
    }
    Err(e) => {
        eprintln!("Error: {:?}", e);
        std::process::exit(1)
    }
}


// Note: The ambient capability set obeys the invariant that no capability can ever be ambient if it is not both permitted and inheritable.
caps::raise(
    None,
    caps::CapSet::Inheritable,
    caps::Capability::CAP_NET_ADMIN,
)
.unwrap_or_else(fail_due_to_caps_err);

caps::raise(None, caps::CapSet::Ambient, caps::Capability::CAP_NET_ADMIN)
    .unwrap_or_else(fail_due_to_caps_err);

Finally, setting the NET_ADMIN file capability suffices:

$ sudo setcap cap_net_admin=+ep ./target/debug/nio
Matthias A. Eckhart
  • 136
  • 5
0

While CAP_NET_ADMIN gives you permission to modify network configurations such as iptables, interfaces etc. for actual tapping and net i/o read you'll have to add the CAP_NET_RAW capability in addition to CAP_NET_ADMIN.

Together, they will grant you the ability you are seeking.

Fco Javier Balón
  • 1,144
  • 2
  • 11
  • 31
dalimama
  • 101
  • 2