From 5c383bdf5d196447b416068e441d36e1ef69f407 Mon Sep 17 00:00:00 2001 From: Maisem Ali Date: Wed, 18 Aug 2021 11:44:35 -0700 Subject: [PATCH] wgengine/router: pass in AmbientCaps when calling `ip rule` Signed-off-by: Maisem Ali --- wgengine/router/router_linux.go | 6 +++++- wgengine/router/runner.go | 22 ++++++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go index 1699eb423..279d8c93b 100644 --- a/wgengine/router/router_linux.go +++ b/wgengine/router/router_linux.go @@ -155,7 +155,11 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, linkMon *monitor.Mo } } - return newUserspaceRouterAdvanced(logf, tunname, linkMon, ipt4, ipt6, osCommandRunner{}, supportsV6, supportsV6NAT) + cmd := osCommandRunner{ + ambientCapNetAdmin: distro.Get() == distro.Synology, + } + + return newUserspaceRouterAdvanced(logf, tunname, linkMon, ipt4, ipt6, cmd, supportsV6, supportsV6NAT) } func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, linkMon *monitor.Mon, netfilter4, netfilter6 netfilterRunner, cmd commandRunner, supportsV6, supportsV6NAT bool) (Router, error) { diff --git a/wgengine/router/runner.go b/wgengine/router/runner.go index d3be49070..1d1f44af3 100644 --- a/wgengine/router/runner.go +++ b/wgengine/router/runner.go @@ -13,6 +13,9 @@ import ( "os/exec" "strconv" "strings" + "syscall" + + "golang.org/x/sys/unix" ) // commandRunner abstracts helpers to run OS commands. It exists @@ -23,7 +26,16 @@ type commandRunner interface { output(...string) ([]byte, error) } -type osCommandRunner struct{} +type osCommandRunner struct { + // ambientCapNetAdmin determines whether commands are executed with + // CAP_NET_ADMIN. + // CAP_NET_ADMIN is required when running as non-root and executing cmds + // like `ip rule`. Even if our process has the capability, we need to + // explicitly grant it to the new process. + // We specifically need this for Synology DSM7 where tailscaled no longer + // runs as root. + ambientCapNetAdmin bool +} // errCode extracts and returns the process exit code from err, or // zero if err is nil. @@ -55,7 +67,13 @@ func (o osCommandRunner) output(args ...string) ([]byte, error) { return nil, errors.New("cmd: no argv[0]") } - out, err := exec.Command(args[0], args[1:]...).CombinedOutput() + cmd := exec.Command(args[0], args[1:]...) + if o.ambientCapNetAdmin { + cmd.SysProcAttr = &syscall.SysProcAttr{ + AmbientCaps: []uintptr{unix.CAP_NET_ADMIN}, + } + } + out, err := cmd.CombinedOutput() if err != nil { return nil, fmt.Errorf("running %q failed: %w\n%s", strings.Join(args, " "), err, out) }