TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-12 05:37:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine/router: pass in AmbientCaps when calling ip rule

Browse Source 
Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali
2021-08-18 11:44:35 -07:00
committed by Maisem Ali
parent 56db3e2548
commit 5c383bdf5d
2 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
wgengine/router/router_linux.go
View File

@@ -155,7 +155,11 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, linkMon *monitor.Mo
} }
} }
return newUserspaceRouterAdvanced(logf, tunname, linkMon, ipt4, ipt6, osCommandRunner{}, supportsV6, supportsV6NAT) cmd := osCommandRunner{
ambientCapNetAdmin: distro.Get() == distro.Synology,
}
return newUserspaceRouterAdvanced(logf, tunname, linkMon, ipt4, ipt6, cmd, supportsV6, supportsV6NAT)
} }
func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, linkMon *monitor.Mon, netfilter4, netfilter6 netfilterRunner, cmd commandRunner, supportsV6, supportsV6NAT bool) (Router, error) { func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, linkMon *monitor.Mon, netfilter4, netfilter6 netfilterRunner, cmd commandRunner, supportsV6, supportsV6NAT bool) (Router, error) {

22
wgengine/router/runner.go
View File

@@ -13,6 +13,9 @@ import (
"os/exec" "os/exec"
"strconv" "strconv"
"strings" "strings"
"syscall"
"golang.org/x/sys/unix"
) )
// commandRunner abstracts helpers to run OS commands. It exists // commandRunner abstracts helpers to run OS commands. It exists
@@ -23,7 +26,16 @@ type commandRunner interface {
output(...string) ([]byte, error) output(...string) ([]byte, error)
} }
type osCommandRunner struct{} type osCommandRunner struct {
// ambientCapNetAdmin determines whether commands are executed with
// CAP_NET_ADMIN.
// CAP_NET_ADMIN is required when running as non-root and executing cmds
// like `ip rule`. Even if our process has the capability, we need to
// explicitly grant it to the new process.
// We specifically need this for Synology DSM7 where tailscaled no longer
// runs as root.
ambientCapNetAdmin bool
}
// errCode extracts and returns the process exit code from err, or // errCode extracts and returns the process exit code from err, or
// zero if err is nil. // zero if err is nil.
@@ -55,7 +67,13 @@ func (o osCommandRunner) output(args ...string) ([]byte, error) {
return nil, errors.New("cmd: no argv[0]") return nil, errors.New("cmd: no argv[0]")
} }
out, err := exec.Command(args[0], args[1:]...).CombinedOutput() cmd := exec.Command(args[0], args[1:]...)
if o.ambientCapNetAdmin {
cmd.SysProcAttr = &syscall.SysProcAttr{
AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
}
}
out, err := cmd.CombinedOutput()
if err != nil { if err != nil {
return nil, fmt.Errorf("running %q failed: %w\n%s", strings.Join(args, " "), err, out) return nil, fmt.Errorf("running %q failed: %w\n%s", strings.Join(args, " "), err, out)
} }