mptcp.service systemd unit file does not grant CAP_NET_ADMIN capability #28
Description
Describe the bug
The multipath-tcp.org kernel's "netlink" path manager requires processes that invoke commands over its generic netlink API to have the CAP_NET_ADMIN capability. However, the mptcpd mptcp.service file doesn't explicitly grant that capability since it runs mptcpd under an unprivileged dynamically created user (DynamicUser=yes), resulting in mptcpd being in incapable of successfully issuing path management commands to the kernel.
To Reproduce
Steps to reproduce the behavior:
Server
- Set up a host, such as a virtual machine, as an MPTCP server with multiple network interfaces. Make sure the multipath-tcp.org kernel is built with the
mptcp_netlinkpath manager enabled. - Build and install mptcpd (e.g.
./configure; make; sudo make install) sudo systemctl daemon-reloadsudo systemctl restart mptcp- Execute an MPTCP capable process that listens for connections.
Client
- Set up a host, such as a virtual machine, as an MPTCP client. Make sure the kernel is built with MPTCP support enabled.
- Execute an MPTCP capable process that establishes a connection with the process listening for connection on the server host.
Server
The server host's log will show "operation not permitted" errors from mptcpd. The errors occur because the mptcpd process doesn't have the CAP_NET_ADMIN capability needed for sending MPTCP generic netlink API commands to the kernel. See the Screenshots section below for a system journal excerpt showing the errors.
Expected behavior
MPTCP generic netlink API commands emanating from a mptcpd process started by systemd should not be rejected due to lack of privileges.
Screenshots
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Jun 06 10:18:03 vm-server mptcpd[20672]: Path manager command error: Operation not permitted
Desktop (please complete the following information):
- Linux Kernel: 4.19 (multipath-tcp.org kernel built for an Ubuntu system)
- Compiler: 8.3.0
Additional context
The mptcp.service unit file explicitly avoids starting mptcpd as the root user by setting DynamicUser=yes to minimize security risks.