init: Fix dropping privileges in nflog runmode

Using the run-as configuration option with the nflog capture method results in the following error during the startup of suricata: [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed This is because SCDropMainThreadCaps does not have any capabilities defined for the nflog runmode (unlike other runmodes). Therefore, apply the same capabilities to the nflog runmode that are already defined for the nfqueue runmode. This has been confirmed to allow suricata start and drop its privileges in the nflog runmode. Fixes redmine issue OISF#3265. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
jlucovsky · Feb 7, 2020 · 1262ecb · 1262ecb
1 parent 7810f22
commit 1262ecb
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/util-privs.c b/src/util-privs.c
@@ -74,9 +74,10 @@ void SCDropMainThreadCaps(uint32_t userid, uint32_t groupid)
                     CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
                     -1);
             break;
+        case RUNMODE_NFLOG:
         case RUNMODE_NFQ:
             capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-                    CAP_NET_ADMIN,          /* needed for nfqueue inline mode */
+                    CAP_NET_ADMIN,          /* needed for nflog and nfqueue inline mode */
                     CAP_SYS_NICE,
                     -1);
             break;