On Fri, 11 May 2018 13:39:56 +0100 Luca Boccassi <bl...@debian.org> wrote:
> Users have reported a regression due to ip now dropping capabilities
> unconditionally.
> zerotier-one VPN and VirtualBox use ambient capabilities in their
> binary and then fork out to ip to set routes and links, and this
> does not work anymore.
>
> As a workaround, do not drop caps if CAP_NET_ADMIN (the most common
> capability used by ip) is set with the INHERITABLE flag.
> Users that want ip vrf exec to work do not need to set INHERITABLE,
> which will then only be set when the calling program had privileges to
> give itself the ambient capability.
>
> Fixes: ba2fc55b99f8 ("Drop capabilities if not running ip exec vrf with
> libcap")
>
> Signed-off-by: Luca Boccassi <bl...@debian.org>

Applied
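The rule the patch describes, as an added example that is not part of the iproute2 change or of this thread: a small C program that reads the process's inheritable capability mask from /proc/self/status (rather than through libcap) and keeps capabilities when CAP_NET_ADMIN is inheritable. The CAP_NET_ADMIN bit value and the status-file parsing are this example's own assumptions.

```c
/* Added example, not iproute2 code: decide whether to drop capabilities
 * with the rule from the patch text, i.e. keep them only when CAP_NET_ADMIN
 * is present in the INHERITABLE set. Reads CapInh from /proc/self/status
 * so it needs only libc (assumption: Linux, 64-bit capability masks). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN 12  /* bit index as defined in linux/capability.h */

/* Parse the hex mask after a "CapXxx:" label in one status-file line.
 * Returns 1 and stores the mask on success, 0 if the label does not match. */
static int parse_cap_line(const char *line, const char *label, uint64_t *mask)
{
    size_t n = strlen(label);
    if (strncmp(line, label, n) != 0)
        return 0;
    const char *p = line + n;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);  /* stops at '\n' */
    if (end == p)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* Scan a whole status text (constructed or read from /proc) for CapInh. */
static uint64_t cap_inh_from_status(const char *status_text)
{
    uint64_t mask = 0;
    for (const char *line = status_text; line && *line; ) {
        if (parse_cap_line(line, "CapInh:", &mask))
            return mask;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;  /* no CapInh line: nothing is inheritable */
}

/* The patch's rule: drop caps unless CAP_NET_ADMIN is inheritable. */
static int should_drop_caps(uint64_t cap_inh)
{
    return (cap_inh & (1ULL << CAP_NET_ADMIN)) == 0;
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    uint64_t inh = cap_inh_from_status(buf);
    printf("CapInh=%016llx -> %s caps\n", (unsigned long long)inh,
           should_drop_caps(inh) ? "drop" : "keep");
    return 0;
}
```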