On 30/03/2022 22:55, Timo Rothenpieler wrote:
Since I worked closely with Timo on this patch version, I don't feel I should give it an ACK verdict alone. But I believe this is the right patch to include.

> ---
> Using libcap-ng now
>
>  configure.ac                              | 19 +++++
>  distro/systemd/openvpn-cli...@.service.in |  2 +-
>  distro/systemd/openvpn-ser...@.service.in |  2 +-
>  src/openvpn/init.c                        | 25 ++++++-
>  src/openvpn/platform.c                    | 91 +++++++++++++++++++++++
>  src/openvpn/platform.h                    |  5 ++
>  6 files changed, 140 insertions(+), 4 deletions(-)
I will just suggest a commit message:

----------------------------------------------
platform: Retain CAP_NET_ADMIN when dropping privileges

On Linux, when dropping privileges, interaction with the network configuration, such as tearing down routes or ovpn-dco interfaces, will fail when --user/--group are used.

This patch set sets the CAP_NET_ADMIN capability, which grants the needed privileges during the lifetime of the OpenVPN process when dropping root privileges.

Signed-off-by: Timo Rothenpieler <t...@rothenpieler.org>
Reviewed-By: David Sommerseth <dav...@openvpn.net>
----------------------------------------------

I have otherwise tested this patch on a Rocky Linux 8 distribution. Client test cases I ran when testing this were:

* from the command line, with and without DCO
* via systemd, with and without DCO

With these 4 test cases, each of them was run with combinations of

* no --user/--group
* only --user
* only --group
* both --user and --group

I've also run a few tests using an --up script which modified /etc/resolv.conf, which also worked as expected with capabilities enabled.
There was no unexpected behavior with this final patch set, with one special exception which is outside the scope of this patch - SELinux.
SELinux on Fedora and RHEL (which Rocky Linux inherits) denies the OpenVPN process when run via systemd to use the SET_PCAP capability. In addition, the SELinux reference policy also denies all interactions with the Generic Netlink interfaces used by ovpn-dco. I will follow up this with the upstream SELinux reference policy maintainers.
Package maintainers needing SELinux can in the meantime, until an updated SELinux policy is available, provide an additional SELinux module which grants the needed privileges to openvpn_t labelled processes.
--
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
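The review above describes the end state the patch is meant to produce: an OpenVPN process that has switched to the --user/--group identity but still holds CAP_NET_ADMIN, and nothing more. The following script is an added example written for this page (it is not part of the OpenVPN patch or of the mailing-list thread) showing how a tester would confirm that state after the fact. It decodes the `CapInh`/`CapPrm`/`CapEff`/`CapBnd`/`CapAmb` bitmask lines that the Linux kernel writes to `/proc/<pid>/status` (the same data `capsh --decode` prints) using the capability numbering from `<linux/capability.h>`, and reports whether the process dropped root, whether CAP_NET_ADMIN survived in the effective and permitted sets, and whether any other capability was left behind. The two embedded status snippets are constructed samples: one for the post-patch state with only CAP_NET_ADMIN retained, one for the pre-patch state where every capability was dropped (which is why route teardown and the ovpn-dco netlink calls failed).

```python
#!/usr/bin/env python3
"""Audit which Linux capabilities a daemon kept after dropping privileges.

Added example for this page, not code from the OpenVPN project. It parses the
Cap* lines of /proc/<pid>/status and checks the outcome the CAP_NET_ADMIN
patch aims for: unprivileged uid, CAP_NET_ADMIN retained, nothing else.
"""
import re
from typing import Dict, List

# Capability numbers as defined in <linux/capability.h>; list index == number.
CAP_NAMES: List[str] = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_NET_ADMIN = CAP_NAMES.index("net_admin")  # capability number 12

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)
_UID_LINE = re.compile(r"^Uid:\s*(\d+)\s+(\d+)", re.M)


def parse_cap_masks(status_text: str) -> Dict[str, int]:
    """Return the five capability sets from a /proc/<pid>/status text as ints."""
    masks = {name: int(hexval, 16) for name, hexval in _CAP_LINE.findall(status_text)}
    missing = {"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"} - masks.keys()
    if missing:
        raise ValueError(f"status text lacks {sorted(missing)}")
    return masks


def decode_mask(mask: int) -> List[str]:
    """Expand a capability bitmask into cap_* names, lowest bit first."""
    names: List[str] = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(("cap_" + CAP_NAMES[bit]) if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def effective_uid(status_text: str) -> int:
    """Second field of the Uid line is the effective uid."""
    match = _UID_LINE.search(status_text)
    if not match:
        raise ValueError("status text lacks a Uid line")
    return int(match.group(2))


def audit_privilege_drop(status_text: str) -> Dict[str, object]:
    """Summarise the privilege drop; 'minimal' is the state the patch targets."""
    masks = parse_cap_masks(status_text)
    uid = effective_uid(status_text)
    net_admin_bit = 1 << CAP_NET_ADMIN
    extra = [c for c in decode_mask(masks["CapEff"]) if c != "cap_net_admin"]
    return {
        "euid": uid,
        "dropped_root": uid != 0,
        "net_admin_effective": bool(masks["CapEff"] & net_admin_bit),
        "net_admin_permitted": bool(masks["CapPrm"] & net_admin_bit),
        "net_admin_bounding": bool(masks["CapBnd"] & net_admin_bit),
        "extra_effective_caps": extra,
        "minimal": uid != 0
        and masks["CapEff"] == net_admin_bit
        and masks["CapPrm"] == net_admin_bit,
    }


def audit_pid(pid: int) -> Dict[str, object]:
    """Audit a live process (Linux only; needs read access to its status file)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return audit_privilege_drop(fh.read())


# Constructed sample: expected status of openvpn started as root with
# --user nobody --group nobody once CAP_NET_ADMIN is retained.
SAMPLE_AFTER_DROP = """\
Name:\topenvpn
Pid:\t4242
Uid:\t65534\t65534\t65534\t65534
Gid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000000000001000
CapAmb:\t0000000000000000
"""

# Constructed sample: the pre-patch outcome, every capability gone, so later
# network reconfiguration as the unprivileged user fails.
SAMPLE_NO_CAPS = SAMPLE_AFTER_DROP.replace("0000000000001000", "0000000000000000")

if __name__ == "__main__":
    import sys
    report = audit_pid(int(sys.argv[1])) if len(sys.argv) > 1 else audit_privilege_drop(SAMPLE_AFTER_DROP)
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

Run it with the pid of a running openvpn process to audit that process, or with no argument to see the report for the constructed post-patch sample. The `extra_effective_caps` list is the item worth watching in a real deployment: a non-empty list means the privilege drop kept more than the one capability the patch intends, and `net_admin_bounding` being false after a restart of the systemd unit points at the unit's capability bounding set rather than at the OpenVPN code.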