Bug #3873
openNET_RAW capability dropped for NFQ mode when uid/gid is specified
Description
When using suricata with any uid/gid specified and nfq mode, the following code is run. As a result, NET_RAW capability is dropped.
https://github.com/OISF/suricata/blob/fa2b46cdc3f539a31e917c3b63ede70309bcc0b0/src/util-privs.c#L78
However, when a reject rule is executed, libnet_init gets called via below code path and fails the worker thread.
https://github.com/OISF/suricata/blob/ac491c6e8daf9a982e4ff6de743de916646a4b16/src/respond-reject-libnet11.c#L109
Please add NET_RAW to the capabilities for NFQ mode as well if libnet is to be used.
Log snippet:
2020-08-10T14:14:22.841972792Z [112] 10/8/2020 -- 14:14:22 - (respond-reject-libnet11.c:101) <Error> (RejectSendLibnet11L3IPv4TCP) -- [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed: libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted
2020-08-10T14:14:22.841979391Z
2020-08-10T14:14:22.841983169Z [109] 10/8/2020 -- 14:14:22 - (tm-threads.c:2087) <Error> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread W-NFQ#0 failed
Updated by Philippe Antoine about 1 year ago
- Assignee set to Community Ticket
- Label Hardening added
Updated by Philippe Antoine about 1 month ago
- Status changed from New to Feedback
Is this still a problem in 8 ?
Updated by Philippe Antoine about 1 month ago
- Status changed from Feedback to New
- Affected Versions 8.0.0 added
- Affected Versions deleted (
5.0.3)
I guess it is still a problem
I do not think the problem is restricted to NFQ, but rather to the use of reject rules+libnet with a source where we do not keep NET_RAW