Monday, June 1, 2015

Filesystem capabilities, kernel configuration, ping and Operation not supported

If you happen to be building your own Linux kernel for some embedded target and are eager to trim down unneeded features and you have been living under a rock (like I had been, until recently), you might end up being surprised by:
usr@host:~$ ping
ping: icmp open socket: Operation not permitted
It turns out that while ping used to be suid root to be able to do its raw socket magic, this has not been the case for quite some time. File capabilities are what is used nowadays. This allows for more fine-grained control over what the binary is allowed to do. And most likely you have this set up on your desktop:
user@host:~$ sudo getcap /bin/ping
[sudo] password for user:
/bin/ping = cap_net_raw+ep
This is cool. But if you compile the kernel yourself there are some options that you need to enable for file system capabilities to work. These turn out to be:
  • extended attributes (e.g. CONFIG_EXT2_FS_XATTRCONFIG_EXT3_FS_XATTR; ext4 as of 4.1.0-rc5 probably has extended attributes always enabled as there's no such option)
The "extended attributes" was the easy part. But it was not obvious to me that I need to enable "Ext4 Security Labels".
In case you were running a system w/o support for filesystem capabilities and want to fix ping after you rebuilt the kernel with capabilities, this is what you want:
sudo setcap cap_net_raw+ep /bin/ping
Most likely obvious, but figuring out what I need to enable in the kernel took me some time. Maybe it helps someone.

P.S. The debian package that contains the setcap and getcap binaries is libcap2-bin.

No comments:

Post a Comment