This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.



setsockopt fails in glibc/resolv/res_send.c/reopen


Hi All,

I am adding the following to reopen() in res_send.c (ver 2.24) to bind the
device to a VRF; however, setsockopt fails with -1 (EPERM). I am not sure why
setsockopt returns the error "Operation not permitted".

Ping is run as root; I would appreciate any help.

setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "mgmt\0", 5) = -1 EPERM
(Operation not permitted)

diffs
====
Index: git/resolv/res_send.c
===================================================================
--- git.orig/resolv/res_send.c  2019-01-02 14:48:48.039711299 -0800
+++ git/resolv/res_send.c       2019-01-02 14:52:42.518445187 -0800
@@ -118,6 +118,8 @@

 /* From ev_streams.c.  */

+char vrf_name[16];
+
 static inline void
 __attribute ((always_inline))
 evConsIovec(void *buf, size_t cnt, struct iovec *vec) {
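Review bot: `vrf_name` is defined at file scope with external linkage and no `const`, so every thread that reaches reopen() rewrites the same shared buffer through the memset/strncpy added in the `@@ -1003` hunk. Because the value is a fixed string, `static const char vrf_name[] = "mgmt";` would keep the name private to this translation unit and remove the need for the runtime copy. If the name is meant to become configurable later, it would be better carried in the resolver state than in a global.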
@@ -982,6 +984,7 @@
 static int
 reopen (res_state statp, int *terrno, int ns)
 {
+       int rc=0;
        if (EXT(statp).nssocks[ns] == -1) {
                struct sockaddr *nsap = get_nsaddr (statp, ns);
                socklen_t slen;
@@ -1003,6 +1006,18 @@
                        Perror(statp, stderr, "socket(dg)", errno);
                        return (-1);
                }
+               if (setuid(geteuid())) {
+                       Perror(statp, stderr, "setuid)", errno);
+                               //return -1;
+                       }
+
+                memset(vrf_name, 0, sizeof(vrf_name));
+                strncpy(vrf_name, "mgmt", 5);
+                rc = setsockopt(EXT(statp).nssocks[ns], SOL_SOCKET,
SO_BINDTODEVICE, vrf_name, (sizeof(vrf_name) + 1));
+                if(rc <0) {
+                        printf("Mukul setsockopt failed rc %d,
%s/%s/%d\n", rc, __FILE__, __FUNCTION__, __LINE__);
+                }
+

                /*
                 * On a 4.3BSD+ machine (client and server,
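Review bot: The `setuid(geteuid())` call added after the `socket(dg)` error check changes process credentials from inside resolver library code and ignores failure (`//return -1;`), and in a privileged set-user-ID program it can set the real and saved UIDs too, so the `setuid(getuid())` added in the `@@ -1020` hunk would not restore the caller's identity. Neither call touches the effective capability set, which the strace in this message shows ping clearing with `capset` before the lookup; SO_BINDTODEVICE is presumably checked against CAP_NET_RAW there, which would account for the EPERM, so both setuid blocks look removable. The option length `(sizeof(vrf_name) + 1)` is one byte more than the 16-byte buffer holds; use `strlen(vrf_name) + 1`. Report the failure with `Perror(statp, stderr, "setsockopt(SO_BINDTODEVICE)", errno);` instead of `printf`, since a library should not write to the caller's stdout, and note that reopen's body starts and ends outside this hunk.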
@@ -1020,6 +1035,10 @@
                        __res_iclose(statp, false);
                        return (0);
                }
+               if (setuid(getuid())) {
+                       Perror(statp, stderr, "setuid)", errno);
+                               //return -1;
+                       }
        }

        return 1;
strace
=====


root@CLX3001:~# strace ping -I mgmt bamboo
execve("/bin/ping", ["ping", "-I", "mgmt", "bamboo"], [/* 17 vars */]) = 0
brk(NULL)                               = 0x61d000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f4efbab3000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18964, ...}) = 0
mmap(NULL, 18964, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4efbaae000
close(3)                                = 0
open("/lib/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\31\340\220>\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=25648, ...}) = 0
mmap(0x3e90e00000, 2118232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x3e90e00000
mprotect(0x3e90e04000, 2097152, PROT_NONE) = 0
mmap(0x3e91004000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x3e91004000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\3\242\220>\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1690488, ...}) = 0
mmap(0x3e90a00000, 3791264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x3e90a00000
mprotect(0x3e90b94000, 2097152, PROT_NONE) = 0
mmap(0x3e90d94000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x194000) = 0x3e90d94000
mmap(0x3e90d9a000, 14752, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3e90d9a000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f4efbaac000
arch_prctl(ARCH_SET_FS, 0x7f4efbaac700) = 0
mprotect(0x608000, 4096, PROT_READ)     = 0
mprotect(0x3e91004000, 4096, PROT_READ) = 0
mprotect(0x3e90d94000, 16384, PROT_READ) = 0
mprotect(0x3e90822000, 4096, PROT_READ) = 0
munmap(0x7f4efbaae000, 18964)           = 0
brk(NULL)                               = 0x61d000
brk(0x63e000)                           = 0x63e000
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0},
{1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ,
1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ,
0}) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0,
1<<CAP_NET_ADMIN|1<<CAP_NET_RAW, 0}) = 0
prctl(PR_SET_KEEPCAPS, 1)               = 0
getuid()                                = 0
setuid(0)                               = 0
prctl(PR_SET_KEEPCAPS, 0)               = 0
getuid()                                = 0
geteuid()                               = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {0,
1<<CAP_NET_ADMIN|1<<CAP_NET_RAW, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {1<<CAP_NET_RAW,
1<<CAP_NET_ADMIN|1<<CAP_NET_RAW, 0}) = 0
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = 3
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {1<<CAP_NET_RAW,
1<<CAP_NET_ADMIN|1<<CAP_NET_RAW, 0}) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0,
1<<CAP_NET_ADMIN|1<<CAP_NET_RAW, 0}) = 0
getpid()                                = 22190
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=43, ...}) = 0
read(4, "search\tcalix.local\nnameserver 17"..., 4096) = 43
read(4, "", 4096)                       = 0
close(4)                                = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=43, ...}) = 0
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=43, ...}) = 0
read(4, "search\tcalix.local\nnameserver 17"..., 4096) = 43
read(4, "", 4096)                       = 0
close(4)                                = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(4)                                = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(4)                                = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=485, ...}) = 0
read(4, "# /etc/nsswitch.conf\n#\n# Example"..., 1024) = 485
read(4, "", 1024)                       = 0
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=18964, ...}) = 0
mmap(NULL, 18964, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f4efbaae000
close(4)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240!\0\0\0\0\0\0"..., 832)
= 832
fstat(4, {st_mode=S_IFREG|0755, st_size=47528, ...}) = 0
mmap(NULL, 2168600, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) =
0x7f4efb89a000
mprotect(0x7f4efb8a4000, 2097152, PROT_NONE) = 0
mmap(0x7f4efbaa4000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0xa000) = 0x7f4efbaa4000
mmap(0x7f4efbaa6000, 22296, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f4efbaa6000
close(4)                                = 0
mprotect(0x7f4efbaa4000, 4096, PROT_READ) = 0
munmap(0x7f4efbaae000, 18964)           = 0
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=26, ...}) = 0
read(4, "order hosts,bind\nmulti on\n", 1024) = 26
read(4, "", 1024)                       = 0
close(4)                                = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0
read(4, "127.0.0.1\tlocalhost.localdomain\t"..., 1024) = 291
read(4, "", 1024)                       = 0
close(4)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=18964, ...}) = 0
mmap(NULL, 18964, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f4efbaae000
close(4)                                = 0
open("/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\17\0\0\0\0\0\0"...,
832) = 832
fstat(4, {st_mode=S_IFREG|0755, st_size=22824, ...}) = 0
mmap(NULL, 2117848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) =
0x7f4efb694000
mprotect(0x7f4efb699000, 2093056, PROT_NONE) = 0
mmap(0x7f4efb898000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x4000) = 0x7f4efb898000
close(4)                                = 0
open("/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 4
read(4,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220:`\226>\0\0\0"..., 832)
= 832
fstat(4, {st_mode=S_IFREG|0755, st_size=87400, ...}) = 0
mmap(0x3e96600000, 2189952, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
4, 0) = 0x3e96600000
mprotect(0x3e96614000, 2093056, PROT_NONE) = 0
mmap(0x3e96813000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x13000) = 0x3e96813000
mmap(0x3e96815000, 6784, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3e96815000
close(4)                                = 0
mprotect(0x3e96813000, 4096, PROT_READ) = 0
mprotect(0x7f4efb898000, 4096, PROT_READ) = 0
munmap(0x7f4efbaae000, 18964)           = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=43, ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "In function reopen\n", 19In function reopen
)    = 19
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
geteuid()                               = 0
setuid(0)                               = 0
setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "mgmt\0", 5) = -1 EPERM
(Operation not permitted)
write(1, " VRF to bind to is mgmtMukul set"..., 79 VRF to bind to is
mgmtMukul setsockopt failed rc -1, res_send.c/reopen/1020/1
) = 79
connect(4, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("172.23.41.10")}, 16) = -1 ENETUNREACH (Network is
unreachable)
close(4)                                = 0
write(1, "In function reopen\n", 19In function reopen
)    = 19
socket(AF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 4
geteuid()                               = 0
setuid(0)                               = 0
setsockopt(4, SOL_SOCKET, SO_BINDTODEVICE, "mgmt\0", 5) = -1 EPERM
(Operation not permitted)
write(1, " VRF to bind to is mgmtMukul set"..., 79 VRF to bind to is
mgmtMukul setsockopt failed rc -1, res_send.c/reopen/1020/1
) = 79
connect(4, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("172.23.41.10")}, 16) = -1 ENETUNREACH (Network is
unreachable)
close(4)                                = 0
write(2, "ping: unknown host bamboo\n", 26ping: unknown host bamboo
) = 26
exit_group(2)                           = ?
+++ exited with 2 +++
root@CLX3001:~#

