MEDIUM: capabilities: enable support for Linux capabilities
For a while there has been the constraint of having to run as root for
transparent proxying, and we're starting to see some cases where QUIC is
not running in socket-per-connection mode due to the missing capability
that would be needed to bind a privileged port. It's not realistic to
ask all QUIC users on port 443 to run as root, so instead let's provide
a basic support for capabilities at least on linux. The ones currently
supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The
mechanism was made OS-specific with a dedicated file because it really
is. It can be easily refined later for other OSes if needed.
A new keyword "setcap" is added to the global section, to enumerate the
capabilities that must be kept when switching from root to non-root. This
is ignored in other situations though. HAProxy has to be built with
USE_LINUX_CAP=1 for this to be supported, which is enabled by default
for linux-glibc, linux-glibc-legacy and linux-musl.
A good way to test this is to start haproxy with such a config:
global
uid 1000
setcap cap_net_bind_service
frontend test
mode http
timeout client 3s
bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt
and run it under "sudo strace -e trace=bind,setuid", then connecting
there from an H3 client. The bind() syscall must succeed despite the
user id having been switched.
(cherry picked from commit bd84387beb26591e4dd4b77ecf970a584244973b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/Makefile b/Makefile
index d08edb4..40eb875 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,7 @@
# USE_TPROXY : enable transparent proxy. Automatic.
# USE_LINUX_TPROXY : enable full transparent proxy. Automatic.
# USE_LINUX_SPLICE : enable kernel 2.6 splicing. Automatic.
+# USE_LINUX_CAP : enable Linux capabilities.
# USE_LIBCRYPT : enable encrypted passwords using -lcrypt
# USE_CRYPT_H : set it if your system requires including crypt.h
# USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names.
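Review bot: The new `# USE_LINUX_CAP : enable Linux capabilities.` entry does not say that the option is enabled by default, although this same commit adds it to the linux-glibc, linux-glibc-legacy and linux-musl default option lists (lines 55, 64 and 73), and the neighbouring USE_LINUX_TPROXY and USE_LINUX_SPLICE entries flag that state with `Automatic.`. A reader scanning this header to decide what to disable for a minimal or non-root build has no hint that capability handling is compiled in unless they explicitly pass `USE_LINUX_CAP=`. Suggest `# USE_LINUX_CAP : enable Linux capabilities (kept across uid switch via "setcap"). Automatic.`, assuming `Automatic.` here means "set by the target defaults", as it appears to for the other entries.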
@@ -304,7 +305,7 @@
# specific entries if present before them.
use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER USE_POLL \
USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \
- USE_TPROXY USE_LINUX_TPROXY \
+ USE_TPROXY USE_LINUX_TPROXY USE_LINUX_CAP \
USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \
USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_SSL USE_LUA \
USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \
@@ -346,7 +347,7 @@
ifeq ($(TARGET),linux-glibc)
set_target_defaults = $(call default_opts, \
USE_POLL USE_TPROXY USE_LIBCRYPT USE_DL USE_RT USE_CRYPT_H USE_NETFILTER \
- USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY \
+ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY USE_LINUX_CAP \
USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \
USE_GETADDRINFO USE_BACKTRACE USE_SHM_OPEN)
INSTALL = install -v
@@ -356,7 +357,7 @@
ifeq ($(TARGET),linux-glibc-legacy)
set_target_defaults = $(call default_opts, \
USE_POLL USE_TPROXY USE_LIBCRYPT USE_DL USE_RT USE_CRYPT_H USE_NETFILTER \
- USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY \
+ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY USE_LINUX_CAP \
USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_GETADDRINFO)
INSTALL = install -v
endif
@@ -365,7 +366,7 @@
ifeq ($(TARGET),linux-musl)
set_target_defaults = $(call default_opts, \
USE_POLL USE_TPROXY USE_LIBCRYPT USE_DL USE_RT USE_CRYPT_H USE_NETFILTER \
- USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY \
+ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_LINUX_TPROXY USE_LINUX_CAP \
USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \
USE_GETADDRINFO USE_SHM_OPEN)
INSTALL = install -v
@@ -806,6 +807,10 @@
OPTIONS_OBJS += src/namespace.o
endif
+ifneq ($(USE_LINUX_CAP),)
+ OPTIONS_OBJS += src/linuxcap.o
+endif
+
ifneq ($(USE_OT),)
include addons/ot/Makefile
endif