Diffstat (limited to 'src/network/networkd-manager.c')
-rw-r--r--src/network/networkd-manager.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index 2c2956f465..6063834a20 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -16,6 +16,7 @@
#include "bus-log-control-api.h"
#include "bus-polkit.h"
#include "bus-util.h"
+#include "capability-util.h"
#include "common-signal.h"
#include "conf-parser.h"
#include "constants.h"
@@ -603,6 +604,7 @@ int manager_new(Manager **ret, bool test_mode) {
.duid_product_uuid.type = DUID_TYPE_UUID,
.dhcp_server_persist_leases = true,
.ip_forwarding = { -1, -1, },
+ .cgroup_fd = -EBADF,
};
*ret = TAKE_PTR(m);
@@ -615,11 +617,15 @@ Manager* manager_free(Manager *m) {
if (!m)
return NULL;
+ sysctl_remove_monitor(m);
+
free(m->state_file);
HASHMAP_FOREACH(link, m->links_by_index)
(void) link_stop_engines(link, true);
+ hashmap_free(m->sysctl_shadow);
+
m->request_queue = ordered_set_free(m->request_queue);
m->remove_request_queue = ordered_set_free(m->remove_request_queue);
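Review bot: The added `hashmap_free(m->sysctl_shadow);` leaves the freed pointer in the struct, while the lines right after it reassign the result of the free call; writing `m->sysctl_shadow = hashmap_free(m->sysctl_shadow);` would match them and keep a later teardown step from seeing a stale pointer. Separately, nothing visible in this hunk closes `m->cgroup_fd`, which manager_new() now initialises to `-EBADF`. Presumably `sysctl_remove_monitor()` owns that descriptor, and a short comment such as `/* Also closes m->cgroup_fd. */` above the call would record it if so. manager_free() continues past the end of the hunk, so the close may also sit further down.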
@@ -692,6 +698,18 @@ int manager_start(Manager *m) {
assert(m);
+ (void) sysctl_add_monitor(m);
+
+ /* Loading BPF programs requires CAP_SYS_ADMIN and CAP_BPF.
+ * Drop the capabilities here, regardless if the load succeeds or not. */
+ r = drop_capability(CAP_SYS_ADMIN);
+ if (r < 0)
+ log_warning_errno(r, "Failed to drop CAP_SYS_ADMIN: %m, ignoring.");
+
+ r = drop_capability(CAP_BPF);
+ if (r < 0)
+ log_warning_errno(r, "Failed to drop CAP_BPF: %m, ignoring.");
+
manager_set_sysctl(m);
r = manager_request_static_address_labels(m);
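Review bot: Both `drop_capability()` failures in the added block are logged at warning level and then ignored, so after a failed drop networkd keeps CAP_SYS_ADMIN or CAP_BPF for the rest of its lifetime, with one log line as the only trace. If best effort is intended, say so next to the calls, e.g. `/* Best effort: if a drop fails we keep running with the capability still held. */`, and consider putting the errno text last in the message, `"Failed to drop CAP_SYS_ADMIN, ignoring: %m"`. The result of `sysctl_add_monitor()` is discarded with `(void)`, so this hunk does not show whether the monitor was actually installed before the privileges go away. It is also worth confirming which capability sets `drop_capability()` clears, which cannot be told from these lines. manager_start() begins and ends outside the hunk.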