OS-5537 lxbrand capset failure prevents dnsmasq from startingrelease-20160721

Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Approved by: Jerry Jelinek <jerry.jelinek@joyent.com>
author: Patrick Mooney <pmooney@pfmooney.com> 2016-07-21 15:33:54 +0000
committer: Patrick Mooney <pmooney@pfmooney.com> 2016-07-21 16:57:38 +0000
commit: 3471df2870ffc5f94d4307efde133d0403020de0 (patch)
tree: 2ee26f87e29f1b650de5b88d6e026a54f53d3b8f
parent: 20b67019efdd4dfa910ee550b78517b17e85db06 (diff)
download: illumos-joyent-release-20160721.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/usr/src/lib/brand/lx/lx_brand/common/capabilities.c b/usr/src/lib/brand/lx/lx_brand/common/capabilities.c
index 74f28232e0..ba6b587a92 100644
--- a/usr/src/lib/brand/lx/lx_brand/common/capabilities.c
+++ b/usr/src/lib/brand/lx/lx_brand/common/capabilities.c
@@ -113,9 +113,13 @@ static const char *lx_cap_map_setuid[] = { PRIV_PROC_SETID, NULL };
 static const char *lx_cap_map_linux_immutable[] = { PRIV_FILE_FLAG_SET, NULL };
 static const char *lx_cap_map_bind_service[] = { PRIV_NET_PRIVADDR, NULL };
 static const char *lx_cap_map_net_admin[] = {
-	PRIV_SYS_IPC_CONFIG,
-	PRIV_SYS_DL_CONFIG,
+	PRIV_SYS_IP_CONFIG,
 	NULL
+	/*
+	 * It would probably make sense to include PRIV_SYS_DL_CONFIG, but that
+	 * privilege is not extended to non-global zones by default.  A more
+	 * sophisticated capabilities translation layer could make it optional.
+	 */
 };
 static const char *lx_cap_map_net_raw[] = {
 	PRIV_NET_RAWACCESS,
author	Patrick Mooney <pmooney@pfmooney.com>	2016-07-21 15:33:54 +0000
committer	Patrick Mooney <pmooney@pfmooney.com>	2016-07-21 16:57:38 +0000
commit	3471df2870ffc5f94d4307efde133d0403020de0 (patch)
tree	2ee26f87e29f1b650de5b88d6e026a54f53d3b8f
parent	20b67019efdd4dfa910ee550b78517b17e85db06 (diff)
download	illumos-joyent-release-20160721.tar.gz