https://bugzilla.suse.com/show_bug.cgi?id=1177499 https://bugzilla.suse.com/show_bug.cgi?id=1177499#c2 --- Comment #2 from Michal Suchanek --- :~/home:michals/python-python-prctl> cp /usr/bin/ping . :~/home:michals/python-python-prctl> ./ping -c1 localhost PING localhost(localhost (::1)) 56 data bytes 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.072 ms --- localhost ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.072/0.072/0.072/0.000 ms so indeed ping is the wrong test - it no longer needs any special capability. -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1177499 https://bugzilla.suse.com/show_bug.cgi?id=1177499#c4 Anthony Iliopoulos changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ailiopoulos@suse.com --- Comment #4 from Anthony Iliopoulos --- PR_SET_NO_NEW_PRIVS works fine, but ping indeed doesn't need any special capabilities anymore, so the test fails. This has been actually possible for a long time, since commit c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind"), but it was restricted by default (see commit msg for details, basically /proc/sys/net/ipv4/ping_group_range needs to allow uid ranges). This seems to have been changed recently in TW to allow this to all users: /usr/lib/sysctl.d/50-default.conf:net.ipv4.ping_group_range = 0 2147483647 rpm -qf /usr/lib/sysctl.d/50-default.conf aaa_base-84.87+git20200918.331aa2f-1.1.x86_64 Wed Sep 9 06:51:29 UTC 2020 - Ludwig Nussel * sysctl.d/50-default.conf: allow everybody to create IPPROTO_ICMP sockets (bsc#1174504) -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1177499 https://bugzilla.suse.com/show_bug.cgi?id=1177499#c6 --- Comment #6 from Anthony Iliopoulos --- (In reply to Michal Suchanek from comment #5)

Replacing the command with dumpcap from wireshark does not work either - the test fails with EPERM

'dumpcap', '-i', 'lo', '-a', 'duration:1'

that's because dumpcap is by default installed with 0750/-rwxr-x--- perms, and I presume the test user doesn't belong to the "wireshark" group. you can try to reproduce the ping issue to confirm that the prctl is functioning as expected: # restrict unprivileged icmp socket creation echo 1 0 | sudo tee /proc/sys/net/ipv4/ping_group_range dev@localhost:~> ping -c1 localhost PING localhost(localhost (::1)) 56 data bytes 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.049 ms --- localhost ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.049/0.049/0.049/0.000 ms dev@localhost:~> setpriv --nnp ping -c1 localhost ping: socket: Operation not permitted Anyway, I'd assume that relying on a package binary that is expected to have filecaps may not be the most reliable method for testing this. It's probably best to have a test.c that prints its own cap bits (via libcap), that gets compiled and has some cap bits set on it (which is a problem I suppose since it requires root), or just make this binary into an rpm package as a dependency. -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1177499 https://bugzilla.suse.com/show_bug.cgi?id=1177499#c8 --- Comment #8 from Michal Suchanek --- Read the previous comment: everything works as designed but there is no reasonable way to test this in our build environment. At best we could probably create a test package that contains a binary which is installed with some capabilities and fails when the capabilities are missing. -- You are receiving this mail because: You are the assignee for the bug.