Index: /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp	(revision 16049)
+++ /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp	(revision 16050)
@@ -610,11 +610,11 @@
      * keep the cap_net_raw capability for ICMP sockets for the NAT stack.
      */
+    if (g_uCaps != 0)
+    {
 #  ifdef USE_LIB_PCAP
-    /* XXX cap_net_bind_service */
-    if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
-        prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
+        /* XXX cap_net_bind_service */
+        if (!cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))
+            prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
 #  else
-    if (g_uCaps != 0)
-    {
         cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
         cap_user_data_t   cap = (cap_user_data_t)alloca(sizeof(*cap));
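Review bot: The USE_LIB_PCAP branch is now entered for any non-zero g_uCaps, but it still passes the fixed text "all-eip cap_net_raw+ep" instead of deriving the set from g_uCaps. Going by the option parsing in the -673 hunk, a run with VBOX_HARD_CAP_NET_RAW=0 and VBOX_HARD_CAP_NET_BIND_SERVICE=1 would therefore keep cap_net_raw, which the user asked to drop, and would not keep cap_net_bind_service. Until the text is built from the mask, the libcap path should at least test the bit it actually grants, e.g. `if ((g_uCaps & CAP_TO_MASK(CAP_NET_RAW)) && !cap_set_proc(cap_from_text("all-eip cap_net_raw+ep")))`. The same applies to the `cap_set_proc(cap_from_text("cap_net_raw+ep"));` call in the -762 hunk, and in both places the cap_t returned by cap_from_text() is neither checked for NULL nor released with cap_free(). The enclosing function starts and ends outside this hunk.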
@@ -626,6 +626,6 @@
         if (!capset(hdr, cap))
             prctl(PR_SET_KEEPCAPS, /*keep=*/1, 0, 0, 0);
-    }
-#  endif
+#  endif /* !USE_LIB_PCAP */
+    }
 
 # elif defined(RT_OS_SOLARIS)
@@ -673,22 +673,29 @@
 
     /*
-     * CAP_NET_RAW.
-     * Default: enabled.
-     * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
-     */
-    pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
-    if (   !pszOpt
-        || memcmp(pszOpt, "0", sizeof("0")) != 0)
-        g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
-
-    /*
-     * CAP_NET_BIND_SERVICE.
-     * Default: disabled.
-     * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
-     */
-    pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
-    if (   pszOpt
-        && memcmp(pszOpt, "0", sizeof("0")) != 0)
-        g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
+     * Do _not_ perform any capability-related system calls for root processes
+     * (leaving g_uCaps at 0).
+     */
+    if (getuid() != 0)
+    {
+        /*
+         * CAP_NET_RAW.
+         * Default: enabled.
+         * Can be disabled with 'export VBOX_HARD_CAP_NET_RAW=0'.
+         */
+        pszOpt = getenv("VBOX_HARD_CAP_NET_RAW");
+        if (   !pszOpt
+                || memcmp(pszOpt, "0", sizeof("0")) != 0)
+            g_uCaps = CAP_TO_MASK(CAP_NET_RAW);
+
+        /*
+         * CAP_NET_BIND_SERVICE.
+         * Default: disabled.
+         * Can be enabled with 'export VBOX_HARD_CAP_NET_BIND_SERVICE=1'.
+         */
+        pszOpt = getenv("VBOX_HARD_CAP_NET_BIND_SERVICE");
+        if (   pszOpt
+                && memcmp(pszOpt, "0", sizeof("0")) != 0)
+            g_uCaps |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
+    }
 # endif
 }
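Review bot: The opt-in test for CAP_NET_BIND_SERVICE accepts any value other than "0", so `VBOX_HARD_CAP_NET_BIND_SERVICE=` (empty) or `=no` enables the capability although the comment documents only `=1`. An opt-in that widens privileges is safer as an exact match, `if (pszOpt && strcmp(pszOpt, "1") == 0)`. Both tests also use `memcmp(pszOpt, "0", sizeof("0"))`, which compares two bytes and so reads one byte past the terminator when the variable is set to an empty string; `strcmp(pszOpt, "0") != 0` expresses the same check without that over-read. Since this code presumably runs in a set-uid binary, the comment could also say that these variables come from the invoking user's environment and decide which capabilities are retained. The function's beginning lies outside the hunk.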
@@ -762,11 +769,11 @@
      * Re-enable the cap_net_raw capability which was disabled during setresuid.
      */
+    if (g_uCaps != 0)
+    {
 #  ifdef USE_LIB_PCAP
-    /** @todo Warn if that does not work? */
-    /* XXX cap_net_bind_service */
-    cap_set_proc(cap_from_text("cap_net_raw+ep"));
+        /** @todo Warn if that does not work? */
+        /* XXX cap_net_bind_service */
+        cap_set_proc(cap_from_text("cap_net_raw+ep"));
 #  else
-    if (g_uCaps != 0)
-    {
         cap_user_header_t hdr = (cap_user_header_t)alloca(sizeof(*hdr));
         cap_user_data_t   cap = (cap_user_data_t)alloca(sizeof(*cap));
@@ -778,6 +785,6 @@
         /** @todo Warn if that does not work? */
         capset(hdr, cap);
-    }
-#  endif
+#  endif /* !USE_LIB_PCAP */
+    }
 # endif
 }
