| field | value | date |
|---|---|---|
| author | Julian Orth <ju.orth@gmail.com> | 2018-09-11 19:17:48 +0200 |
| committer | Julian Orth <ju.orth@gmail.com> | 2018-12-15 17:19:05 +0100 |
| commit | c862d7df67f26d86bb0de2ea863231d48d1396e9 | |
| tree | 4a68aaa2545c9b9f0a98b7a9fe0eb8ae0e0c0f50 /src/uapi/wireguard.h | |
| parent | netlink: allow specifying the device namespace | |
netlink: restrict access to the UDP socket
To interact with the UDP socket the caller must either be in the
network namespace of the socket or have CAP_NET_ADMIN in that network
namespace.
Diffstat (limited to 'src/uapi/wireguard.h')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/uapi/wireguard.h | 7 |

1 files changed, 7 insertions, 0 deletions
diff --git a/src/uapi/wireguard.h b/src/uapi/wireguard.h index bcfcf4f..8b60ad1 100644 --- a/src/uapi/wireguard.h +++ b/src/uapi/wireguard.h @@ -30,6 +30,9 @@ * socket. The caller must have CAP_NET_ADMIN in the namespace of the Wireguard * device. * + * If the caller is not in the transit namespace and does not have CAP_NET_ADMIN + * in the transit namespace, then the WGDEVICE_A_LISTEN_PORT is not returned. + * * The kernel will then return several messages (NLM_F_MULTI) containing the * following tree of nested items: * @@ -92,6 +95,10 @@ * of the netlink socket. The caller must have CAP_NET_ADMIN in the namespace of * the Wireguard device. * + * If WGDEVICE_A_LISTEN_PORT is provided and the calling process is not in the + * transit namespace, then the calling process must have CAP_NET_ADMIN the + * transit namespace. + * * WGDEVICE_A_IFINDEX: NLA_U32 * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMESIZ - 1 * WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current |
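Review bot: in the first hunk, "then the WGDEVICE_A_LISTEN_PORT is not returned" has a stray "the" before the attribute name, and "transit namespace" is used without saying which namespace that is; the commit message calls it the network namespace of the UDP socket, so the comment should say so where the term first appears, e.g. "If the caller is not in the transit namespace (the namespace of the UDP socket) and does not have CAP_NET_ADMIN there, WGDEVICE_A_LISTEN_PORT is omitted from the reply." Spelling out that the attribute is omitted rather than returned empty also tells userspace that it must treat WGDEVICE_A_LISTEN_PORT as optional when parsing the reply.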
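Review bot: the second hunk is missing the word "in": "must have CAP_NET_ADMIN the transit namespace" should read "must have CAP_NET_ADMIN in the transit namespace". The comment also does not say what happens when the check fails; stating that the set request is rejected, and with which error, would make the contract explicit. It is worth noting in the same place that this differs from the get path documented in the first hunk, where an unprivileged caller outside the transit namespace still gets a reply, just one without WGDEVICE_A_LISTEN_PORT, rather than an error.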