Since Linux 5.7 it's possible to set `SO_BINDTODEVICE` via `setsockopt(2)` as an unprivileged user if this operation doesn't imply escaping a VRF interface[1].

Dropping the wrapper is actually desirable because `captive-browser` itself doesn't drop capabilities and as a result, the capabilities are passed on to `chromium` itself[2].

For older kernels, this is still necessary, hence the wrapper will only be added nowadays if the kernel is older than 5.7.

[1] c427bfec18
[2] 08450562e5/bind_device_linux.go (L11-L14) and because our setcap wrapper makes all capabilities inheritable.
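The capability leak described in the commit message can be audited from the `Cap*` lines of `/proc/<pid>/status`. The following is an added example, not code from the commit, nixpkgs or captive-browser: it checks which capability sets of a process contain `CAP_NET_RAW`, the capability `SO_BINDTODEVICE` required before Linux 5.7. The sample status text, the PID and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// capNetRaw is the bit number of CAP_NET_RAW in linux/capability.h.
const capNetRaw = 13

// Constructed sample of /proc/<pid>/status for a child of a wrapper that
// raised CAP_NET_RAW into the inheritable and ambient sets (not real output).
const sampleStatus = `Name:	chromium
Pid:	4242
CapInh:	0000000000002000
CapPrm:	0000000000002000
CapEff:	0000000000002000
CapBnd:	000001ffffffffff
CapAmb:	0000000000002000
`

// setsWithCap reports, per Cap* line of a status text, whether bit is set.
func setsWithCap(status string, bit uint) (map[string]bool, error) {
	found := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue // not a capability line
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		found[key] = mask&(1<<bit) != 0
	}
	return found, sc.Err()
}

// survivesPlainExec reports whether the capability stays usable after execve
// of a binary without file capabilities: only the ambient set carries over.
func survivesPlainExec(sets map[string]bool) bool { return sets["CapAmb"] }

func main() {
	sets, err := setsWithCap(sampleStatus, capNetRaw)
	if err != nil {
		panic(err)
	}
	fmt.Println(sets, "usable by exec'd children:", survivesPlainExec(sets))
}
```

On a live system, feed the function the contents of `/proc/<pid>/status` for the browser process instead of the constructed sample.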