From 8e130882fca93097f39972b0e720fa27d2d70094 Mon Sep 17 00:00:00 2001
From: yrutschle
Date: Sun, 9 May 2021 15:46:25 +0200
Subject: [PATCH] sslh-fork drops all capabilities after connecting to server side
---
 ChangeLog | 5 ++++-
 common.h | 1 +
 sslh-fork.c | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 3711598..d83975a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,7 +20,10 @@ vNEXT:
 Warn about unknown settings in the configuration file.
- Added per-protocol `transparent` option.
+ Added per-protocol `transparent` option. The option
+ requires CAP_NET_ADMIN to work. sslh-fork drops the
+ capability after creating the server-side
+ transparent socket.
 v1.21: 11JUL2020
 WARNING:
diff --git a/common.h b/common.h
index e743766..54199cd 100644
--- a/common.h
+++ b/common.h
@@ -136,6 +136,7 @@ int check_access_rights(int in_socket, const char* service);
 void setup_signals(void);
 void setup_syslog(const char* bin_name);
 void drop_privileges(const char* user_name, const char* chroot_path);
+void set_capabilities(int cap_net_admin);
 void write_pid_file(const char* pidfile);
 void log_message(int type, const char* msg, ...);
 void dump_connection(struct connection *cnx);
diff --git a/sslh-fork.c b/sslh-fork.c
index 4ff2ca9..0ac678b 100644
--- a/sslh-fork.c
+++ b/sslh-fork.c
@@ -114,6 +114,8 @@ void start_shoveler(int in_socket)
 out_socket = connect_addr(&cnx, in_socket);
 CHECK_RES_DIE(out_socket, "connect");
+ set_capabilities(0);
+
 cnx.q[1].fd = out_socket;
 get_connection_desc(&desc, &cnx);
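Review bot: The new declaration `void set_capabilities(int cap_net_admin);` in common.h has no comment, and its contract is not obvious from the name alone: the commit title says all capabilities are dropped, while the parameter name suggests CAP_NET_ADMIN can be kept. Since the definition is not part of this patch, a one-line comment above the prototype would help, e.g. `/* Drop all capabilities; keep CAP_NET_ADMIN only if cap_net_admin is non-zero */` if that is what the definition does. The only call site added here, `set_capabilities(0);` in sslh-fork.c right after `connect_addr()`, then reads as dropping everything once the server-side socket exists, which matches the ChangeLog text. If the drop depends on a build-time option, the comment should say so, so readers do not assume the capability is gone in every build.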