CAP_NET_ADMIN linux capability

[notramo]

On Linux, dnscrypt-proxy requires the CAP_NET_ADMIN capability.
This is serious security danger. Quoting from man capabilities

CAP_NET_ADMIN
Perform various network-related operations:
  * interface configuration;
  * administration of IP firewall, masquerading, and accounting;
  * modify routing tables;
  * bind to any address for transparent proxying;
  * set type-of-service (TOS);
  * clear driver statistics;
  * set promiscuous mode;
  * enabling multicasting;
  * use setsockopt(2) to set the following socket options:
    SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
    range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

When the daemon has this capability, it's very dangerous in case a vulnerability is found. Without this capability, an exploit can probably only return false IP addresses for domains. With this capability an exploit can take over network management of the system.

I denied this capability via AppArmor, and dnscrypt-proxy works properly even without it. Why is it set when it's not needed?

[jedisct1]

set type-of-service (TOS)

That may be the reason.

This is not "a serious security danger". This is a capability virtually everything, if not everything on your system has by default.

dnscrypt-proxy doesn't set it nor does anything with Linux capabilities.

[notramo]

By default everything can read everything on a Linux system. Just because something is default it doesn't mean it's secure. I don't consider safe a daemon that when exploited, can mess up my Netfilter firewall.

If I don't need DNSCrypt packets to be prioritized, is it safe to deny this capability, or are there other possible side effects?

[jedisct1]

You can set user_name in order to drop privileges after initialization.

This is far more effective than running the process with root privileges and dropping a handful capabilities.

[notramo]

This capability is needed for setting TOS when running as non-root user. This means that it can configure aforementioned system stuff even as non-root user.