From 07db6dfac060d474b73f9b963435f4b6472e3f48 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Wed, 11 Aug 2021 14:47:59 -0400
Subject: [PATCH] fix(firewalld): keep linux capability CAP_SYS_MODULE

When firewalld calls ip6tables it may implicitly load the ip6_tables, et al kernel modules. As such we need to retain CAP_SYS_MODULE so that implicit module is allowed. Otherwise we get EPERM from the kernel.

This only affects the -legacy variants and the top level table/chain modules. The userspace binaries will modprobe the kernel modules. Extensions, e.g. xt_conntrack, are implicitly loaded by the kernel based on the rules being added and thus not subject to linux capabilities checks.

The -nft variants are unaffected because they use the nftables infrastructure which has implicit module loading in the kernel similar to the iptables extensions (xt_* modules).

Fixes: rhbz 1990271
Fixes: fb0532e8a200 ("feat(firewalld): drop linux capabilities")
(cherry picked from commit 13801962073f478c68d818b314091badcf8b5614)
(cherry picked from commit d3cd7e088f946c75593b0569bd658266b2e9329d)
---
 src/firewalld.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/firewalld.in b/src/firewalld.in
index abcbe3508f86..b1c886c6f02f 100755
--- a/src/firewalld.in
+++ b/src/firewalld.in
@@ -136,6 +136,7 @@ def startup(args):
 # attempt to drop Linux capabilities to a minimal set:
 # - CAP_NET_ADMIN
 # - CAP_NET_RAW
+ # - CAP_SYS_MODULE
 try:
 import capng
 capng.capng_clear(capng.CAPNG_SELECT_BOTH)
@@ -143,8 +144,10 @@ def startup(args):
 capng.CAP_NET_ADMIN)
 capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
 capng.CAP_NET_RAW)
+ capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED | capng.CAPNG_BOUNDING_SET,
+ capng.CAP_SYS_MODULE)
 capng.capng_apply(capng.CAPNG_SELECT_BOTH)
- log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW.")
+ log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
 except ImportError:
 pass
-- 
2.31.1
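Review bot: The new capng_update call keeps CAP_SYS_MODULE in the effective, permitted and bounding sets unconditionally, although the description says only the iptables -legacy backend needs it so the userspace binaries can modprobe the top-level table/chain modules; on a host using the nftables backend the daemon, and the root children it executes, therefore effectively retain the ability to load kernel modules for no benefit, which largely undoes the privilege reduction from fb0532e8a200. If the configured backend is already known at this point in startup() (it is decided outside the hunk, so this is inferred), the SYS_MODULE update could be made conditional on the legacy backend; alternatively the required table modules could be loaded once before capng_apply() so that the capability can still be dropped afterwards. Either way, the comment list in the first hunk should record why this capability is retained, e.g. `# - CAP_SYS_MODULE (only so iptables/ip6tables -legacy can modprobe the table modules; not needed for the nftables backend)`. The body of startup() continues before and after this hunk.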