Just upgraded a few boxes to kernel 4.8.8-100.fc23. It seems this latest kernel (or maybe 1 or 2 versions going back 1-2 months) changed something.
I have a script that generates pings (using SOCK_RAW to make its own packets) that I run as root. Worked fine until now. In the new kernel I get "Operation not permitted" on the socket() call. Digging around the net, I found that I need to do:
setcap cap_net_raw+p /foo/myscript
Then when I run it, it works fine.
Ok, great, but *** I'm running the script as root ***!!! Huh? Since when did root need to specify capabilities to run stuff as root? What is this, Windows?
Is there some major paradigm change in the latest kernels where this is a "feature" and not a bug? Just wanted to do a sanity check before I file a bz.
Oh ya, selinux is disabled, so that's not the problem. Lots of chatter on the net about this problem but everyone talking about it is talking about the non-root use case. It would appear my issue is something brand new.
Aside: As for the script, I'm doing really wacky stuff on purpose, and I really needed direct control over the packet, so I can't just abandon SOCK_RAW.