Adds a note to packet.7 that the calling process must have the CAP_NET_BIND_SERVICE capability in order to call bind on packet sockets. The linux/capability.h header file comments for CAP_NET_BIND_SERVICE do not document this requirement either.

I did take a brief look in the kernel source code of both the older kernel I'm using and also in 4.4-rc2 but found no obvious check for this capability in files in net/packet, but I'm not familiar with this code at all.

I discovered this after debugging unexpected permission denied errors in busybox's udhcpc (when it attempts to renew leases). It is creating the socket using:

    socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP))

It is possible that it is only with certain type and protocol parameters? If so, this patch would need to be revised to reflect that.

Patch generated against man-pages-4.02.

diff -ur a/man-pages-4.02/man7/packet.7 b/man-pages-4.02/man7/packet.7 --- a/man-pages-4.02/man7/packet.7 2015-08-08 17:24:11.000000000 +0100 +++ b/man-pages-4.02/man7/packet.7 2015-11-24 18:44:37.341815032 +0000 @@ -97,6 +97,12 @@ and .IR sll_ifindex . +Only processes with the +.B CAP_NET_BIND_SERVICE +capability may use +.BR bind (2) +on packet sockets. + The .BR connect (2) operation is not supported on packet sockets.

-- Stewart Brodie
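Review bot: The added paragraph after ".IR sll_ifindex ." states the CAP_NET_BIND_SERVICE requirement for bind(2) on packet sockets unconditionally, but the submission itself reports finding no such check under net/packet in either kernel examined and asks whether the behaviour depends on the socket type and protocol. A capability statement in a man page should be traceable to the kernel check that enforces it, so the commit message should cite the file and function that return the error, or the text should be narrowed to the one case actually observed, socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_IP)), until the source of the permission denied result is identified. It would also help to name the errno value that bind(2) returns in this case and the kernel versions on which it was seen, so readers can match the note to what they observe.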