From 776bac7b90516fde4dea084554028efd95d43321 Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Wed, 24 Aug 2022 21:27:38 +0100 Subject: [PATCH] [Experimental] Move the capability setting back to bash_functions from the pihole-FTL service Signed-off-by: Adam Warner --- .../etc/s6-overlay/s6-rc.d/pihole-FTL/run | 33 ----------------- src/scripts/bash_functions.sh | 36 +++++++++++++++++++ src/scripts/start.sh | 1 + 3 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/src/s6/debian-root/etc/s6-overlay/s6-rc.d/pihole-FTL/run b/src/s6/debian-root/etc/s6-overlay/s6-rc.d/pihole-FTL/run
index aac13d3..22f08a3 100755
--- a/src/s6/debian-root/etc/s6-overlay/s6-rc.d/pihole-FTL/run
+++ b/src/s6/debian-root/etc/s6-overlay/s6-rc.d/pihole-FTL/run
@@ -1,38 +1,5 @@ #!/command/with-contenv bash -# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container: -# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep -# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first: - -/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN' -/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE' -/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW' -/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false' -/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE' - -if [[ ${CAP_STR} ]]; then - # We have the (some of) the above caps available to us - apply them to pihole-FTL - setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$? - - if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then - # DHCP is requested but NET_ADMIN is not available. - echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started." - echo " Please add cap_net_admin to the container's capabilities or disable DHCP." - DHCP_ACTIVE='false' - change_setting "DHCP_ACTIVE" "false" - fi - - if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then - echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root." - echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'" - exit 1 - fi -else - echo "WARNING: Unable to set capabilities for pihole-FTL." - echo " Please ensure that the container has the required capabilities." 
- exit 1 -fi - s6-echo "Starting pihole-FTL ($FTL_CMD) as ${DNSMASQ_USER}" # Remove possible leftovers from previous pihole-FTL processes rm -f /dev/shm/FTL-* 2> /dev/null diff --git a/src/scripts/bash_functions.sh b/src/scripts/bash_functions.sh index 9d742dc..755160d 100644 --- a/src/scripts/bash_functions.sh +++ b/src/scripts/bash_functions.sh 
@@ -30,6 +30,42 @@ changeFTLsetting() { addOrEditKeyValPair "${FTLconf}" "${1}" "${2}" } +fix_capabilities() { + # Testing on Docker 20.10.14 with no caps set shows the following caps available to the container: + # Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep + # FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first: + + /sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN' + /sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE' + /sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW' + /sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false' + /sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE' + + if [[ ${CAP_STR} ]]; then + # We have the (some of) the above caps available to us - apply them to pihole-FTL + setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$? + + if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then + # DHCP is requested but NET_ADMIN is not available. + echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started." + echo " Please add cap_net_admin to the container's capabilities or disable DHCP." + DHCP_ACTIVE='false' + change_setting "DHCP_ACTIVE" "false" + fi + + if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then + echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root." + echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'" + exit 1 + fi + else + echo "WARNING: Unable to set capabilities for pihole-FTL." + echo " Please ensure that the container has the required capabilities." 
+ exit 1 + fi +} + + # shellcheck disable=SC2034 ensure_basic_configuration() { diff --git a/src/scripts/start.sh b/src/scripts/start.sh index 62c36a2..6007c27 100755 --- a/src/scripts/start.sh +++ b/src/scripts/start.sh @@ -18,6 +18,7 @@ echo " ::: Starting docker specific checks & setup for docker pihole/pihole" # Initial checks # =========================== +fix_capabilities validate_env || exit 1 ensure_basic_configuration
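Review bot: `CAP_STR`, `ret` and `DHCP_READY` are never declared or initialised inside `fix_capabilities`, so in a sourced function they become globals of start.sh, and `CAP_STR+=` appends to any value the container environment already exports under that name before it reaches the unquoted `setcap ${CAP_STR:1}+ep`. Unless another script reads these variables (not visible here), start the function with `local CAP_STR='' ret=0 DHCP_READY='true'` and quote the argument as `"${CAP_STR:1}+ep"`. `command -v pihole-FTL` is also a more predictable lookup than `which`. Separately, the `else` branch prints a WARNING but still runs `exit 1` even when `DNSMASQ_USER` is `root`, whereas the setcap-failure branch lets root continue. A short comment saying which behaviour is intended would help, since falling back to root is the wider-privilege path.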
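Review bot: `fix_capabilities` is called before `validate_env` and `ensure_basic_configuration`, yet it can call `change_setting "DHCP_ACTIVE" "false"` and it ends the whole start script through its own `exit 1`. If the settings file that `change_setting` edits is only guaranteed to exist after `ensure_basic_configuration` (not visible in this hunk), the DHCP downgrade could fail or be overwritten on a fresh volume. Consider moving the call after `ensure_basic_configuration`, or confirm that the ordering is safe. For consistency with the next line, the function could `return 1` and the call site read `fix_capabilities || exit 1`.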