WireGuard kernelTun: Check Capabilities instead of checking UID #3871

wants to merge 1 commit into
base: main
11 changes: 9 additions & 2 deletions infra/conf/wireguard.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"encoding/base64"
"encoding/hex"
"fmt"
"strings"

"github.com/xtls/xray-core/common/errors"
Expand Down Expand Up @@ -119,13 +120,19 @@ func (c *WireGuardConfig) Build() (proto.Message, error) {
}

config.IsClient = c.IsClient
kernelTunSupported, err := wireguard.KernelTunSupported()
if err != nil {
errors.LogWarning(context.Background(), fmt.Sprintf("Failed to check kernel TUN support: %v. This may indicate that your OS doesn't support kernel mode or you lack the necessary permissions. Please ensure you have the required privileges.", err))
config.KernelMode = false
return config, nil
}
if c.KernelMode != nil {
config.KernelMode = *c.KernelMode
if config.KernelMode && !wireguard.KernelTunSupported() {
if config.KernelMode && !kernelTunSupported {
errors.LogWarning(context.Background(), "kernel mode is not supported on your OS or permission is insufficient")
}
} else {
config.KernelMode = wireguard.KernelTunSupported()
config.KernelMode = kernelTunSupported
if config.KernelMode {
errors.LogDebug(context.Background(), "kernel mode is enabled as it's supported and permission is sufficient")
}
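Review bot: The `return config, nil` in the new error branch leaves Build() early, so a failed capability probe does more than disable kernel mode — everything Build() does after the kernel-mode selection (the function continues past this hunk) is skipped for that config. Treat a probe error like an unsupported platform instead: log the warning, set `kernelTunSupported = false`, and let the existing `c.KernelMode != nil` branches run, so an explicit `kernelMode: true` still gets the "kernel mode is not supported" warning and the rest of Build() still executes. If an explicitly requested kernel mode should be a hard failure when the probe itself errors, returning the wrapped error from Build() is more honest than a silent fallback; either way the fallback should not bypass the remainder of the function. The log text could also drop the trailing advice sentence and keep the error itself, `fmt.Sprintf("failed to check kernel TUN support: %v", err)`, since the two existing messages already tell the user what the likely cause is.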
4 changes: 2 additions & 2 deletions proxy/wireguard/tun_default.go
Expand Up @@ -11,6 +11,6 @@ func createKernelTun(localAddresses []netip.Addr, mtu int, handler promiscuousMo
return nil, errors.New("not implemented")
}

func KernelTunSupported() bool {
return false
func KernelTunSupported() (bool, error) {
return false, nil
}
15 changes: 10 additions & 5 deletions proxy/wireguard/tun_linux.go
Expand Up @@ -231,10 +231,15 @@ func createKernelTun(localAddresses []netip.Addr, mtu int, handler promiscuousMo
return out, nil
}

func KernelTunSupported() bool {
// run a superuser permission check to check
// if the current user has the sufficient permission
// to create a tun device.
func KernelTunSupported() (bool, error) {
var hdr unix.CapUserHeader
hdr.Version = unix.LINUX_CAPABILITY_VERSION_3
hdr.Pid = 0 // 0 means current process

return unix.Geteuid() == 0 // 0 means root
var data unix.CapUserData
if err := unix.Capget(&hdr, &data); err != nil {
return false, fmt.Errorf("failed to get capabilities: %v", err)
}

return (data.Effective & (1 << unix.CAP_NET_ADMIN)) != 0, nil
}
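Review bot: `unix.Capget` with `LINUX_CAPABILITY_VERSION_3` makes the kernel copy out two `CapUserData` elements (each 64-bit capability set is split into two 32-bit words), but `data` here is a single struct, so the syscall writes past the end of the variable; declare `var data [2]unix.CapUserData`, call `unix.Capget(&hdr, &data[0])`, and test `data[0].Effective` (CAP_NET_ADMIN is below bit 32, so the first word is the right one). The wrapped error should use `%w` without the "failed to" prefix, `fmt.Errorf("getting process capabilities: %w", err)`, and since the import block is outside this hunk, confirm `fmt` is actually imported in tun_linux.go. As the function is exported, the explanatory comment belongs in a doc comment starting with the name, e.g. `// KernelTunSupported reports whether the process holds CAP_NET_ADMIN in its effective capability set, which the kernel requires for creating a TUN device.` Worth stating in that comment that only the effective set is consulted: a process that holds the capability in its permitted or bounding set but not effective reports false, which is the right fail-closed answer but differs from the old euid==0 check.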