guest: allow unprivileged users to use ping

slp · alyssarosenzweig · commit fb6ef35b50c3 · 2024-09-27T13:04:49.000-04:00
By default, the kernel doesn't allow unprivileged users to create ICMP
Echo sockets, which can lead to confusing messages like this one:

$ ping 1.1.1.1
ping: socktype: SOCK_DGRAM
ping: socket: Address family not supported by protocol

Most distros adjust "ipv4/ping_group_range" to allow unprivileged users
to use "ping" without relying on setuid, so do the same for krun guests.

Signed-off-by: Sergio Lopez &lt;slp@redhat.com&gt;
diff --git a/crates/krun/src/guest/net.rs b/crates/krun/src/guest/net.rs
@@ -1,4 +1,5 @@
 use std::fs;
+use std::io::Write;
 use std::os::unix::process::ExitStatusExt as _;
 use std::process::Command;
 
@@ -10,6 +11,17 @@ use crate::utils::env::find_in_path;
 use crate::utils::fs::find_executable;
 
 pub fn configure_network() -> Result<()> {
+    // Allow unprivileged users to use ping, as most distros do by default.
+    {
+        let mut file = fs::File::options()
+            .write(true)
+            .open("/proc/sys/net/ipv4/ping_group_range")
+            .context("Failed to open ipv4/ping_group_range for writing")?;
+
+        file.write_all(format!("{} {}", 0, 2147483647).as_bytes())
+            .context("Failed to extend ping group range")?;
+    }
+
     {
         let hostname =
             fs::read_to_string("/etc/hostname").context("Failed to read `/etc/hostname`")?;
