WireGuard kernelTun: Check Capabilities instead of checking UID (#3871)

https://github.com/XTLS/Xray-core/pull/3871#issuecomment-2412820323 --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
2025-04-30 17:38:41 +00:00 · 2024-10-15 11:30:29 +08:00 · 2024-10-15 11:30:29 +08:00 · 19f3f709b2
commit 19f3f709b2
parent 6a70ae6408
3 changed files with 27 additions and 11 deletions
--- a/proxy/wireguard/tun_linux.go
+++ b/proxy/wireguard/tun_linux.go
@ -231,10 +231,15 @@ func createKernelTun(localAddresses []netip.Addr, mtu int, handler promiscuousMo
 	return out, nil
 }

-func KernelTunSupported() bool {
-	// run a superuser permission check to check
-	// if the current user has the sufficient permission
-	// to create a tun device.
+func KernelTunSupported() (bool, error) {
+	var hdr unix.CapUserHeader
+	hdr.Version = unix.LINUX_CAPABILITY_VERSION_3
+	hdr.Pid = 0 // 0 means current process

-	return unix.Geteuid() == 0 // 0 means root
+	var data unix.CapUserData
+	if err := unix.Capget(&hdr, &data); err != nil {
+		return false, fmt.Errorf("failed to get capabilities: %v", err)
+	}
+
+	return (data.Effective & (1 << unix.CAP_NET_ADMIN)) != 0, nil
 }