From 736148fdb24c6b45a697e3f2b34600284e7a9aff Mon Sep 17 00:00:00 2001 From: Damien Claisse Date: Fri, 20 Dec 2024 13:36:34 +0000 Subject: [PATCH] BUG/MINOR: cfgparse-tcp: relax namespace bind check Commit 5cbb278 introduced cap_sys_admin support, and enforced checks for both binds and servers. However, when binding into a namespace, the bind is done before dropping privileges. Hence, checking that we have cap_sys_admin capability set in this case is not needed (and it would decrease security to add it). For users starting haproxy with other user than root and without cap_sys_admin, bind should have already failed. As a consequence, relax runtime check for binds into a namespace. (cherry picked from commit f0a07f834c001c5b505e84b0f0b103e530e87d1b) Signed-off-by: Willy Tarreau (cherry picked from commit 42086a672888f569e009149130fad7b19b3fd13d) Signed-off-by: Willy Tarreau
---
 src/cfgparse-tcp.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c
index 2f68daf..1841c66 100644
--- a/src/cfgparse-tcp.c
+++ b/src/cfgparse-tcp.c
@@ -169,7 +169,6 @@ static int bind_parse_namespace(char **args, int cur_arg, struct proxy *px, stru
 ha_alert("Cannot open namespace '%s'.\n", args[cur_arg + 1]);
 return ERR_ALERT | ERR_FATAL;
 }
- global.last_checks |= LSTCHK_SYSADM;
 return 0;
 }

-- 1.7.10.4