Refuse to run when ipset has been given file capabilities (e.g. setcap cap_net_admin+ep) or is setuid/setgid. Running networking administration tools with elevated privileges via file capabilities exposes the same risks as setuid: any environment variable or file-descriptor manipulation the kernel does not scrub can be leveraged by an unprivileged caller. Add a guard at the very top of main() that calls _exit(111) when getuid() != geteuid(), getgid() != getegid(), or getauxval(AT_SECURE) is set. This follows the same pattern recently applied to iptables (commit a2a733e9f0da) and nftables (commit badb2474ca8b). Signed-off-by: Alan Ross --- src/ipset.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/ipset.c b/src/ipset.c index d7733bf..fff1ca6 100644 --- a/src/ipset.c +++ b/src/ipset.c @@ -11,11 +11,13 @@ #include /* fprintf */ #include /* exit */ #include /* strcmp */ +#include /* getuid, getgid, _exit */ #include #include /* ipset library */ #include /* translate to nftables */ #include +#include /* getauxval */ int main(int argc, char *argv[]) @@ -23,6 +25,11 @@ main(int argc, char *argv[]) struct ipset *ipset; int ret; + /* Refuse to run under setuid/setgid or file capabilities */ + if (getuid() != geteuid() || getgid() != getegid() || + getauxval(AT_SECURE)) + _exit(111); + /* Load set types */ ipset_load_types(); -- 2.43.0
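Review bot: in the first hunk, the new include carrying the `/* getauxval */` comment is placed after the ipset library headers (`/* ipset library */`, `/* translate to nftables */`) instead of next to the other new system header added at the top of the same hunk (`/* getuid, getgid, _exit */`); grouping both new system includes together keeps the file's header ordering consistent. Separately, getauxval() and AT_SECURE are Linux-specific (available in glibc 2.16 and later, and in musl); if ipset is expected to build against older or other libcs, the include and the call in main() should sit behind a configure check (for example a HAVE_GETAUXVAL macro) with a fallback that relies on the uid/gid comparisons alone, otherwise the build breaks there.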
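Review bot: in the second hunk the guard calls `_exit(111)` with no diagnostic, and the patch adds no man-page or changelog text for the new exit status, so a user on a distribution that installs ipset with file capabilities will see the command fail silently with no hint why. Consider writing a one-line message to stderr before exiting, for example `fprintf(stderr, "ipset: refusing to run setuid/setgid or with file capabilities\n");` (stderr is unbuffered, so it survives `_exit`, and fprintf is already included per the `/* fprintf */` comment in the first hunk), and documenting exit status 111 in the man page. Also, on Linux the kernel sets AT_SECURE whenever the uid/gid comparisons would differ, so the two explicit comparisons are redundant there but useful as a fallback where getauxval() reports nothing; a short comment saying so would stop a later cleanup from dropping them.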