From 3a568febfa8e6fadf2eb93248eabfe20871c8cfb Mon Sep 17 00:00:00 2001
From: Tomasz Grzegowski
Date: Fri, 20 Dec 2024 10:09:27 +0000
Subject: [PATCH] Disble drop prrivileges
---
 .github/workflows/tests.yml | 8 +++-----
 xray/run.py | 16 ++++++++++------
 2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4da2aa5..5d89452 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -58,9 +58,8 @@ jobs:
 - name: Setup
 working-directory: xray
 run: |
- sudo apt-get update
- sudo apt-get install -y wireguard
- sudo apt install -y wireguard-go
+ sudo apt update
+ sudo apt install -y wireguard wireguard-go
 python -m pip install --upgrade pip
 pip install pipenv
 pipenv install
@@ -68,8 +67,7 @@ jobs:
 working-directory: xray
 run: |
 pipenv run python run.py --wg native --ascii --save-output
- # pipenv run python run.py --wg wggo --ascii --save-output
- # pipenv run python run.py --wg neptun --ascii --save-output
+ pipenv run python run.py --wg neptun --ascii --save-output --disable-drop-privileges
 - name: Upload graph results
 uses: actions/upload-artifact@v4
 with:
diff --git a/xray/run.py b/xray/run.py
index 363f7fb..71a51a7 100755
--- a/xray/run.py
+++ b/xray/run.py
@@ -44,7 +44,7 @@ def from_str(s):
 raise Exception(f"{s} is not a valid wireguard type")
-def setup_wireguard(wg, build_neptun):
+def setup_wireguard(wg, build_neptun, disable_drop_privileges):
 if wg == Wireguard.Native:
 run_command(f"sudo ip link add dev {WG_IFC_NAME} type wireguard")
 elif wg == Wireguard.WgGo:
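Review bot: In the second hunk of `.github/workflows/tests.yml`, the only NepTUN invocation now passes `--disable-drop-privileges`, so CI never exercises the default path in which neptun-cli drops its privileges, and a regression there would go unnoticed. Nothing records why the flag is needed on the runner; a comment above the line such as `# neptun-cli cannot drop privileges on the hosted runner (<reason>), so this run keeps it root` would do that. If the default mode can run here at all, a second invocation without the flag would keep the privilege-dropping code under test.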
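Review bot: `setup_wireguard` in `xray/run.py` gains `disable_drop_privileges` as a required positional parameter, with no default and no documentation of what it controls. A default keeps any other caller working and makes privilege dropping the behaviour you get unless you ask otherwise: `def setup_wireguard(wg, build_neptun, disable_drop_privileges=False):`. A one-line docstring should say that the value is only forwarded to neptun-cli; in the visible hunks it is consumed only in the branch that launches that binary. The function body continues outside this hunk.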
@@ -59,7 +59,10 @@ def setup_wireguard(wg, build_neptun):
 else:
 if build_neptun:
 run_command(f"cargo build --release -p neptun-cli")
- run_command(f"sudo ../target/release/neptun-cli {WG_IFC_NAME}")
+ run_command(
+ f"sudo ../target/release/neptun-cli {WG_IFC_NAME}"
+ + (" --disable-drop-privileges" if disable_drop_privileges else "")
+ )
 run_command(f"sudo ip link set dev {WG_IFC_NAME} mtu 1420")
 run_command(f"sudo ip link set dev {WG_IFC_NAME} up")
 run_command(
@@ -90,9 +93,9 @@ def stop_tcpdump(tcpdump):
 def destroy_wireguard(wg):
 if wg == Wireguard.NepTUN:
- run_command("killall -9 neptun-cli")
+ run_command("sudo killall -9 neptun-cli")
 elif wg == Wireguard.BoringTun:
- run_command("killall -9 boringtun-cli")
+ run_command("sudo killall -9 boringtun-cli")
 else:
 run_command(f"sudo ip link delete {WG_IFC_NAME}")
@@ -105,6 +108,7 @@ def main():
 parser.add_argument("--nobuild-neptun", action="store_true")
 parser.add_argument("--nobuild-xray", action="store_true")
 parser.add_argument("--save-output", action="store_true")
+ parser.add_argument("--disable-drop-privileges", action="store_true")
 parser.add_argument("--ascii", action="store_true")
 args = parser.parse_args()
@@ -128,7 +132,7 @@ def main():
 except: # noqa: E722
 pass
- setup_wireguard(wg, build_neptun)
+ setup_wireguard(wg, build_neptun, args.disable_drop_privileges)
 tcpdump = start_tcpdump(get_test_path(wg.name, test_type, count) + ".pcap")
 succeeded = True
@@ -148,7 +152,7 @@ def main():
 count,
 test_type,
 args.ascii,
- args.save_output
+ args.save_output,
 )
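Review bot: The rewritten `run_command(` call that starts `neptun-cli` under `sudo` (hunk at -59) appends `--disable-drop-privileges` with no comment on the consequence: judging by the flag name, the tunnel process then stays root for its whole lifetime instead of dropping to an unprivileged user after setup. That is the process handling peer traffic, so the reduced isolation deserves a why-comment at the call site, for example `# test-only: neptun-cli keeps root when this flag is set; do not use outside the xray test rig`. Building the command in a local first (`cmd = f"sudo ../target/release/neptun-cli {WG_IFC_NAME}"`, then `cmd += " --disable-drop-privileges"` under an `if`) would also read more clearly than concatenating inside the call. The enclosing `setup_wireguard` starts and ends outside this hunk.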
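Review bot: In `destroy_wireguard` (hunk at -90), `sudo killall -9 neptun-cli` and `sudo killall -9 boringtun-cli` now match by name as root, so they end every process with that name on the machine, including ones this run did not start, and SIGKILL gives the process no chance to tear down its interface. The `sudo` is presumably needed because neptun-cli can still be root when started with `--disable-drop-privileges`; a comment should say so, e.g. `# neptun-cli may still be root (--disable-drop-privileges), so the kill needs sudo`. The boringtun line changes the same way although nothing visible in this patch alters how boringtun is started, which is worth a word in the commit message. Recording the PID of the process started in `setup_wireguard` and signalling only that one would narrow the scope of the root-level kill.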
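Review bot: The new `parser.add_argument("--disable-drop-privileges", action="store_true")` in `main` (hunk at -105) has no `help` text, so `--help` gives no hint that the option weakens process isolation. Suggested: `parser.add_argument("--disable-drop-privileges", action="store_true", help="keep neptun-cli running as root (test environments only)")`. `main` starts and ends outside this hunk.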
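Review bot: At the `setup_wireguard(wg, build_neptun, args.disable_drop_privileges)` call in `main` (hunk at -128), the flag is passed for every `--wg` type, but the visible hunks use it only when launching neptun-cli, so a run such as `--wg native --disable-drop-privileges` is accepted and silently does nothing. Rejecting the combination makes the misuse visible: `if args.disable_drop_privileges and wg != Wireguard.NepTUN: parser.error("--disable-drop-privileges only applies to --wg neptun")`. `main` extends beyond this hunk, so the exact placement relative to where `wg` is assigned should be checked against the full file.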