public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
* [PATCH 00/10] Fixes and cleanups for capability handling
@ 2022-10-11  5:40 David Gibson
  2022-10-11  5:40 ` [PATCH 01/10] test: Move slower tests to end of test run David Gibson
                   ` (10 more replies)
  0 siblings, 11 replies; 33+ messages in thread
From: David Gibson @ 2022-10-11  5:40 UTC (permalink / raw)
  To: Stefano Brivio; +Cc: passt-dev, David Gibson

Our current handling of capabilities isn't quite right.  In
particular, drop_caps() attempts to remove capabilities from the
bounding set, which usually won't work, and even if it does won't have
the effect we want.

This series corrects that, as well as making some other fixes and
cleanups in adjacent code.

David Gibson (10):
  test: Move slower tests to end of test run
  pasta: More general way of starting spawned shell as a login shell
  pasta_start_ns() always ends in parent context
  Remove unhelpful drop_caps() call in pasta_start_ns()
  Clarify various self-isolation steps
  Replace FWRITE with a function
  isolation: Replace drop_caps() with a version that actually does
    something
  isolation: Prevent any child processes gaining capabilities
  isolation: Only configure UID/GID mappings in userns when spawning
    shell
  Rename pasta_setup_ns() to pasta_spawn_cmd()

 conf.c      |   3 +-
 isolation.c | 199 ++++++++++++++++++++++++++++++++++++++++++++++------
 isolation.h |   6 +-
 passt.c     |   8 +--
 pasta.c     |  72 +++++++++++--------
 pasta.h     |   3 +-
 test/run    |  20 +++---
 util.c      |  33 +++++++++
 util.h      |  13 +---
 9 files changed, 275 insertions(+), 82 deletions(-)

-- 
2.37.3


^ permalink raw reply	[flat|nested] 33+ messages in thread

end of thread, other threads:[~2022-10-13 23:42 UTC | newest]

Thread overview: 33+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-11  5:40 [PATCH 00/10] Fixes and cleanups for capability handling David Gibson
2022-10-11  5:40 ` [PATCH 01/10] test: Move slower tests to end of test run David Gibson
2022-10-11  5:40 ` [PATCH 02/10] pasta: More general way of starting spawned shell as a login shell David Gibson
2022-10-13  2:16   ` Stefano Brivio
2022-10-13  8:22     ` David Gibson
2022-10-13  9:48       ` Stefano Brivio
2022-10-13 23:24         ` David Gibson
2022-10-11  5:40 ` [PATCH 03/10] pasta_start_ns() always ends in parent context David Gibson
2022-10-11  5:40 ` [PATCH 04/10] Remove unhelpful drop_caps() call in pasta_start_ns() David Gibson
2022-10-11  5:40 ` [PATCH 05/10] Clarify various self-isolation steps David Gibson
2022-10-13  2:17   ` Stefano Brivio
2022-10-13  8:31     ` David Gibson
2022-10-13 12:49   ` Stefano Brivio
2022-10-13 23:25     ` David Gibson
2022-10-11  5:40 ` [PATCH 06/10] Replace FWRITE with a function David Gibson
2022-10-13  2:17   ` Stefano Brivio
2022-10-13  8:51     ` David Gibson
2022-10-11  5:40 ` [PATCH 07/10] isolation: Replace drop_caps() with a version that actually does something David Gibson
2022-10-13  2:18   ` Stefano Brivio
2022-10-13  9:44     ` David Gibson
2022-10-13  4:01   ` Stefano Brivio
2022-10-13 13:08     ` Stefano Brivio
2022-10-13 16:37       ` Stefano Brivio
2022-10-13 23:42         ` David Gibson
2022-10-11  5:40 ` [PATCH 08/10] isolation: Prevent any child processes gaining capabilities David Gibson
2022-10-13  2:17   ` Stefano Brivio
2022-10-13  9:33     ` David Gibson
2022-10-13  9:50       ` Stefano Brivio
2022-10-11  5:40 ` [PATCH 09/10] isolation: Only configure UID/GID mappings in userns when spawning shell David Gibson
2022-10-13  2:18   ` Stefano Brivio
2022-10-13  9:36     ` David Gibson
2022-10-11  5:40 ` [PATCH 10/10] Rename pasta_setup_ns() to pasta_spawn_cmd() David Gibson
2022-10-13  2:44 ` [PATCH 00/10] Fixes and cleanups for capability handling Stefano Brivio

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).