From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=cjhPD3Ja;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id DFC065A026F
	for <passt-dev@passt.top>; Tue, 07 Oct 2025 18:02:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1759852958;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=5Hc+Uhas/ivLRUGYhCBphVp+o5F4qbeXtLb0dzG2ykI=;
	b=cjhPD3Jag9AMQCs1yW/7FMYmULJHJJI52WJHRIP6E86Y/ZEQ9tPhLFDUPaAuHsk8IXMeXK
	fNzoG7rxSGkfNZpVpSjTUuuhLWFCtztwbxou6lFyutkwybyOCD6Mev5qU+KoHUgEQJTHe2
	2CpmGKWR7LhMvg09lq+VSUJZkM8/vc4=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com
 [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-516-VlSUTDfKOYKRPY-tceVI_Q-1; Tue, 07 Oct 2025 12:02:37 -0400
X-MC-Unique: VlSUTDfKOYKRPY-tceVI_Q-1
X-Mimecast-MFC-AGG-ID: VlSUTDfKOYKRPY-tceVI_Q_1759852956
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-3ecdf7b5c46so3086373f8f.2
        for <passt-dev@passt.top>; Tue, 07 Oct 2025 09:02:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1759852956; x=1760457756;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=5Hc+Uhas/ivLRUGYhCBphVp+o5F4qbeXtLb0dzG2ykI=;
        b=jA+6foAShYY9J5QxTg00ZUJ6Y3Baf+DtJgcw2TXjrgXq7oN1aekPzBZGNDIqrlVkzF
         gRlkv8juiuX+vX/U0vhyFfK/2XC2+FqCAQpM89lKcpfNvceK2U9BUxxJzNgK/RluQk2t
         uYRC3WMMIqiGTZ51F4GChgTA6JkeU4ANc10DPDK6/ybap6T8iVXgOdUOm/YZ5jUFVAp9
         rWdXQDU6i3qZd3k6t1tN2pBPZJVenI1sys08JzbLhuS5wyatdMMfXR063HSoUQA++Vgc
         oweK1SCbqHGuWvkR8VJs5AzDpKS7ZWYjMC94ZwWetOvimfF2LgT07FLiD9gFYoNsMIUl
         MaIQ==
X-Gm-Message-State: AOJu0YxpLnbJeTxSX9k5v5Tww0PpLRNPIVxWHDNkIod5WQcCAHcviRJl
	T5Zrly8n7zgFBWWgFSN3+M0YbsO1/bn3IzK+zL3Lya8kWnHXKCKF0ZlOGcFkv5QIXClUJGLbtes
	I9iDy2PL4HxdmKY3TiRviNU/W4vC8mkJ5fHFirilZlkUha2xhk8dYgg==
X-Gm-Gg: ASbGnctjj4oFRwP/n23wcHsFpI2t7V97QovgUwpiVN6Xnl9+a7eWeanQ5u8V2VoHKz1
	MBQZgnK8k8QqvbPWvgkRK6wPiXKDUiYyzrtzixsAlGTP9wpL2hjzR61BzQk2RBeq6qGGLScA19N
	J55uOUEumtqtnZO8UXpsyhom/NKnOu+xwJS3Hze9xgacMFS2ml4haycT2Mw5q8InYk4dFEuBVYM
	WSi7HCkyfUFqTgcj2f5wc/5O09/ltDnCywR8UO65r/ns+zLgM4HHI7JAFn37lXQb03tMAbpwM6T
	u3uG7/VFA2ty5vwZ4gIc17fm4GFDBCugAkdT3kj9SaGPCMYGnICRYvEI
X-Received: by 2002:a05:6000:40df:b0:3ee:15c6:9a6b with SMTP id ffacd0b85a97d-425671af2d1mr10448396f8f.48.1759852955809;
        Tue, 07 Oct 2025 09:02:35 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFTOZo5zUXShpS58HqlRcuS4yz31tYmHV9/JhFQhWZ6rypfnAWu+JgTgMdV0aVE1B5Yb4OACw==
X-Received: by 2002:a05:6000:40df:b0:3ee:15c6:9a6b with SMTP id ffacd0b85a97d-425671af2d1mr10448348f8f.48.1759852955094;
        Tue, 07 Oct 2025 09:02:35 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [2a10:fc81:a806:d6a9::1])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4255d8ab909sm25469494f8f.19.2025.10.07.09.02.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Oct 2025 09:02:34 -0700 (PDT)
Date: Tue, 7 Oct 2025 18:02:32 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Cole Robinson <crobinso@redhat.com>, David Gibson
 <david@gibson.dropbear.id.au>
Subject: Re: [PATCH] isolation: keep CAP_DAC_OVERRIDE initially
Message-ID: <20251007180232.328feebc@elisabeth>
In-Reply-To: <8635494bf4747935bc2179bdb37c8c2cbbe4ed55.1759839307.git.crobinso@redhat.com>
References: <8635494bf4747935bc2179bdb37c8c2cbbe4ed55.1759839307.git.crobinso@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: 0XBm3QyyMGF8LEVnHA0H2YdPGVSEX2VxfvIWL1wL8Kg_1759852956
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: RH5VOZD2MKKWNE75JRS2XFAHCZM5VYVT
X-Message-ID-Hash: RH5VOZD2MKKWNE75JRS2XFAHCZM5VYVT
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, "Richard W.M. Jones" <rjones@redhat.com>, Yumei Huang <yuhuang@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20251007180232.328feebc@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/RH5VOZD2MKKWNE75JRS2XFAHCZM5VYVT/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

[Cc: Yumei as this is somewhat related to
 https://archives.passt.top/passt-dev/20250926011714.5978-1-yuhuang@redhat.com/,
 and David as he wrote most of this part]

On Tue,  7 Oct 2025 08:16:39 -0400
Cole Robinson <crobinso@redhat.com> wrote:

> Reproducer that I'd expect to work
> 
>   $ cd $HOME
>   $ sudo passt --runas $UID --socket foo.sock
>   Failed to bind UNIX domain socket: Permission denied
> 
> A more practical example is for libguestfs apps when run as user=root.
> 
> + libguestfs connects to libvirt qemu:///system
> + libvirt qemu:///system defaults to user=qemu.
>   + chowns passt runtime dir to user=qemu
> + libguestfs instead requests the VM run as user=root
>   + patches in progress but we are blocked by this issue
> + passt is launched as root, but can't open socket in passt dir.
> 
> Obviously libvirt needs improvements too.
> But it seems like this is a defect as well.

Thanks for the patch! I think it's absolutely unproblematic to keep
CAP_DAC_OVERRIDE for a moment at the beginning. Did you figure out
exactly why it's needed by the way?

> Signed-off-by: Cole Robinson <crobinso@redhat.com>

Should we add:

Link: https://github.com/libguestfs/libguestfs/pull/218

? Or it's misleading, or you omitted it for any other reason?

> ---
>  isolation.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/isolation.c b/isolation.c
> index bbcd23b..b25f349 100644
> --- a/isolation.c
> +++ b/isolation.c
> @@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv)
>  	 * We have to keep CAP_SETUID and CAP_SETGID at this stage, so
>  	 * that we can switch user away from root.
>  	 *
> +	 * CAP_DAC_OVERRIDE may be required for socket setup when combined
> +	 * with --runas.
> +	 *
>  	 * We have to keep some capabilities for the --netns-only case:
>  	 *  - CAP_SYS_ADMIN, so that we can setns() to the netns.
>  	 *  - Keep CAP_NET_ADMIN, so that we can configure interfaces
> @@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv)
>  	 * isolate_prefork().
>  	 */
>  	keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) |
> -	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);
> +	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE);
>  
>  	/* Since Linux 5.12, if we want to update /proc/self/uid_map to create
>  	 * a mapping from UID 0, which only happens with pasta spawning a child

-- 
Stefano