From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ZTCZToeH;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id A7C015A0619
	for <passt-dev@passt.top>; Wed, 08 Oct 2025 17:06:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1759936012;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=1fQBJtyf+cpL2nfuf4b25Jzb6LQXymU/eibyM3VVDVE=;
	b=ZTCZToeHjTXFhBkAeF8Miudc5bBsu8FSZGkVmhLA+tC2k6IXAvdayLkDXUgCATuwJtL74i
	rFNXBvZ3kvu9+i/QDYheBKO1pLo4oPZ6eqja7/+ush7mHMB5/aFhcjDPK9ZJ/4REfVNCaU
	n7hBa3hSdoJfOTEF8O1fmHuUn0nVjJA=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com
 [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-340-laQdrqr2PM-k7MVtWYrk_g-1; Wed, 08 Oct 2025 11:06:50 -0400
X-MC-Unique: laQdrqr2PM-k7MVtWYrk_g-1
X-Mimecast-MFC-AGG-ID: laQdrqr2PM-k7MVtWYrk_g_1759936010
Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-46fa88b5760so5353065e9.3
        for <passt-dev@passt.top>; Wed, 08 Oct 2025 08:06:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1759936009; x=1760540809;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=1fQBJtyf+cpL2nfuf4b25Jzb6LQXymU/eibyM3VVDVE=;
        b=LVfmqgTdBO5sWynWDzoa2OX4bhPNjE9LLqT46AcRIGo3zgsCrmdKLiQAbv/6CvLMfn
         bqMjzMVqdj23qVDqDhrogUVSjWWrGj0RPSTk9YkoK9sav0iZrC5fawa/3DNv29teggUu
         TDWUd14a8h2eYHnGqSupfPM6SoLm3FBh6g8WgMCnT9EXvFA5RcLFmbr2KtLWsodP53k0
         YzZnVEnGh+dtGw+OQ0u1zxRFJV+EzAUkV5HhX7M4quwGseJ/UDH52QLovA2ACrzueFgj
         3B61fQNBzfRGfejfK0JucFlGovsdcY4J9ibHjv6VE8i6E9eDU25KRRkOH9qzLEIPxRUx
         Z/OQ==
X-Forwarded-Encrypted: i=1; AJvYcCWBUYrHFtdSTwPH6FMI7Bf8e+z6MvGBfeC6mCGKrpcr0jnVYhN6X32i8ygte5g4s6z+BzaNQfZz9LY=@passt.top
X-Gm-Message-State: AOJu0YyWoaVf9Tgqb/r8HcNjCNd5bQ8c3WvEPQphY1ymi0TUn8xsEnfe
	Kjcl5qP4tKjcOmiOu/0Wi71ktteMGw13bSgGsvMCjh/JUdfgnPe8Gv9VL96IaIBnb8b6WIGrYda
	FN7m1vXqE7xSS+Xq4eR5IJh4IWAo1+KVxnMWCdNEnxbIf+mduB+TSDQ==
X-Gm-Gg: ASbGncudtGFGueH20kISinXsstfxe9Hd0M2Ay9JwbDQMoDxXhPCMqcisi7qvuv+0k+u
	8t3daNv4hZr5oOaul8sz8NO+lNg6KU86olEL60tD/kb0zjQw4HbQKouYK9Ok+jaQ92i/BAg4vsJ
	8QXfSsxAs5FjevAzS6K8We9LQF8mqy9UpJfzTvzLadQKOPhUvngUnSld5WJBG/pZRav8C93PDCm
	fGAQN0WBtR6ubgkEEgv4ykUPNLoLngC3Gb6g3jGfHmIlKxy4D/FPnswnlj404by11e1CO7P6ntF
	4+8S67jbJNbPIKsgtZW+kgCY7Kpz6gxtJkwyxJbvsezyNGCHB4c7LBeb+n8u7UgpDXP4sK6uGQ=
	=
X-Received: by 2002:a05:600c:3b07:b0:45d:d97c:236c with SMTP id 5b1f17b1804b1-46fa9af80aemr25996645e9.21.1759936009488;
        Wed, 08 Oct 2025 08:06:49 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IG2KwVK7w0nc6qlNF6DtU+GPPGLyfBCu+TkNzQgd5FERKxIGEHSqgNZZ6bvJh0XafyVtB1jCQ==
X-Received: by 2002:a05:600c:3b07:b0:45d:d97c:236c with SMTP id 5b1f17b1804b1-46fa9af80aemr25996375e9.21.1759936009049;
        Wed, 08 Oct 2025 08:06:49 -0700 (PDT)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4255d8f017esm31014872f8f.47.2025.10.08.08.06.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 08 Oct 2025 08:06:48 -0700 (PDT)
Date: Wed, 8 Oct 2025 17:06:47 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: Cole Robinson <crobinso@redhat.com>
Subject: Re: [PATCH] isolation: keep CAP_DAC_OVERRIDE initially
Message-ID: <20251008170647.7ad18ac9@elisabeth>
In-Reply-To: <f6daf21b-5d60-46dd-afbe-35531ab89f62@redhat.com>
References: <8635494bf4747935bc2179bdb37c8c2cbbe4ed55.1759839307.git.crobinso@redhat.com>
	<20251007180232.328feebc@elisabeth>
	<229a2d1d-f899-4eae-a23c-d0613d6f2593@redhat.com>
	<20251007184913.43e897a8@elisabeth>
	<f6daf21b-5d60-46dd-afbe-35531ab89f62@redhat.com>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.49; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: qyLfPaYhpk1TUBaUjcAN5o0l8kEgBsojhK9u57eyQqU_1759936010
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: R6LZGKG57C2AJKCPGQQ2EZR2IIRMYYMW
X-Message-ID-Hash: R6LZGKG57C2AJKCPGQQ2EZR2IIRMYYMW
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: David Gibson <david@gibson.dropbear.id.au>, passt-dev@passt.top, "Richard W.M. Jones" <rjones@redhat.com>, Yumei Huang <yuhuang@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20251008170647.7ad18ac9@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/R6LZGKG57C2AJKCPGQQ2EZR2IIRMYYMW/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Wed, 8 Oct 2025 11:01:59 -0400
Cole Robinson <crobinso@redhat.com> wrote:

> On 10/7/25 12:49 PM, Stefano Brivio wrote:
> > On Tue, 7 Oct 2025 12:43:30 -0400
> > Cole Robinson <crobinso@redhat.com> wrote:
> >   
> >> On 10/7/25 12:02 PM, Stefano Brivio wrote:  
> >>> [Cc: Yumei as this is somewhat related to
> >>>  https://archives.passt.top/passt-dev/20250926011714.5978-1-yuhuang@redhat.com/,
> >>>  and David as he wrote most of this part]
> >>>
> >>> On Tue,  7 Oct 2025 08:16:39 -0400
> >>> Cole Robinson <crobinso@redhat.com> wrote:
> >>>     
> >>>> Reproducer that I'd expect to work
> >>>>
> >>>>   $ cd $HOME
> >>>>   $ sudo passt --runas $UID --socket foo.sock
> >>>>   Failed to bind UNIX domain socket: Permission denied
> >>>>
> >>>> A more practical example is for libguestfs apps when run as user=root.
> >>>>
> >>>> + libguestfs connects to libvirt qemu:///system
> >>>> + libvirt qemu:///system defaults to user=qemu.
> >>>>   + chowns passt runtime dir to user=qemu
> >>>> + libguestfs instead requests the VM run as user=root
> >>>>   + patches in progress but we are blocked by this issue
> >>>> + passt is launched as root, but can't open socket in passt dir.
> >>>>
> >>>> Obviously libvirt needs improvements too.
> >>>> But it seems like this is a defect as well.    
> >>>
> >>> Thanks for the patch! I think it's absolutely unproblematic to keep
> >>> CAP_DAC_OVERRIDE for a moment at the beginning. Did you figure out
> >>> exactly why it's needed by the way?
> >>>     
> >>
> >> Last line in the list above should read:
> >>
> >> + passt is launched as root, but can't open socket in passt dir
> >>   because it's owned by qemu.qemu  
> > 
> > ...at this point, can you perhaps come up with a complete commit message
> > also including the details Rich explained / reported?
> > 
> > No need to repost. On the other hand it's a single patch so if you
> > have a moment you might as well...
> 
> v2 sent now

Thanks!

-- 
Stefano