From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: Lisanna Dettwyler <lisanna.dettwyler@gmail.com>,
passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
Subject: Re: Startup fd to avoid busywaits
Date: Wed, 03 Jun 2026 17:45:21 +0200 (CEST) [thread overview]
Message-ID: <20260603174519.15748f97@elisabeth> (raw)
In-Reply-To: <ah_0B3F3RIkvMuTP@zatzit>
On Wed, 3 Jun 2026 19:29:43 +1000
David Gibson <david@gibson.dropbear.id.au> wrote:
> On Tue, Jun 02, 2026 at 06:23:29PM -0400, Lisanna Dettwyler wrote:
> > Hi Stefano,
> >
> > Indeed it would be useful if the capability dropping could be modified or
> > moved until after the net and user namespaces were opened. I'm not that
> > familiar with the codebase so I'm not sure where would be the best spot for
> > that to be moved to or what capability needs to not be dropped.
>
> We certainly could delay the capability drop, but whether it's wise is
> a different question. The longer we leave it, the greater attack
> surface we have while still privileged.
>
> Waiting until after the namespaces are opened means we've at least
> parsed the command line, which is a fair bit of code. On the other
> hand we shouldn't have opened listening network sockets yet, so we
> should have relatively little exposure to either external or guest
> traffic.
Right, I guess that's the most fundamental distinction in deciding when
to drop capabilities or enforce whatever kind of restrictions, but the
rest is still nice to have as soon as possible, so here we would really
need to understand what the problem is (I didn't, yet).
For example, Podman passes a pre-made network namespace (via --netns),
and we needed commit 594dce66d3bb ("isolation: keep CAP_SYS_PTRACE when
required") to be able to join it, but I really have no idea why we
could possibly need anything else to join one by PID, and it looks like
that comment about capabilities was added after that commit.
But maybe that issue was caused by some other issue that has been solved
meanwhile? I guess that should be checked first. If it's not solved, a
small stand-alone reproducer would be helpful.
--
Stefano
prev parent reply other threads:[~2026-06-03 15:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 17:08 Lisanna Dettwyler
2026-05-27 19:39 ` Paul Holzinger
2026-05-27 19:39 ` Stefano Brivio
2026-06-02 18:51 ` Lisanna Dettwyler
2026-06-02 22:23 ` Lisanna Dettwyler
2026-06-03 9:29 ` David Gibson
2026-06-03 15:45 ` Stefano Brivio [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603174519.15748f97@elisabeth \
--to=sbrivio@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=lisanna.dettwyler@gmail.com \
--cc=passt-dev@passt.top \
--cc=pholzing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).