From: Stefano Brivio
To: David Gibson
CC: Lisanna Dettwyler, passt-dev@passt.top, Paul Holzinger
Subject: Re: Startup fd to avoid busywaits
Date: Wed, 03 Jun 2026 17:45:21 +0200 (CEST)
Message-ID: <20260603174519.15748f97@elisabeth>
References: <20260527213924.2586bca5@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Wed, 3 Jun 2026 19:29:43 +1000
David Gibson wrote:

> On Tue, Jun 02, 2026 at 06:23:29PM -0400, Lisanna Dettwyler wrote:
> > Hi Stefano,
> >
> > Indeed it would be useful if the capability dropping could be modified or
> > moved until after the net and user namespaces were opened. I'm not that
> > familiar with the codebase so I'm not sure where would be the best spot for
> > that to be moved to or what capability needs to not be dropped.
>
> We certainly could delay the capability drop, but whether it's wise is
> a different question. The longer we leave it, the greater attack
> surface we have while still privileged.
>
> Waiting until after the namespaces are opened means we've at least
> parsed the command line, which is a fair bit of code. On the other
> hand we shouldn't have opened listening network sockets yet, so we
> should have relatively little exposure to either external or guest
> traffic.

Right, I guess that's the most fundamental distinction in deciding when
to drop capabilities or enforce whatever kind of restrictions, but the
rest is still nice to have as soon as possible, so here we would really
need to understand what the problem is (I didn't, yet).

For example, Podman passes a pre-made network namespace (via --netns),
and we needed commit 594dce66d3bb ("isolation: keep CAP_SYS_PTRACE when
required") to be able to join it, but I really have no idea why we could
possibly need anything else to join one by PID, and it looks like that
comment about capabilities was added after that commit.

But maybe that issue was caused by some other issue that has been solved
meanwhile? I guess that should be checked first. If it's not solved, a
small stand-alone reproducer would be helpful.

-- 
Stefano
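As an added illustration of the ordering discussed in this thread (join the pre-made network namespace by PID first, then drop capabilities before any socket is opened), here is a hypothetical stand-alone C program; it is not passt's code and not from anyone in the thread. The function names, the raw capget/capset wrapper, and the assumption that the join needs only CAP_SYS_PTRACE (to open /proc/PID/ns/net) and CAP_SYS_ADMIN (for setns()) are mine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

static struct __user_cap_header_struct cap_hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0: calling thread */

/* Permitted capability set of the calling thread as a 64-bit mask. */
static uint64_t permitted_caps(void)
{
	struct __user_cap_data_struct d[2] = { { 0 } };
	syscall(SYS_capget, &cap_hdr, d);	/* on failure d stays zero: "no caps" */
	return (uint64_t)d[1].permitted << 32 | d[0].permitted;
}

/* Drop every capability not in 'keep'. Sets only shrink, so this succeeds unprivileged too. */
static int drop_caps_except(uint64_t keep)
{
	struct __user_cap_data_struct d[2] = { { 0 } };
	uint64_t p = permitted_caps() & keep;
	d[0].permitted = d[0].effective = (uint32_t)p;
	d[1].permitted = d[1].effective = (uint32_t)(p >> 32);
	return syscall(SYS_capset, &cap_hdr, d) ? -1 : 0;
}

/* Join the netns of 'pid': open() needs CAP_SYS_PTRACE, setns() needs CAP_SYS_ADMIN. */
static int join_netns_by_pid(pid_t pid)
{
	char path[64];
	snprintf(path, sizeof(path), "/proc/%d/ns/net", (int)pid);
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	int rc = setns(fd, CLONE_NEWNET);
	close(fd);
	return rc;
}

int main(void)
{
	/* Keep only what the join needs, join (our own netns here, to exercise it), then drop the rest. */
	drop_caps_except(1ULL << CAP_SYS_PTRACE | 1ULL << CAP_SYS_ADMIN);
	int rc = join_netns_by_pid(getpid());
	drop_caps_except(0);
	return rc ? 1 : 0;
}
```

Run as an unprivileged user the join fails with EPERM and the process ends with an empty capability set either way; the drop after the join is what bounds the privileged window to the namespace setup.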