From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: passt.top; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Miyw1xfF; dkim-atps=neutral Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by passt.top (Postfix) with ESMTPS id 87EA75A0619 for ; Wed, 08 Oct 2025 17:01:41 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1759935700; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Tl38wuXPbNvF1fAAqvtwO15FRdhvNbXuCNegVBGCEX4=; b=Miyw1xfFwNjMCe5u5KRCCVegzaR5y1vhz3ok538Ep0TG5RlORwrlywD1SEQvfVJDKvbvBf PnaoSK/AoaYsuJKfy/apCjg4pKTi61sdd1rIJb8hx22KUNy8aP3Bk4viPKslCkdHWbscaD 3JdENo9Mm6Jkbz4Gf6m5wPtWdMWe4Pw= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-482-2EyI0eSNMiKi5LmUEnqHfg-1; Wed, 08 Oct 2025 11:01:39 -0400 X-MC-Unique: 2EyI0eSNMiKi5LmUEnqHfg-1 X-Mimecast-MFC-AGG-ID: 2EyI0eSNMiKi5LmUEnqHfg_1759935698 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 663771800290; Wed, 8 Oct 2025 15:01:37 +0000 (UTC) Received: from colepc.redhat.com (unknown [10.22.66.151]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 7E7E41800452; Wed, 8 Oct 2025 15:01:35 +0000 (UTC) From: Cole Robinson To: passt-dev@passt.top Subject: [PATCH v2] isolation: keep CAP_DAC_OVERRIDE initially Date: Wed, 8 Oct 2025 11:01:33 -0400 Message-ID: <38d6578a1d8dd10e96b0f1d8e6a29ff5db17f57d.1759935556.git.crobinso@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: u36uWpQfO6vzASWsBopqrFFTfsvrR0Y75wpQs-rSCL4_1759935698 X-Mimecast-Originator: redhat.com Content-type: text/plain Content-Transfer-Encoding: 8bit X-MailFrom: crobinso@redhat.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation Message-ID-Hash: 3IUWDTNPYZYGDR7XKQNSLMKZIK6V7BQC X-Message-ID-Hash: 3IUWDTNPYZYGDR7XKQNSLMKZIK6V7BQC X-Mailman-Approved-At: Wed, 08 Oct 2025 17:06:29 +0200 CC: sbrivio@redhat.com, david@gibson.dropbear.id.au, Cole Robinson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Reproducer that I'd expect to work: $ cd $HOME $ sudo passt --runas $UID --socket foo.sock Failed to bind UNIX domain socket: Permission denied A more practical example is for libguestfs apps when run as user=root: + libguestfs connects to libvirt qemu:///system + libvirt qemu:///system defaults to user=qemu + libvirt chowns /run/libvirt/qemu/passt dir to user=qemu + libguestfs instead requests the VM run as user=root + patches in progress but we are blocked by this issue + passt is launched as root, but because CAP_DAC_OVERRIDE has been dropped, passt fails to create socket in qemu owned /run/libvirt/qemu/passt Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial. This might look sketchy, but isolate_initial already keeps CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off. Reviewed-by: David Gibson Signed-off-by: Cole Robinson --- v2: improve commit message isolation.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/isolation.c b/isolation.c index bbcd23b..b25f349 100644 --- a/isolation.c +++ b/isolation.c @@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv) * We have to keep CAP_SETUID and CAP_SETGID at this stage, so * that we can switch user away from root. * + * CAP_DAC_OVERRIDE may be required for socket setup when combined + * with --runas. + * * We have to keep some capabilities for the --netns-only case: * - CAP_SYS_ADMIN, so that we can setns() to the netns. * - Keep CAP_NET_ADMIN, so that we can configure interfaces @@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv) * isolate_prefork(). */ keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) | - BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN); + BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE); /* Since Linux 5.12, if we want to update /proc/self/uid_map to create * a mapping from UID 0, which only happens with pasta spawning a child -- 2.51.0