Date: Wed, 8 Oct 2025 11:15:45 +1100
From: David Gibson
To: Cole Robinson
Cc: passt-dev@passt.top, "Richard W.M. Jones"
Subject: Re: [PATCH] isolation: keep CAP_DAC_OVERRIDE initially
In-Reply-To: <8635494bf4747935bc2179bdb37c8c2cbbe4ed55.1759839307.git.crobinso@redhat.com>

On Tue, Oct 07, 2025 at 08:16:39AM -0400, Cole Robinson wrote:
> Reproducer that I'd expect to work
> 
> $ cd $HOME
> $ sudo passt --runas $UID --socket foo.sock
> Failed to bind UNIX domain socket: Permission denied
> 
> A more practical example is for libguestfs apps when run as user=root.
> 
> + libguestfs connects to libvirt qemu:///system
> + libvirt qemu:///system defaults to user=qemu.
> + chowns passt runtime dir to user=qemu
> + libguestfs instead requests the VM run as user=root
> + patches in progress but we are blocked by this issue
> + passt is launched as root, but can't open socket in passt dir.
> 
> Obviously libvirt needs improvements too.
> But it seems like this is a defect as well.
> 
> Signed-off-by: Cole Robinson

Reviewed-by: David Gibson

I was momentarily dismayed by keeping such a powerful capability... then I
realised we already keep CAP_SETUID and CAP_SYS_ADMIN.  As the comment says,
it's not clear if dropping the relatively few and weak capabilities we do
here is useful, but we might as well - the "real" drop of capabilities is in
isolate_user().

> ---
>  isolation.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/isolation.c b/isolation.c
> index bbcd23b..b25f349 100644
> --- a/isolation.c
> +++ b/isolation.c
> @@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv)
>  	 * We have to keep CAP_SETUID and CAP_SETGID at this stage, so
>  	 * that we can switch user away from root.
>  	 *
> +	 * CAP_DAC_OVERRIDE may be required for socket setup when combined
> +	 * with --runas.
> +	 *
>  	 * We have to keep some capabilities for the --netns-only case:
>  	 *  - CAP_SYS_ADMIN, so that we can setns() to the netns.
>  	 *  - Keep CAP_NET_ADMIN, so that we can configure interfaces
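Review bot: the comment added in the first hunk says CAP_DAC_OVERRIDE "may be required for socket setup when combined with --runas" but not why, while the reproducer in the description makes the reason concrete: after this point the process is still UID 0 but, without CAP_DAC_OVERRIDE, can no longer create the UNIX socket in a directory owned by the --runas user. Suggest stating that in the comment, together with where the capability is finally dropped (the review text above points at isolate_user()), so a reader can check that keeping it here does not extend past the user switch.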
> @@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv)
>  	 * isolate_prefork().
>  	 */
>  	keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) |
> -	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);
> +	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE);
>  
>  	/* Since Linux 5.12, if we want to update /proc/self/uid_map to create
>  	 * a mapping from UID 0, which only happens with pasta spawning a child
> -- 
> 2.51.0
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
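Review bot: the second hunk adds CAP_DAC_OVERRIDE to keep unconditionally, although the new comment scopes the need to --runas, so every invocation retains a capability that bypasses file permission checks until the later drop. If the --runas socket path is the only user, consider adding the bit to keep only when that option was given (isolate_initial() receives argv), or else say in the comment that isolate_user() drops it shortly afterwards so the widened window is bounded.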
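Added example, not part of this patch or of passt's own code: a small C program that reads CapEff from /proc/self/status and compares it with the keep set the hunk builds, reconstructed here as isolate_initial_keep() with a flag selecting the set before or after the patch, and reports any capability the process holds beyond that set. This is the kind of check one runs on a process at a given isolation stage to confirm it retains only the documented capabilities. The status-field parser, the function names and the sample status text in the test are this example's own; the capability numbers are those of linux/capability.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as assigned in linux/capability.h, defined here so the
 * example builds without the kernel header. */
#ifndef CAP_DAC_OVERRIDE
#define CAP_DAC_OVERRIDE     1
#define CAP_SETGID           6
#define CAP_SETUID           7
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN        12
#define CAP_SYS_ADMIN        21
#endif

#define BIT(n) (UINT64_C(1) << (n))

/* The keep set of isolate_initial() as it reads before (0) and after (1)
 * the patch; reconstructed from the hunk, not copied from passt. */
uint64_t isolate_initial_keep(int with_dac_override)
{
	uint64_t keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) |
			BIT(CAP_SETGID) | BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);

	if (with_dac_override)
		keep |= BIT(CAP_DAC_OVERRIDE);
	return keep;
}

/* Find one "CapXxx:\t<hex>" field in /proc/<pid>/status text.
 * Returns 1 and stores the mask in *out, or 0 if the field is absent. */
int capmask_from_status(const char *text, const char *field, uint64_t *out)
{
	size_t flen = strlen(field);
	const char *p = text;

	while (p && *p) {
		if (!strncmp(p, field, flen) && p[flen] == ':') {
			/* strtoull() skips the tab after the colon */
			*out = strtoull(p + flen + 1, NULL, 16);
			return 1;
		}
		p = strchr(p, '\n');
		if (p)
			p++;
	}
	return 0;
}

/* Capabilities present in 'held' that the expected 'keep' set does not cover */
uint64_t caps_beyond_keep(uint64_t held, uint64_t keep)
{
	return held & ~keep;
}

int cap_held(uint64_t mask, int cap)
{
	return (mask & BIT(cap)) != 0;
}

/* Read /proc/self/status into a static buffer; NULL if unavailable */
static char *read_self_status(void)
{
	static char buf[8192];
	FILE *f = fopen("/proc/self/status", "r");
	size_t n;

	if (!f)
		return NULL;
	n = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[n] = '\0';
	return buf;
}

int main(void)
{
	char *status = read_self_status();
	uint64_t eff, extra;
	int cap;

	if (!status || !capmask_from_status(status, "CapEff", &eff)) {
		fprintf(stderr, "cannot read CapEff from /proc/self/status\n");
		return 1;
	}
	printf("CapEff: %016llx\n", (unsigned long long)eff);
	printf("CAP_DAC_OVERRIDE held: %s\n",
	       cap_held(eff, CAP_DAC_OVERRIDE) ? "yes" : "no");

	/* Anything outside the post-patch keep set is worth a second look */
	extra = caps_beyond_keep(eff, isolate_initial_keep(1));
	for (cap = 0; cap < 64; cap++)
		if (cap_held(extra, cap))
			printf("held beyond keep set: capability %d\n", cap);
	return 0;
}
```

Run it as an unprivileged user and CapEff is normally all zeros; run it under sudo and the full root set shows up as "held beyond keep set" lines, which is the before/after picture the patch changes by exactly one bit.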