Skip to content

Read cap_last_cap before entering target namespace#683

Merged
Mic92 merged 1 commit intomainfrom
no-fuse
Nov 8, 2025
Merged

Read cap_last_cap before entering target namespace#683
Mic92 merged 1 commit intomainfrom
no-fuse

Conversation

@Mic92
Copy link
Copy Markdown
Owner

@Mic92 Mic92 commented Nov 8, 2025

When attaching to systemd units with ProtectProc=invisible, /proc/sys/kernel/cap_last_cap is not accessible from within the namespace. This caused cntr to fail with "No such file or directory" errors.

Fix by reading cap_last_cap in the host namespace (in procfs::status()) before transitioning into the target namespace. The value is stored in ProcStatus and passed to capabilities::drop() when needed.

Fixes: #606

@Mic92
Read cap_last_cap before entering target namespace
d6ba64f 
When attaching to systemd units with ProtectProc=invisible,
/proc/sys/kernel/cap_last_cap is not accessible from within the namespace.
This caused cntr to fail with "No such file or directory" errors.

Fix by reading cap_last_cap in the host namespace (in procfs::status())
before transitioning into the target namespace. The value is stored in
ProcStatus and passed to capabilities::drop() when needed.

Fixes: #606
@Mic92 Mic92 enabled auto-merge November 8, 2025 14:06
@Mic92 Mic92 merged commit 106c17a into main Nov 8, 2025
5 checks passed
@Mic92 Mic92 deleted the no-fuse branch November 8, 2025 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

failing to enter certain systemd units

1 participant

@Mic92