Retain all caps when invoked by uid 0#205
Retain all caps when invoked by uid 0#205cgwalters wants to merge 1 commit intocontainers:masterfrom
Conversation
|
The change makes sense to me. |
|
But this will still cause https://pagure.io/releng/issue/6550 to regress though, right? Since we're still unconditionally calling |
|
That's true, though actually cde7fab already triggered this since we started dropping caps for the init process. It's pretty tempting to patch systemd to stop doing that seccomp filter for |
…lter In <containers#101>, specifically commit cde7fab we started dropping all capabilities, even if the caller was privileged. This broke rpm-ostree, which runs RPM scripts using bwrap, and some of those scripts depend on capabilities (mostly `CAP_DAC_OVERRIDE`). Fix this by retaining capabilities by default if the caller's uid is zero. I considered having the logic be to simply retain any capabilities the invoking process has (imagine filecaps binaries like `ping` or `/usr/bin/gnome-keyring-daemon` using bwrap) but we currently explicitly abort in that scenario to catch broken packages which used file capabilites for bwrap itself (we switched to suid). For now this works, and if down the line there's a real-world use case for capability-bearing non-zero-uid processes to invoke bwrap *and* retain those privileges, we can revisit. Another twist here is that we need to do some gymnastics to first avoid calling `capset()` if we don't need to, as that can fail due to systemd installing a seccomp filter that denies it (for dubious reasons). Then we also need to ignore `EPERM` when dropping caps in the init process. (I considered unilaterally handling `EPERM`, but it seems nicer to avoid calling `capset()` unless we need to) Closes: containers#197
cgwalters
force-pushed
the
privileged-caps
branch
from
85af710 to
98667f6
Compare
|
Updated to work around this. Good catch! Tested with: |
|
Makes sense to me to, and the patch looks good. Some issue with the CI though |
|
bot, retest this please |
|
We had some issues with the Fedora Registry last week, though that should be resolved now. |
|
@rh-atomic-bot r=alexlarsson 98667f6 |
|
☀️ Test successful - status-redhatci |
In containers/bubblewrap#205, the issue that we were seeing with `bubblewrap` (containers/bubblewrap#101) was fixed. As such, we can thaw out `bubblewrap` and continue to track git master.
In containers/bubblewrap#205, the issue that we were seeing with `bubblewrap` (containers/bubblewrap#101) was fixed. As such, we can thaw out `bubblewrap` and continue to track git master.
5 participants
In #101, specifically
commit cde7fab we started dropping
all capabilities, even if the caller was privileged.
This broke rpm-ostree, which runs RPM scripts using bwrap, and some
of those scripts depend on capabilities (mostly
CAP_DAC_OVERRIDE).Fix this by retaining capabilities by default if the caller's uid is zero.
I considered having the logic be to simply retain any capabilities the invoking
process has (imagine filecaps binaries like
pingor/usr/bin/gnome-keyring-daemonusing bwrap) but we currently explicitly abortin that scenario to catch broken packages which used file capabilites for bwrap
itself (we switched to suid). For now this works, and if down the line there's a
real-world use case for capability-bearing non-zero-uid processes to invoke
bwrap and retain those privileges, we can revisit.
Closes: #197