isolation: keep CAP_SYS_PTRACE when required
When pasta is started from an existing userns and tries to join the netns from another process, it fails to open /proc/$pid/ns/net due to the missing CAP_SYS_PTRACE capability in the --netns-only case.

A simple reproducer for this. First create a userns:

$ unshare -r

Then create a new netns inside it and try to join that netns with pasta.

$ unshare -n sleep inf &
$ pasta --config-net --netns /proc/$!/ns/net

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent 5b646b9b10
commit 594dce66d3
1 changed file with 3 additions and 1 deletion
@@ -202,9 +202,11 @@ void isolate_initial(void)
 	 * a mapping from UID 0, which only happens with pasta spawning a child
 	 * from a non-init user namespace (pasta can't run as root), we need to
 	 * retain CAP_SETFCAP too.
+	 * We also need to keep CAP_SYS_PTRACE in order to join an existing netns
+	 * path under /proc/$pid/ns/net which was created in the same userns.
 	 */
 	if (!ns_is_init() && !geteuid())
-		keep |= BIT(CAP_SETFCAP);
+		keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 
 	drop_caps_ep_except(keep);
 }
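Review bot: the new `keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);` line retains CAP_SYS_PTRACE whenever pasta runs as UID 0 in a non-init user namespace, not only when a netns path under /proc/$pid/ns/net is actually going to be joined, which is the case the commit message (the --netns-only case) and the new comment describe. CAP_SYS_PTRACE in a user namespace is broader than the single open() it is needed for, so consider keeping it only when a --netns path was given, or dropping it again right after the namespace file descriptor has been opened, so the capability set after drop_caps_ep_except(keep) stays minimal in the default case; the comment could then also say at which point the capability is released.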