isolation: keep CAP_SYS_PTRACE when required
When pasta is started from an existing userns and tries to join the netns from another process it fails to open /proc/$pid/ns/net due to the missing CAP_SYS_PTRACE capability in the --netns-only case.

A simple reproducer for this. First create a userns:

    $ unshare -r

Then create a new netns inside it and try to join that netns with pasta.

    $ unshare -n sleep inf &
    $ pasta --config-net --netns /proc/$!/ns/net

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
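The open of /proc/$pid/ns/net that the commit message describes is gated by the kernel's ptrace-read access check on $pid: it passes when the caller has the target's uid/gid and the target is dumpable, or when the caller holds CAP_SYS_PTRACE in the target's user namespace (an LSM such as SELinux can add its own restrictions on top). The C program below is an added example, not part of this commit or of passt: it forks a child, optionally makes it non-dumpable so that the same-uid shortcut no longer applies, and tries the open from the parent with and without CAP_SYS_PTRACE, clearing the capability with capset(2) the way a drop mask lacking that bit would. It deliberately creates no user namespace, so it runs as an ordinary user; the helper names, the parent/child setup and the CAP_WORD/CAP_BIT macros are the example's own.

```c
/* Added example (not passt code): exercise the ptrace-read access check
 * behind /proc/<pid>/ns/net with and without CAP_SYS_PTRACE. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capability sets are arrays of 32-bit words (two with version 3). */
#define CAP_WORD(c)	((c) / 32)
#define CAP_BIT(c)	(1U << ((c) % 32))

/* Fetch our own capability sets. Returns 0 or -errno. */
static int caps_get(struct __user_cap_data_struct data[2])
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3, .pid = 0,
	};

	return syscall(SYS_capget, &hdr, data) ? -errno : 0;
}

/* 1 if CAP_SYS_PTRACE is in our effective set, 0 otherwise. */
int has_cap_sys_ptrace(void)
{
	struct __user_cap_data_struct data[2] = { { 0 } };

	if (caps_get(data))
		return 0;
	return !!(data[CAP_WORD(CAP_SYS_PTRACE)].effective &
		  CAP_BIT(CAP_SYS_PTRACE));
}

/* Clear CAP_SYS_PTRACE from our effective, permitted and inheritable sets,
 * which is what a drop mask without that bit does. Returns 0 or -errno. */
int drop_cap_sys_ptrace(void)
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3, .pid = 0,
	};
	struct __user_cap_data_struct data[2] = { { 0 } };
	int rc = caps_get(data);

	if (rc)
		return rc;
	data[CAP_WORD(CAP_SYS_PTRACE)].effective   &= ~CAP_BIT(CAP_SYS_PTRACE);
	data[CAP_WORD(CAP_SYS_PTRACE)].permitted   &= ~CAP_BIT(CAP_SYS_PTRACE);
	data[CAP_WORD(CAP_SYS_PTRACE)].inheritable &= ~CAP_BIT(CAP_SYS_PTRACE);
	return syscall(SYS_capset, &hdr, data) ? -errno : 0;
}

/* Fork a child (non-dumpable if requested, explicitly dumpable otherwise),
 * wait until it is set up, then open its /proc/<pid>/ns/net link from the
 * parent. Returns 0 if the open succeeded, else the errno from open(2). */
int probe_ns_open(int make_nondumpable)
{
	int ready[2], fd, rc;
	char path[64], byte;
	pid_t pid;

	if (pipe(ready))
		return errno;
	pid = fork();
	if (pid < 0)
		return errno;

	if (pid == 0) {
		close(ready[0]);
		prctl(PR_SET_DUMPABLE, make_nondumpable ? 0 : 1, 0, 0, 0);
		if (write(ready[1], "x", 1) != 1)	/* tell the parent we are ready */
			_exit(1);
		close(ready[1]);
		for (;;)
			pause();
	}

	close(ready[1]);
	rc = read(ready[0], &byte, 1) == 1 ? 0 : EIO;
	close(ready[0]);

	if (!rc) {
		snprintf(path, sizeof(path), "/proc/%d/ns/net", (int)pid);
		fd = open(path, O_RDONLY | O_CLOEXEC);
		if (fd < 0)
			rc = errno;
		else
			close(fd);
	}

	kill(pid, SIGKILL);
	waitpid(pid, NULL, 0);
	return rc;
}

int main(void)
{
	int rc;

	printf("CAP_SYS_PTRACE effective: %s\n", has_cap_sys_ptrace() ? "yes" : "no");
	rc = probe_ns_open(0);
	printf("dumpable child:               %s\n", rc ? strerror(rc) : "opened");
	rc = probe_ns_open(1);
	printf("non-dumpable child:           %s\n", rc ? strerror(rc) : "opened");
	if (!drop_cap_sys_ptrace()) {
		rc = probe_ns_open(1);
		printf("same, after dropping the cap: %s\n", rc ? strerror(rc) : "opened");
	}
	return 0;
}
```

Run as an unprivileged user the first open succeeds on the uid match, the non-dumpable child yields EACCES, and it stays EACCES after the drop; run with CAP_SYS_PTRACE in the effective set the non-dumpable open succeeds until the capability is cleared, which is the transition the isolation code has to avoid when it computes its keep mask.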
parent 5b646b9b10
commit 594dce66d3
1 changed file with 3 additions and 1 deletion
@ -202,9 +202,11 @@ void isolate_initial(void)
* a mapping from UID 0, which only happens with pasta spawning a child
* from a non-init user namespace (pasta can't run as root), we need to
* retain CAP_SETFCAP too.
* We also need to keep CAP_SYS_PTRACE in order to join an existing netns
* path under /proc/$pid/ns/net which was created in the same userns.
*/
if (!ns_is_init() && !geteuid())
keep |= BIT(CAP_SETFCAP);
keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
|
drop_caps_ep_except(keep);
}
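Review bot: `keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);` now retains CAP_SYS_PTRACE on every run that reaches the `if (!ns_is_init() && !geteuid())` branch, while the commit message confines the failure to the --netns-only case; if isolate_initial() can tell at this point whether a /proc/$pid/ns/net path is going to be opened, consider adding the CAP_SYS_PTRACE bit only then, so that the spawn-a-child case keeps the smaller set it had before this change. The new comment lines also say the capability is needed "in order to join an existing netns path", but what CAP_SYS_PTRACE satisfies is the ptrace-read access check the kernel applies when /proc/$pid/ns/net is opened, not the setns() that follows; saying so in the comment would document why this particular capability, and not another, has to survive drop_caps_ep_except().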