diff --git a/isolation.c b/isolation.c
index 19932bf..1866724 100644
--- a/isolation.c
+++ b/isolation.c
@@ -202,9 +202,11 @@ void isolate_initial(void)
 * a mapping from UID 0, which only happens with pasta spawning a child
 * from a non-init user namespace (pasta can't run as root), we need to
 * retain CAP_SETFCAP too.
+ * We also need to keep CAP_SYS_PTRACE in order to join an existing netns
+ * path under /proc/$pid/ns/net which was created in the same userns.
 */
 if (!ns_is_init() && !geteuid())
- keep |= BIT(CAP_SETFCAP);
+ keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 drop_caps_ep_except(keep);
 }
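Review bot: The `keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);` line retains CAP_SYS_PTRACE for every run as UID 0 in a non-init user namespace, whether or not a netns under /proc/$pid/ns/net is actually going to be joined, since `isolate_initial(void)` takes no argument that could tell the two cases apart. CAP_SYS_PTRACE also permits attaching to and reading the memory of other processes governed by the same userns, so it should be held only until the namespace has been entered; whether a later isolation step drops it cannot be seen from this hunk and is worth confirming. The comment would be clearer if it said why the capability is needed and when it goes away, e.g. `* Opening /proc/$pid/ns/net is subject to a ptrace access mode check, so keep CAP_SYS_PTRACE until the target netns has been joined.` The body of isolate_initial() starts outside the hunk.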