From 594dce66d3bbe30fa3f7ccce8b8eebb0bf3e7f2e Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Fri, 23 Jun 2023 10:25:32 +0200
Subject: [PATCH] isolation: keep CAP_SYS_PTRACE when required

When pasta is started from an existing userns and tries to join the netns from another process it fails to open /proc/$pid/ns/net due the missing CAP_SYS_PTRACE capability in the --netns-only case. A simple reproducer for this. First create a userns: $ unshare -r Then create a new netns inside it and try to join that netns with pasta. $ unshare -n sleep inf & $ pasta --config-net --netns /proc/$!/ns/net

Signed-off-by: Paul Holzinger
Signed-off-by: Stefano Brivio
---
 isolation.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/isolation.c b/isolation.c
index 19932bf..1866724 100644
--- a/isolation.c
+++ b/isolation.c
@@ -202,9 +202,11 @@ void isolate_initial(void)
 * a mapping from UID 0, which only happens with pasta spawning a child
 * from a non-init user namespace (pasta can't run as root), we need to
 * retain CAP_SETFCAP too.
+ * We also need to keep CAP_SYS_PTRACE in order to join an existing netns
+ * path under /proc/$pid/ns/net which was created in the same userns.
 */
 if (!ns_is_init() && !geteuid())
- keep |= BIT(CAP_SETFCAP);
+ keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 
 drop_caps_ep_except(keep);
 }
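Review bot: The added `BIT(CAP_SYS_PTRACE)` is retained for every run that satisfies `!ns_is_init() && !geteuid()`, not only when a `--netns` path is actually going to be joined, so the capability survives in the effective set in more configurations than the commit message describes. Because `isolate_initial(void)` takes no configuration, the narrower options are to drop CAP_SYS_PTRACE as soon as the `/proc/$pid/ns/net` descriptor has been opened, or to have the caller pass in whether a netns path will be joined and add the bit only then. Either way the new comment should state the capability's lifetime, e.g. `* It is dropped again once the target netns has been opened.` — assuming a later isolation stage does drop it; if nothing does, that is the gap to close. The body of `isolate_initial` begins before this hunk.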