Remove unhelpful drop_caps() call in pasta_start_ns()

drop_caps() has a number of bugs which mean it doesn't do what you'd
expect.  However, even if we fixed those, the call in pasta_start_ns()
doesn't do anything useful:

* In the common case, we're UID 0 at this point.  In this case drop_caps()
  doesn't accomplish anything, because even with capabilities dropped, we
  are still privileged.
* When attaching to an existing namespace with --userns or --netns-only
  we might not be UID 0.  In this case it's too early to drop all
  capabilities: we need at least CAP_NET_ADMIN to configure the
  tap device in the namespace.

Remove this call - we will still drop capabilities a little later in
sandbox().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
David Gibson 2022-10-14 15:25:30 +11:00 committed by Stefano Brivio
parent 01b4e71f7a
commit 6909a8e339


@ -224,8 +224,6 @@ void pasta_start_ns(struct ctx *c, int argc, char *argv[])
exit(EXIT_FAILURE);
}
drop_caps();
NS_CALL(pasta_wait_for_ns, c);
}
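Review bot: removing drop_caps() here widens the window in which pasta_start_ns() runs with its full capability set, so the hunk should be read together with sandbox(): the commit message relies on the later drop in sandbox() being reached on every path, including the --userns and --netns-only case where the process may not be UID 0 but still needs CAP_NET_ADMIN for the tap device. It would help to state in the message (or a comment next to NS_CALL(pasta_wait_for_ns, c)) that no privileged operation between this point and sandbox() depended on the old call, and to reference where the drop_caps() bugs mentioned in the first paragraph are being fixed, since the message asserts them without pointing at a follow-up.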