Remove unhelpful drop_caps() call in pasta_start_ns()

drop_caps() has a number of bugs which mean it doesn't do what you'd
expect.  However, even if we fixed those, the call in pasta_start_ns()
doesn't do anything useful:

* In the common case, we're UID 0 at this point.  In this case drop_caps()
  doesn't accomplish anything, because even with capabilities dropped, we
  are still privileged.
* When attaching to an existing namespace with --userns or --netns-only
  we might not be UID 0.  In this case it's too early to drop all
  capabilities: we need at least CAP_NET_ADMIN to configure the
  tap device in the namespace.

Remove this call - we will still drop capabilities a little later in
sandbox().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
David Gibson 2022-10-14 15:25:30 +11:00 committed by Stefano Brivio
parent 01b4e71f7a
commit 6909a8e339

View file

@ -224,8 +224,6 @@ void pasta_start_ns(struct ctx *c, int argc, char *argv[])
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
drop_caps();
NS_CALL(pasta_wait_for_ns, c); NS_CALL(pasta_wait_for_ns, c);
} }