Re: [PATCH] isolation: keep CAP_DAC_OVERRIDE initially

On Tue, 7 Oct 2025 12:43:30 -0400 Cole Robinson wrote:

On 10/7/25 12:02 PM, Stefano Brivio wrote:

...

[Cc: Yumei as this is somewhat related to https://archives.passt.top/passt-dev/20250926011714.5978-1-yuhuang@redhat.co..., and David as he wrote most of this part]

On Tue, 7 Oct 2025 08:16:39 -0400 Cole Robinson wrote:

...

Reproducer that I'd expect to work

$ cd $HOME $ sudo passt --runas $UID --socket foo.sock Failed to bind UNIX domain socket: Permission denied

A more practical example is for libguestfs apps when run as user=root.

+ libguestfs connects to libvirt qemu:///system + libvirt qemu:///system defaults to user=qemu. + chowns passt runtime dir to user=qemu + libguestfs instead requests the VM run as user=root + patches in progress but we are blocked by this issue + passt is launched as root, but can't open socket in passt dir.

Obviously libvirt needs improvements too. But it seems like this is a defect as well.

Thanks for the patch! I think it's absolutely unproblematic to keep CAP_DAC_OVERRIDE for a moment at the beginning. Did you figure out exactly why it's needed by the way?

Last line in the list above should read:

+ passt is launched as root, but can't open socket in passt dir because it's owned by qemu.qemu

...at this point, can you perhaps come up with a complete commit message also including the details Rich explained / reported? No need to repost. On the other hand it's a single patch so if you have a moment you might as well...

...

...

Signed-off-by: Cole Robinson

Should we add:

Link: https://github.com/libguestfs/libguestfs/pull/218

? Or it's misleading, or you omitted it for any other reason?

Works for me! I did not intentionally omit it

Thanks, Cole

-- Stefano