Reproducer that I'd expect to work:
$ cd $HOME
$ sudo passt --runas $UID --socket foo.sock
Failed to bind UNIX domain socket: Permission denied
A more practical example is for libguestfs apps when run as user=root:
+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu
+ libvirt chowns /run/libvirt/qemu/passt dir to user=qemu
+ libguestfs instead requests the VM run as user=root
+ patches in progress but we are blocked by this issue
+ passt is launched as root, but because CAP_DAC_OVERRIDE has been
dropped, passt fails to create socket in qemu owned
/run/libvirt/qemu/passt
Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial.
This might look sketchy, but isolate_initial already keeps
CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off.
Reviewed-by: David Gibson
Signed-off-by: Cole Robinson
---
v2: improve commit message
isolation.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/isolation.c b/isolation.c
index bbcd23b..b25f349 100644
--- a/isolation.c
+++ b/isolation.c
@@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv)
* We have to keep CAP_SETUID and CAP_SETGID at this stage, so
* that we can switch user away from root.
*
+ * CAP_DAC_OVERRIDE may be required for socket setup when combined
+ * with --runas.
+ *
* We have to keep some capabilities for the --netns-only case:
* - CAP_SYS_ADMIN, so that we can setns() to the netns.
* - Keep CAP_NET_ADMIN, so that we can configure interfaces
@@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv)
* isolate_prefork().
*/
keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) |
- BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);
+ BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE);
/* Since Linux 5.12, if we want to update /proc/self/uid_map to create
* a mapping from UID 0, which only happens with pasta spawning a child
--
2.51.0