Re: [PATCH 07/10] isolation: Replace drop_caps() with a version that actually does something

On Tue, 11 Oct 2022 16:40:15 +1100 David Gibson wrote:

@@ -251,7 +275,19 @@ int isolate_prefork(struct ctx *c) return -errno; }

- drop_caps(); /* Relative to the new user namespace this time. */ + /* Drop capabilites in our new userns */ + if (c->mode == MODE_PASTA) { + /* Keep CAP_SYS_ADMIN, so that we can setns() to the + * netns when we need to act upon it + */ + ns_caps |= 1UL << CAP_SYS_ADMIN; + /* Keep CAP_NET_BIND_SERVICE, so we can splice + * outbound connections to low port numbers + */ + ns_caps |= 1UL << CAP_NET_BIND_SERVICE; + } + + drop_caps_ep_except(ns_caps);

Hmm, I didn't really look into this yet, but there seems to be an issue with filesystem-bound network namespaces now. Running something like: pasta --config-net --netns /run/user/1000/netns/netns-6466ff4b-1efc-2b58-685b-cbc12feb9ccc (from Podman), this happens: readlink("/proc/self/exe", "/usr/local/bin/passt.avx2", 4095) = 25 capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1< [pid 1763223] setns(7, CLONE_NEWNET) = -1 EPERM (Operation not permitted) [pid 1763223] exit(0) = ? [pid 1763222] <... clone resumed>) = 1763223 [pid 1763223] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1763223, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- waitid(P_ALL, 0, NULL, WNOHANG|WEXITED, NULL) = 0 waitid(P_ALL, 0, NULL, WNOHANG|WEXITED, NULL) = -1 ECHILD (No child processes) rt_sigreturn({mask=[]}) = 1763223 sendto(5, "<3> Couldn't switch to pasta nam"..., 40, 0, NULL, 0) = 40 write(2, "Couldn't switch to pasta namespa"..., 35Couldn't switch to pasta namespaces) = 35 write(2, "\n", 1 -- Stefano