On 10/7/25 12:49 PM, Stefano Brivio wrote:
On Tue, 7 Oct 2025 12:43:30 -0400 Cole Robinson wrote:
On 10/7/25 12:02 PM, Stefano Brivio wrote:
[Cc: Yumei as this is somewhat related to https://archives.passt.top/passt-dev/20250926011714.5978-1-yuhuang@redhat.co..., and David as he wrote most of this part]
On Tue, 7 Oct 2025 08:16:39 -0400 Cole Robinson wrote:
Reproducer that I'd expect to work
$ cd $HOME
$ sudo passt --runas $UID --socket foo.sock
Failed to bind UNIX domain socket: Permission denied
A more practical example is for libguestfs apps when run as user=root.
+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu.
+ chowns passt runtime dir to user=qemu
+ libguestfs instead requests the VM run as user=root
+ patches in progress but we are blocked by this issue
+ passt is launched as root, but can't open socket in passt dir.
Obviously libvirt needs improvements too. But it seems like this is a defect as well.
Thanks for the patch! I think it's absolutely unproblematic to keep CAP_DAC_OVERRIDE for a moment at the beginning. Did you figure out exactly why it's needed by the way?
Last line in the list above should read:
+ passt is launched as root, but can't open socket in passt dir because it's owned by qemu.qemu
...at this point, can you perhaps come up with a complete commit message also including the details Rich explained / reported?
No need to repost. On the other hand it's a single patch so if you have a moment you might as well...
v2 sent now

Thanks,
Cole