On Wed, 8 Oct 2025 11:01:33 -0400
Cole Robinson
Reproducer that I'd expect to work:
$ cd $HOME
$ sudo passt --runas $UID --socket foo.sock
Failed to bind UNIX domain socket: Permission denied
A more practical example is for libguestfs apps when run as user=root:
+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu
+ libvirt chowns /run/libvirt/qemu/passt dir to user=qemu
+ libguestfs instead requests the VM run as user=root
+ patches in progress but we are blocked by this issue
+ passt is launched as root, but because CAP_DAC_OVERRIDE has been dropped, passt fails to create socket in qemu owned /run/libvirt/qemu/passt
Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial.
This might look sketchy, but isolate_initial already keeps CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off.
Reviewed-by: David Gibson
Signed-off-by: Cole Robinson
---
v2: improve commit message
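The failure mode behind the reproducer above, as an added example that is not passt's own code: a small C program that binds an AF_UNIX socket inside a freshly created 0555 directory, then drops only CAP_DAC_OVERRIDE from its own capability sets with raw capset(2) and tries again. It assumes Linux and a writable TMPDIR or /tmp; the directory name, the socket name foo.sock and the helper names are the example's own, and it does not reproduce the full capability set that isolate_initial() keeps, only the one capability at issue. Run as root (or as root inside a user namespace), the first bind succeeds because CAP_DAC_OVERRIDE bypasses the directory's mode bits and the second fails with EACCES, the "Permission denied" from the reproducer; run unprivileged, both attempts fail with EACCES, since lowering capabilities is always allowed and is simply a no-op there.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a scratch directory (assumption: TMPDIR or /tmp is writable) and
 * strip its write bits, so creating anything inside it needs CAP_DAC_OVERRIDE
 * even for the directory's owner. Fills 'dir'; returns 0 or an errno value. */
static int make_readonly_dir(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR");

    if (!base || !*base)
        base = "/tmp";
    if (snprintf(dir, len, "%s/dac-demo.XXXXXX", base) >= (int)len)
        return ENAMETOOLONG;
    if (!mkdtemp(dir))
        return errno;
    if (chmod(dir, 0555) < 0)
        return errno;
    return 0;
}

/* Bind an AF_UNIX socket at 'path', as passt --socket does.
 * Returns 0 on success (socket file removed again) or the bind() errno. */
static int try_bind(const char *path)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, ret = 0;

    if (strlen(path) >= sizeof(addr.sun_path))
        return ENAMETOOLONG;
    strcpy(addr.sun_path, path);

    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return errno;
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        ret = errno;
    else
        unlink(path); /* only reached when we could write to the directory */
    close(fd);
    return ret;
}

/* One reproducer round: bind inside a fresh 0555 directory, then clean up.
 * Returns 0 if bind succeeded, else errno (EACCES without CAP_DAC_OVERRIDE). */
int bind_in_readonly_dir(void)
{
    char dir[256], path[sizeof(dir) + 16];
    int ret;

    ret = make_readonly_dir(dir, sizeof(dir));
    if (ret)
        return ret;
    snprintf(path, sizeof(path), "%s/foo.sock", dir);
    ret = try_bind(path);
    rmdir(dir); /* needs write access to the parent, not to 'dir' itself */
    return ret;
}

/* Drop CAP_DAC_OVERRIDE from the effective, permitted and inheritable sets
 * with raw capset(2): the stricter behaviour this patch removes from
 * isolate_initial(). Lowering capabilities needs no privilege, so an
 * unprivileged caller just sees a no-op. Returns 0 or an errno value. */
int drop_dac_override(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0, /* the calling thread */
    };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned idx = CAP_TO_INDEX(CAP_DAC_OVERRIDE);
    unsigned mask = CAP_TO_MASK(CAP_DAC_OVERRIDE);

    if (syscall(SYS_capget, &hdr, data) < 0)
        return errno;
    data[idx].effective &= ~mask;
    data[idx].permitted &= ~mask;
    data[idx].inheritable &= ~mask;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return errno;
    return 0;
}

int main(void)
{
    int before = bind_in_readonly_dir(), after;

    printf("euid %u, with CAP_DAC_OVERRIDE as inherited: %s\n", geteuid(),
           before ? strerror(before) : "bind succeeded");
    if (drop_dac_override())
        perror("capset");
    after = bind_in_readonly_dir();
    printf("after dropping CAP_DAC_OVERRIDE: %s\n",
           after ? strerror(after) : "bind succeeded");
    return 0;
}
```

The check mirrors what libvirt's setup exercises: a root process whose bounding and effective sets were trimmed by isolate_initial() no longer gets the DAC bypass that root normally has, so the qemu-owned socket directory is as closed to it as to any other non-owner.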
Applied, thanks, and welcome to the git log! -- Stefano