Reproducer that I'd expect to work: $ cd $HOME $ sudo passt --runas $UID --socket foo.sock Failed to bind UNIX domain socket: Permission denied A more practical example is for libguestfs apps when run as user=root: + libguestfs connects to libvirt qemu:///system + libvirt qemu:///system defaults to user=qemu + libvirt chowns /run/libvirt/qemu/passt dir to user=qemu + libguestfs instead requests the VM run as user=root + patches in progress but we are blocked by this issue + passt is launched as root, but because CAP_DAC_OVERRIDE has been dropped, passt fails to create socket in qemu owned /run/libvirt/qemu/passt Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial. This might look sketchy, but isolate_initial already keeps CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off. Reviewed-by: David Gibson Signed-off-by: Cole Robinson --- v2: improve commit message isolation.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/isolation.c b/isolation.c index bbcd23b..b25f349 100644 --- a/isolation.c +++ b/isolation.c @@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv) * We have to keep CAP_SETUID and CAP_SETGID at this stage, so * that we can switch user away from root. * + * CAP_DAC_OVERRIDE may be required for socket setup when combined + * with --runas. + * * We have to keep some capabilities for the --netns-only case: * - CAP_SYS_ADMIN, so that we can setns() to the netns. * - Keep CAP_NET_ADMIN, so that we can configure interfaces @@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv) * isolate_prefork(). */ keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) | - BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN); + BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE); /* Since Linux 5.12, if we want to update /proc/self/uid_map to create * a mapping from UID 0, which only happens with pasta spawning a child -- 2.51.0