New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
capabilities: raise ambient capabilities #2332
capabilities: raise ambient capabilities #2332
Conversation
//cc @3XX0, you definitely need a custom mount binary though. :) But I could get the following hook to run successfully with this patch:
where
|
6938358
to
ad2ce6b
Compare
Seems to work fine with the nvidia hook after I relaxed our checks on uid 0 🎉
But yes, LXCFS on the other hand will need a helper binary since libmount checks for root privileges. |
ad2ce6b
to
beaa6cc
Compare
@3XX0, caps should now be lowered. :) Please test. :)
I'm wiping both ambient and effective. |
beaa6cc
to
2e4b638
Compare
If you want more fancy useages of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you think of any case where a site would want to run with non-root uid, but want hooks to be run without privilege? I can't, but if there is any such use case then we need to clearly document that they will have to somehow drop the caps. If not then no problem.
|
||
out: | ||
|
||
cap_free(cap_names); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this just be free(cap_names) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the manpage you're supposed to use cap_free()
:
cap_to_text() converts the capability state in working storage identified
by cap_p into a nul-terminated human-readable string. This function allo‐
cates any memory necessary to contain the string, and returns a pointer to
the string. If the pointer len_p is not NULL, the function shall also
return the full length of the string (not including the nul terminator) in
the location pointed to by len_p. The capability state in working stor‐
age, identified by cap_p, is completely represented in the character
string. When the capability state in working storage is no longer
required, the caller should free any releasable memory by calling
cap_free() with the returned string pointer as an argument.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hah - good call, thanks.
src/lxc/caps.c
Outdated
ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag); | ||
if (ret < 0) { | ||
if (errno == EINVAL) { | ||
INFO("Last supported cap was %d", cap - 1); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't you want to store the fact that you found the last supported cap here?
Otherwise if lxc was compiled with a CAP_LAST_CAP > the kernel was, then you'll get EPERM below when you try to raise the ambient bit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, excellent, missed that. Thanks, Serge!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>
2e4b638
to
611ddd3
Compare
Not really. :) |
Signed-off-by: Christian Brauner christian.brauner@ubuntu.com
Suggested-by: Jonathan Calmels jcalmels@nvidia.com