-
Notifications
You must be signed in to change notification settings - Fork 236
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't drop capabilities from bounding set on ARM #174
Comments
What does |
|
Spawning
|
Some more info: this is fairly easy to reproduce outside of flatpak:
While this is what I get if I revert commit b35f84a:
Note the |
Some more information before leaving this debug session for the day: Consistently with what I found that passing the Sleeping for a while right before dropping the caps in the second case, and then inspecting the processes this is what I got on ARM:
On Intel 64bit I get similar results, but the mask it's different (difference is that it also includes
I'm not entirely sure whether all this information will be useful to solve the problem I'm seeing right not, but I have to leave now and I hope this will ring any bell. Otherwise, I'll continue tomorrow. Thanks in advance for any help! |
I looked at this briefly and left confused as to how capabilities work in userns; I'd expected to see a full current set from capsh. I don't have a theory right now for why this would work on one architecture/kernel config and not another. Is bwrap full suid in both cases? |
Yes, it's full suid in both cases. I've definitely checked that (and made sure that would be the case after building from sources + installing) |
@cgwalters Thanks for the feedback. I checked your PR at #172 and I'm not sure that would fix the problem I'm seeing as bubblewrap would still be dropping the caps in the case I'm seeing unless About reverting b35f84a temporarily, the problem I've observed |
We finally figured out what the problem was with our ARM kernel. We need to cherry pick https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077 More details: #175 (comment) |
Some older kernels are buggy with respect to this; see https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=160da84dbb39443fdade7151bc63a88f8e953077 Fixes: #174 Closes: #175 Approved by: mariospr
As mentioned in #149 (comment), we recently upgraded bubblewrap to 1.7 on Endless and observed this error now whenever we try to run any flatpak on our ARM product (it's fine on amd64, fwiw):
Reading through man prctl, it's suggested that this EPERM error would mean that we don't have the CAP_SETPCAP capability in the calling thread, so one question is why that cap is not there on our ARM kernel (a question I'm actively trying to answer now already, but need some feedback of our kernel team first).
I was wondering if it would make sense to call
prctl(PR_CAPBSET_READ, CAP_SETPCAP)
indrop_cap_bounding_set()
, early returning if it returns zero, but then I've tried the following patch:...but flatpak run keeps failing anyway with the very same Dropping capability 0 from bounds: Operation not permitted error, so I'm extra confused now.
Also, I installed libcap-ng-utils and
setpcap
seems to be available:Again, this only fails on ARM, so I'm pasting here a link to our kernel configuration for that case, in case it helps understanding the issue: https://github.com/endlessm/linux-meson/blob/debian-master/debian/config/armhf/config.meson8b
Last, I've got a device with me where I can reliably reproduce the problem by doing
flatpak run <appid>
so I'd be more than happy to do any test that were needed.The text was updated successfully, but these errors were encountered: