Skip to content

[pull] master from upstream #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 9, 2025
Merged

[pull] master from upstream #5

merged 1 commit into from
Oct 9, 2025

Conversation

@pull
Copy link
Contributor

@pull pull bot commented Oct 9, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

@crobinso @sbrivio-rh
isolation: keep CAP_DAC_OVERRIDE initially
5da0316 
Reproducer that I'd expect to work:

  $ cd $HOME
  $ sudo passt --runas $UID --socket foo.sock
  Failed to bind UNIX domain socket: Permission denied

A more practical example is for libguestfs apps when run as user=root:

+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu
  + libvirt chowns /run/libvirt/qemu/passt dir to user=qemu
+ libguestfs instead requests the VM run as user=root
  + patches in progress but we are blocked by this issue
+ passt is launched as root, but because CAP_DAC_OVERRIDE has been
  dropped, passt fails to create socket in qemu owned
  /run/libvirt/qemu/passt

Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial.

This might look sketchy, but isolate_initial already keeps
CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off.

Link: libguestfs/libguestfs#218
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
@pull pull bot locked and limited conversation to collaborators Oct 9, 2025
@pull pull bot added the ⤵️ pull label Oct 9, 2025
@pull pull bot merged commit ad24f83 into master Oct 9, 2025
@pull pull bot deleted the upstream branch October 9, 2025 08:59
@kroese kroese restored the upstream branch October 9, 2025 09:21
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@crobinso