From 5da0316f27c9b36b7ee4ba181d38a8dc358b2328 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Wed, 8 Oct 2025 11:01:33 -0400
Subject: [PATCH] isolation: keep CAP_DAC_OVERRIDE initially

Reproducer that I'd expect to work:

  $ cd $HOME
  $ sudo passt --runas $UID --socket foo.sock
  Failed to bind UNIX domain socket: Permission denied

A more practical example is for libguestfs apps when run as user=root:

+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu
  + libvirt chowns /run/libvirt/qemu/passt dir to user=qemu
+ libguestfs instead requests the VM run as user=root
  + patches in progress but we are blocked by this issue
+ passt is launched as root, but because CAP_DAC_OVERRIDE has been
  dropped, passt fails to create socket in qemu owned
  /run/libvirt/qemu/passt

Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial.

This might look sketchy, but isolate_initial already keeps
CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off.

Link: https://github.com/libguestfs/libguestfs/pull/218
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 isolation.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/isolation.c b/isolation.c
index bbcd23b7..b25f3498 100644
--- a/isolation.c
+++ b/isolation.c
@@ -188,6 +188,9 @@ void isolate_initial(int argc, char **argv)
 	 * We have to keep CAP_SETUID and CAP_SETGID at this stage, so
 	 * that we can switch user away from root.
 	 *
+	 * CAP_DAC_OVERRIDE may be required for socket setup when combined
+	 * with --runas.
+	 *
 	 * We have to keep some capabilities for the --netns-only case:
 	 *  - CAP_SYS_ADMIN, so that we can setns() to the netns.
 	 *  - Keep CAP_NET_ADMIN, so that we can configure interfaces
@@ -198,7 +201,7 @@ void isolate_initial(int argc, char **argv)
 	 * isolate_prefork().
 	 */
 	keep = BIT(CAP_NET_BIND_SERVICE) | BIT(CAP_SETUID) | BIT(CAP_SETGID) |
-	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN);
+	       BIT(CAP_SYS_ADMIN) | BIT(CAP_NET_ADMIN) | BIT(CAP_DAC_OVERRIDE);
 
 	/* Since Linux 5.12, if we want to update /proc/self/uid_map to create
 	 * a mapping from UID 0, which only happens with pasta spawning a child