[PATCH 2/2] virSetUIDGIDWithCaps: Set bounding capabilities only with CAP_SETPCAP

Cole Robinson crobinso at redhat.com
Mon Jul 26 00:04:01 UTC 2021


On 7/22/21 11:29 AM, Michal Privoznik wrote:
> In one of my previous patches I've tried to postpone dropping
> CAP_SETPCAP until the very end because it's needed for
> capng_apply(). What I did not realize back then was that we might
> not have the capability to begin with. Because of unknown reasons
> capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not
> for CAPNG_SELECT_CAPS.
> 
> Reproducer is really simple: run libvirtd as a regular user.
> During its initialization, libvirtd will spawn some binaries
> (dnsmasq, qemu-*, etc.) and while doing so it will try to drop
> capabilities.
> 
> Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we
> have the CAP_SETPCAP (which is tracked in need_setpcap variable).
> 
> Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/util/virutil.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index aba0aea0ff..00cd56e2b2 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1250,7 +1250,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
>       * do this if we failed to get the capability above, so ignore the
>       * return value.
>       */
> -    capng_apply(CAPNG_SELECT_BOUNDS);
> +    if (!need_setpcap)
> +        capng_apply(CAPNG_SELECT_BOUNDS);
>  
>      /* Drop the caps that allow setuid/gid (unless they were requested) */
>      if (need_setgid)
> 
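Review bot: the comment directly above the new `if (!need_setpcap)` guard still describes an unconditional call whose return value is ignored, so it no longer matches the code and should be updated to explain the guard. The commit message says the call should happen only when CAP_SETPCAP is held, while the condition tests the negation of `need_setpcap`; whether that negation is right depends on how the variable is set earlier in the function, which this hunk does not show, so a short statement of what `need_setpcap` being true means would make the check reviewable in place. With the guard in, a failure of `capng_apply(CAPNG_SELECT_BOUNDS)` is no longer the expected case, so consider checking its return value instead of continuing to discard it.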

Reviewed-by: Cole Robinson <crobinso at redhat.com>

- Cole
