Message ID | 20200722130206.224898-2-stefanha@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | virtiofsd: allow virtiofsd to run in a container |
* Stefan Hajnoczi (stefanha@redhat.com) wrote: > virtiofsd does not need CAP_DAC_READ_SEARCH because it already has > the more powerful CAP_DAC_OVERRIDE. Drop it from the list of > capabilities. > > This is important because container runtimes may not include > CAP_DAC_READ_SEARCH by default. This patch allows virtiofsd to reduce > its capabilities when running inside a Docker container. > > Note that CAP_DAC_READ_SEARCH may be necessary again in the future if > virtiofsd starts using open_by_handle_at(2). > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Yeh that seems to make sense, and is probably worth having irrespective of the rest of the series. Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> > --- > tools/virtiofsd/passthrough_ll.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c > index 94e0de2d2b..50a164a599 100644 > --- a/tools/virtiofsd/passthrough_ll.c > +++ b/tools/virtiofsd/passthrough_ll.c > @@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in) > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, > CAP_CHOWN, > CAP_DAC_OVERRIDE, > - CAP_DAC_READ_SEARCH, > CAP_FOWNER, > CAP_FSETID, > CAP_SETGID, > -- > 2.26.2 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 94e0de2d2b..50a164a599 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in) if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, CAP_CHOWN, CAP_DAC_OVERRIDE, - CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_SETGID,
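Review bot: In setup_capabilities(), the capng_updatev() list now omits CAP_DAC_READ_SEARCH with nothing in the code saying why. The commit message records that it is redundant next to CAP_DAC_OVERRIDE and would be needed again if virtiofsd starts using open_by_handle_at(2); a short comment above the list stating both points would keep that reasoning next to the code instead of only in the commit log.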
virtiofsd does not need CAP_DAC_READ_SEARCH because it already has the more powerful CAP_DAC_OVERRIDE. Drop it from the list of capabilities.

This is important because container runtimes may not include CAP_DAC_READ_SEARCH by default. This patch allows virtiofsd to reduce its capabilities when running inside a Docker container.

Note that CAP_DAC_READ_SEARCH may be necessary again in the future if virtiofsd starts using open_by_handle_at(2).

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 1 -
1 file changed, 1 deletion(-)
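An added example, not part of the patch or of QEMU: it checks a capability mask, as printed in /proc/<pid>/status, against the capabilities visible in the hunk before and after the change. The helper names and the sample CapBnd line are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/capability.h>   /* CAP_* bit numbers */

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Only the capabilities visible in the hunk; the rest of the list is not on the page. */
const int caps_before[] = { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
                            CAP_FOWNER, CAP_FSETID, CAP_SETGID };
const int caps_after[]  = { CAP_CHOWN, CAP_DAC_OVERRIDE,
                            CAP_FOWNER, CAP_FSETID, CAP_SETGID };

/* Constructed sample input: a bounding set in which bit 2 (CAP_DAC_READ_SEARCH) is clear. */
const char sample_status_line[] = "CapBnd:\t00000000a80425fb";

/* Parse "<field>:<whitespace><hex>" from /proc/<pid>/status; returns 0 on success. */
int parse_cap_line(const char *line, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    char *end;

    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return -1;
    *mask = strtoull(line + n + 1, &end, 16);
    return (end == line + n + 1) ? -1 : 0;   /* no hex digits found */
}

/* Return a bitmask of the wanted capabilities that are absent from mask. */
uint64_t missing_caps(uint64_t mask, const int *wanted, size_t count)
{
    uint64_t missing = 0;

    for (size_t i = 0; i < count; i++)
        if (!(mask & (1ULL << wanted[i])))
            missing |= 1ULL << wanted[i];
    return missing;
}

int main(void)
{
    uint64_t bnd;

    if (parse_cap_line(sample_status_line, "CapBnd", &bnd) != 0)
        return 1;
    printf("missing before patch: %#llx\n",
           (unsigned long long)missing_caps(bnd, caps_before, LEN(caps_before)));
    printf("missing after patch:  %#llx\n",
           (unsigned long long)missing_caps(bnd, caps_after, LEN(caps_after)));
    return 0;
}
```

To check a real environment, feed the CapBnd line from /proc/self/status inside the container instead of the sample.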