isolation: keep CAP_SYS_PTRACE when required

When pasta is started from an existing userns and tries to join the netns from another process it fails to open /proc/$pid/ns/net due the missing CAP_SYS_PTRACE capability in the --netns-only case. A simple reproducer for this. First create a userns: $ unshare -r Then create a new netns inside it and try to join that netns with pasta. $ unshare -n sleep inf & $ pasta --config-net --netns /proc/$!/ns/net Signed-off-by: Paul Holzinger <[email protected]> Signed-off-by: Stefano Brivio <[email protected]>
alvistack · Jun 25, 2023 · 594dce6 · 594dce6
1 parent 5b646b9
commit 594dce6
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/isolation.c b/isolation.c
@@ -202,9 +202,11 @@ void isolate_initial(void)
 	 * a mapping from UID 0, which only happens with pasta spawning a child
 	 * from a non-init user namespace (pasta can't run as root), we need to
 	 * retain CAP_SETFCAP too.
+	 * We also need to keep CAP_SYS_PTRACE in order to join an existing netns
+	 * path under /proc/$pid/ns/net which was created in the same userns.
 	 */
 	if (!ns_is_init() && !geteuid())
-		keep |= BIT(CAP_SETFCAP);
+		keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 
 	drop_caps_ep_except(keep);
 }