[merged] Don't call capset() unless we need to #122
Closed
Commits on Dec 1, 2016
-
Don't call capset() unless we need to
Fedora runs rpm-ostree (which uses bwrap) in systemd-nspawn (in mock via `--new-chroot`). nspawn by default installs a seccomp policy that denies `capset()`. This started failing with bubblewrap-0.1.4: https://pagure.io/releng/issue/6550 The process currently runs as *real* uid 0, outside of a user namespace. (It's honestly a bit nonsensical for nspawn to give a process `CAP_SYS_ADMIN` outside of a userns, but use seccomp to deny `capset()`, but let's leave that aside for now.) Due to the way this code was structured, we set `is_privileged = TRUE` simply because we have uid 0, even in the Fedora case where we *aren't* privileged. Fix this so we only set is_privileged if `uid != euid`, hence we won't try to gain/drop any capabilities, which fixes compatibility with what nspawn is doing. In theory of course we *could* drop privileges in a userns scenario, but we'd only be dropping privs in our userns...eh.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.