Bug 1666284

Summary: update to version 2.26 to support filesystem capabilities v3
Product: Red Hat Enterprise Linux 8 Reporter: Karsten Hopp <karsten>
Component: libcapAssignee: Karsten Hopp <karsten>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: unspecified    
Version: 8.1CC: lgriffin, mjahoda, omoris, sgrubb
Target Milestone: alphaKeywords: Rebase
Target Release: 8.1Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Rebase: Enhancements Only
Doc Text:
Important: if this rebase also contains *bug fixes* (or contains only bug fixes), select the correct option from the Doc Type drop-down list. Rebase package(s) to version: 2.26 Highlights and notable enhancements: support for filesystem capabilities v3, namespaced fcaps
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:07:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Karsten Hopp 2019-01-15 12:28:31 UTC 
Description of problem:

Until recently it was not safe to use fcaps in unprivileged containers, but starting with Linux kernel version 4.14 it is possible to set fcaps in user namespaces.
This is something that is really useful for unprivileged containers.

Version-Release number of selected component (if applicable):
libcap-2.25-*
Comment 7 Ondrej Moriš 2019-08-16 16:21:01 UTC 
Karsten, I am trying to test it properly and here is what I got:

# rpm -q kernel libcap
kernel-4.18.0-128.el8.x86_64
libcap-2.26-1.el8.x86_64

# useradd testuser

# id testuser 
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser)

# mkdir /tmp/foo

# cp /usr/bin/ping /tmp/foo

# getcap -vn /tmp/foo/ping
/tmp/foo/ping

# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
ping: socket: Operation not permitted

# setcap cap_net_raw+eip /tmp/foo/ping 

# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip

# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.040 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 63ms
rtt min/avg/max/mdev = 0.023/0.034/0.041/0.010 ms

# setcap -r /tmp/foo/ping 

# setcap -n 1000 cap_net_raw+eip /tmp/foo/ping 

# getcap -vn /tmp/foo/ping;
/tmp/foo/ping = cap_net_raw+eip [rootid=1000]

# su -- testuser

$ unshare --map-root-user --user /bin/bash

# cat /proc/self/uid_map 
         0       1000          1

# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip

# /tmp/foo/ping -c 3 127.0.0.1
ping: socket: Operation not permitted

Am I doing something wrong? User testuser is mapped to root in created user namespace. Capability cap_net_raw is set to be used only in namespace owned by testuser. Using getcap from that user namespace shows that all is set correctly. But when /tmp/foo/ping is used from namespace operation is not permitted even though it should be. Or did I get it wrong?
Comment 14 errata-xmlrpc 2019-11-05 22:07:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3539