1666284 – update to version 2.26 to support filesystem capabilities v3

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1666284 - update to version 2.26 to support filesystem capabilities v3

Summary: update to version 2.26 to support filesystem capabilities v3

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libcap
Sub Component:
Version:	8.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	alpha
Target Release:	8.1
Assignee:	Karsten Hopp
QA Contact:	Ondrej Moriš
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-15 12:19 UTC by Karsten Hopp
Modified:	2020-11-14 13:25 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Rebase: Enhancements Only
Doc Text:	Important: if this rebase also contains bug fixes (or contains only bug fixes), select the correct option from the Doc Type drop-down list. Rebase package(s) to version: 2.26 Highlights and notable enhancements: support for filesystem capabilities v3, namespaced fcaps
Clone Of:
Environment:
Last Closed:	2019-11-05 22:07:07 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2019:3539	0	None	None	None	2019-11-05 22:07:09 UTC

Comment 1 Karsten Hopp 2019-01-15 12:28:31 UTC

Description of problem:

Until recently it was not safe to use fcaps in unprivileged containers, but starting with Linux kernel version 4.14 it is possible to set fcaps in user namespaces.
This is something that is really useful for unprivileged containers.

Version-Release number of selected component (if applicable):
libcap-2.25-*

Comment 7 Ondrej Moriš 2019-08-16 16:21:01 UTC

Karsten, I am trying to test it properly and here is what I got:

# rpm -q kernel libcap
kernel-4.18.0-128.el8.x86_64
libcap-2.26-1.el8.x86_64

# useradd testuser

# id testuser 
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser)

# mkdir /tmp/foo

# cp /usr/bin/ping /tmp/foo

# getcap -vn /tmp/foo/ping
/tmp/foo/ping

# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
ping: socket: Operation not permitted

# setcap cap_net_raw+eip /tmp/foo/ping 

# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip

# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.040 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 63ms
rtt min/avg/max/mdev = 0.023/0.034/0.041/0.010 ms

# setcap -r /tmp/foo/ping 

# setcap -n 1000 cap_net_raw+eip /tmp/foo/ping 

# getcap -vn /tmp/foo/ping;
/tmp/foo/ping = cap_net_raw+eip [rootid=1000]

# su -- testuser

$ unshare --map-root-user --user /bin/bash

# cat /proc/self/uid_map 
         0       1000          1

# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip

# /tmp/foo/ping -c 3 127.0.0.1
ping: socket: Operation not permitted

Am I doing something wrong? User testuser is mapped to root in created user namespace. Capability cap_net_raw is set to be used only in namespace owned by testuser. Using getcap from that user namespace shows that all is set correctly. But when /tmp/foo/ping is used from namespace operation is not permitted even though it should be. Or did I get it wrong?

Comment 14 errata-xmlrpc 2019-11-05 22:07:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3539

Note You need to log in before you can comment on or make changes to this bug.