Bug 1666284
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | update to version 2.26 to support filesystem capabilities v3 | | |
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Karsten Hopp <karsten> |
| Component: | libcap | Assignee: | Karsten Hopp <karsten> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | lgriffin, mjahoda, omoris, sgrubb |
| Target Milestone: | alpha | Keywords: | Rebase |
| Target Release: | 8.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Rebase: Enhancements Only |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:07:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Doc Text:

Important: if this rebase also contains *bug fixes* (or contains only bug fixes), select the correct option from the Doc Type drop-down list.

Rebase package(s) to version: 2.26

Highlights and notable enhancements: support for filesystem capabilities v3, namespaced fcaps
Comment 1
Karsten Hopp
2019-01-15 12:28:31 UTC
Karsten, I am trying to test it properly and here is what I got:

```
# rpm -q kernel libcap
kernel-4.18.0-128.el8.x86_64
libcap-2.26-1.el8.x86_64
# useradd testuser
# id testuser
uid=1000(testuser) gid=1000(testuser) groups=1000(testuser)
# mkdir /tmp/foo
# cp /usr/bin/ping /tmp/foo
# getcap -vn /tmp/foo/ping
/tmp/foo/ping
# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
ping: socket: Operation not permitted
# setcap cap_net_raw+eip /tmp/foo/ping
# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip
# su -c '/tmp/foo/ping -c 3 127.0.0.1' -- testuser
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.040 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 63ms
rtt min/avg/max/mdev = 0.023/0.034/0.041/0.010 ms
# setcap -r /tmp/foo/ping
# setcap -n 1000 cap_net_raw+eip /tmp/foo/ping
# getcap -vn /tmp/foo/ping;
/tmp/foo/ping = cap_net_raw+eip [rootid=1000]
# su -- testuser
$ unshare --map-root-user --user /bin/bash
# cat /proc/self/uid_map
0 1000 1
# getcap -vn /tmp/foo/ping
/tmp/foo/ping = cap_net_raw+eip
# /tmp/foo/ping -c 3 127.0.0.1
ping: socket: Operation not permitted
```

Am I doing something wrong? User testuser is mapped to root in the created user namespace. Capability cap_net_raw is set to be used only in the namespace owned by testuser. Using getcap from that user namespace shows that all is set correctly. But when /tmp/foo/ping is used from the namespace, the operation is not permitted even though it should be. Or did I get it wrong?
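As an added illustration of what the v3 (namespaced) format this rebase introduces actually stores on disk, the following Python decodes the `security.capability` xattr layout, including the trailing rootid that `setcap -n 1000` writes; this is not code from libcap or from this report, the sample bytes are constructed, and the layout constants are taken from the kernel UAPI header `<linux/capability.h>`.

```python
import os
import struct

# Layout constants from the kernel UAPI header <linux/capability.h>.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte layout, caps belong to init-ns root
VFS_CAP_REVISION_3 = 0x03000000   # 24-byte layout, trailing rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NET_RAW = 13                  # capability bit index


def encode_fcaps(permitted, inheritable, effective=True, rootid=None):
    """Build a security.capability value; rootid=None selects the v2 layout."""
    magic = VFS_CAP_REVISION_2 if rootid is None else VFS_CAP_REVISION_3
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    # Two 32-bit words per set: data[0] holds bits 0-31, data[1] bits 32-63.
    blob = struct.pack("<5I", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    if rootid is not None:
        blob += struct.pack("<I", rootid)
    return blob


def parse_fcaps(blob):
    """Decode a v2 or v3 security.capability value into its fields."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(rev)
    if expected is None or len(blob) != expected:
        raise ValueError("unsupported or truncated fcaps xattr "
                         "(rev=%#x, len=%d)" % (rev, len(blob)))
    p0, i0, p1, i1 = struct.unpack_from("<4I", blob, 4)
    # v3 names the uid (in the initial user namespace) that owns the caps;
    # v2 has no such field, which means uid 0 of the initial namespace.
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {"revision": rev >> 24, "permitted": p0 | (p1 << 32),
            "inheritable": i0 | (i1 << 32),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def has_cap(caps, bit):
    """True if capability `bit` is in the decoded permitted set."""
    return bool(caps["permitted"] >> bit & 1)


def read_fcaps(path):
    """Read and decode the xattr from a real file (Linux only)."""
    return parse_fcaps(os.getxattr(path, "security.capability"))


# Constructed sample: the bytes `setcap -n 1000 cap_net_raw+eip` stores.
SAMPLE_V3 = encode_fcaps(1 << CAP_NET_RAW, 1 << CAP_NET_RAW, True, rootid=1000)
```

Running `read_fcaps` on the binary from the session above lets you confirm the rootid on disk independently of `getcap`, which is useful when deciding whether a file's capabilities apply inside a given user namespace.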
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3539