[PULL 7/8] virtiofsd: drop CAP_DAC_READ_SEARCH
From: Dr. David Alan Gilbert (git)
Subject: [PULL 7/8] virtiofsd: drop CAP_DAC_READ_SEARCH
Date: Fri, 28 Aug 2020 13:45:08 +0100
From: Stefan Hajnoczi <stefanha@redhat.com>
virtiofsd does not need CAP_DAC_READ_SEARCH because it already has
the more powerful CAP_DAC_OVERRIDE. Drop it from the list of
capabilities.
This is important because container runtimes may not include
CAP_DAC_READ_SEARCH by default. This patch allows virtiofsd to reduce
its capabilities when running inside a Docker container.
Note that CAP_DAC_READ_SEARCH may be necessary again in the future if
virtiofsd starts using open_by_handle_at(2).
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200727190223.422280-2-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index a9feb90fd0..784330e0e4 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in)
if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE,
CAP_CHOWN,
CAP_DAC_OVERRIDE,
- CAP_DAC_READ_SEARCH,
CAP_FOWNER,
CAP_FSETID,
CAP_SETGID,
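Review bot: The capability list passed to capng_updatev() in setup_capabilities() gets no in-code comment recording why CAP_DAC_READ_SEARCH is now left out, so the reasoning lives only in the commit message. CAP_DAC_OVERRIDE covers the file and directory permission checks, but not the other use of CAP_DAC_READ_SEARCH that the commit message itself names, open_by_handle_at(2). A short comment above the list, for example "CAP_DAC_READ_SEARCH is omitted: CAP_DAC_OVERRIDE covers the permission checks; re-add if open_by_handle_at(2) is used", would keep a later change from introducing that call and then failing with a permission error only inside containers. It would also help to confirm, before merging, that nothing else in passthrough_ll.c relies on a capability-gated call that CAP_DAC_OVERRIDE does not cover.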
--
2.26.2