On 7/22/21 11:29 AM, Michal Privoznik wrote: > In one of my previous patches I've tried to postpone dropping > CAP_SETPCAP until the very end because it's needed for > capng_apply(). What I did not realize back then was that we might > not have the capability to begin with. Because of unknown reasons > capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not > for CAPNG_SELECT_CAPS. > > Reproducer is really simple: run libvirtd as a regular user. > During its initialization, libvirtd will spawn some binaries > (dnsmasq, qemu-*, etc.) and while doing so it will try to drop > capabilities. > > Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we > have the CAP_SETPCAP (which is tracked in need_setpcap variable). > > Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a > Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218 > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/util/virutil.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/util/virutil.c b/src/util/virutil.c > index aba0aea0ff..00cd56e2b2 100644 > --- a/src/util/virutil.c > +++ b/src/util/virutil.c > @@ -1250,7 +1250,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups, > * do this if we failed to get the capability above, so ignore the > * return value. > */ > - capng_apply(CAPNG_SELECT_BOUNDS); > + if (!need_setpcap) > + capng_apply(CAPNG_SELECT_BOUNDS); > > /* Drop the caps that allow setuid/gid (unless they were requested) */ > if (need_setgid) > Reviewed-by: Cole Robinson <crobinso@xxxxxxxxxx> - Cole - Cole
