Reject sandbox modes != namespace when uid != 0 (!49) · Merge requests · virtio-fs / virtiofsd

German Maglione requested to merge ghm-virtio-fs/virtiofsd:libcapng_failed into main Nov 16, 2021

Inside drop_child_capabilities() there is a call to capng:apply() that clears the bounding set. It causes libcap-ng to fail when calling virtiofsd-rs with '--sandbox none' by an unprivileged user, because it doesn't have the CAP_SETPCAP capability.

Edited Dec 13, 2021 by Sergio Lopez

Reject sandbox modes != namespace when uid != 0

Merge request reports