sandbox: Allow non-root users run the daemon without isolation (!136) · Merge requests · virtio-fs / virtiofsd

German Maglione requested to merge ghm-virtio-fs/virtiofsd:sandbox-none-non-root into main Sep 08, 2022

Although, virtiofsd expect to run as root, either as the real one, or the pseudo-root inside a user namespace, there are use cases there are use cases that need to be able to run virtiofsd as a non-privileged user outside a user namespace. In this mode many operations will not be available (e.g. chown).

There are some issues that are related to this MR: #8 (closed) and #43 (closed). Besides the request in #8 (closed) recently there was a request for this functionality in the matrix channel, I am creating this MR to have that discussion here.

Notes:

Some operations fails, like chown, but these also fail with --sandbox=namespace.
I want to move the capability-related code and enable_seccomp() call into sandbox.rs, so I don't need to "leak" the info about the sandbox type chosen by the user.

Edited Oct 19, 2022 by German Maglione

sandbox: Allow non-root users run the daemon without isolation

Merge request reports