virSetUIDGIDWithCaps: Set bounding capabilities only with CAP_SETPCAP

In one of my previous patches I've tried to postpone dropping CAP_SETPCAP until the very end because it's needed for capng_apply(). What I did not realize back then was that we might not have the capability to begin with. Because of unknown reasons capng_apply() pollutes logs only for CAPNG_SELECT_BOUNDS and not for CAPNG_SELECT_CAPS. Reproducer is really simple: run libvirtd as a regular user. During its initialization, libvirtd will spawn some binaries (dnsmasq, qemu-*, etc.) and while doing so it will try to drop capabilities. Anyway, let's call capng_apply(CAPNG_SELECT_BOUNDS) only if we have the CAP_SETPCAP (which is tracked in need_setpcap variable). Fixes: 438b50dda8a863fdc988e9ab612f097cc1626e8a Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1924218 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
2025-02-07 04:07:17 +00:00 · 2021-07-22 14:26:00 +02:00 · 2021-07-22 14:26:00 +02:00 · a2476f37a7
commit a2476f37a7
parent b69affe3c1
1 changed files with 2 additions and 1 deletions
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@ -1250,7 +1250,8 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *groups, int ngroups,
     * do this if we failed to get the capability above, so ignore the
     * return value.
     */
-    capng_apply(CAPNG_SELECT_BOUNDS);
+    if (!need_setpcap)
+        capng_apply(CAPNG_SELECT_BOUNDS);

    /* Drop the caps that allow setuid/gid (unless they were requested) */
    if (need_setgid)