syscall: SysProcAttr.AmbientCaps fails when creating a new user namespace and creator is not root #23152
Comments
I do have a changeset that solves this issue:
CC @stapelberg
I indeed missed this use case when originally introducing the change. I can confirm that the proposed change does not break things for me, so LGTM from my end.
@Omnifarious Would you be willing to submit the change through the contribution process, which is described at https://golang.org/doc/contribute.html? Thanks.
Realistically speaking, there is no way I'll ever take the time to do all of that. This is the only thing I currently anticipate ever contributing to Go. It's about 40 lines of code. It simply adds capabilities that someone wants to be in the ambient set to the inheritable set. I expect, in fact, that I've done it wrong, even though the code works for my particular case.
So, I had a bunch of time on my hands, and went through the process described there. What do I use for a Change-ID? Never mind. I forgot the weird Gerrit process from when I tried to set it up a few years ago at a place I worked. We gave up and just used GitHub instead because Gerrit was heavy and didn't make a lot of sense to the developers.
Thanks for taking the time. The change-id will be filled in automatically when you mail out the change. You can also submit your change as a pull request, which will automatically import it into gerrit.
Change https://golang.org/cl/100315 mentions this issue:
Having this would also alleviate the need for #12125 since it would allow the execed process to retain the capabilities needed to do the bind mounts. Is there anything one can do to help moving this forward?
Change https://golang.org/cl/156577 mentions this issue:
Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?
1.9.2

Does this issue reproduce with the latest release?
Yes.

What operating system and processor architecture are you using (go env)?
Linux - amd64

What did you do?
I ran this code as a non-root user and the process had no capabilities.
(If possible, provide a recipe for reproducing the error. A complete runnable program is good. A link on play.golang.org is best.)

What did you expect to see?
I expected the shell started in my new namespace to have certain capabilities.

What did you see instead?
An error from cmd.Start() when calling prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ...) stating that there was an EPERM error.
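The following is an added example, not code from this thread or from the Go project, that walks through the capability bookkeeping behind both the reporter's EPERM and the fix described in the comments ("adds capabilities that someone wants to be in the ambient set to the inheritable set"). It assumes Linux and talks to the raw capget(2)/capset(2)/prctl(2) ABI; the constant values are copied from the kernel headers, and raiseAmbient is an illustrative helper of my own, not the syscall package's implementation. The kernel only allows PR_CAP_AMBIENT_RAISE for a capability that is in both the permitted and the inheritable set; a user namespace created by an unprivileged user gets a full permitted set but keeps the (empty) inheritable set of its creator, so the prctl fails until the inheritable bit is set first.

```go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

// Kernel ABI constants (linux/capability.h, linux/prctl.h). Values copied from
// the headers; only the two capabilities used in this example are listed.
const (
	capNetBindService = 10
	capSysAdmin       = 21

	linuxCapabilityVersion3 = 0x20080522
	prCapAmbient            = 47
	prCapAmbientRaise       = 2
)

// capHeader and capData mirror struct __user_cap_header_struct and
// struct __user_cap_data_struct. Version 3 uses two capData words.
type capHeader struct {
	version uint32
	pid     int32
}

type capData struct {
	effective   uint32
	permitted   uint32
	inheritable uint32
}

// capMask turns a list of capability numbers (0..63) into the two 32-bit words
// the capget/capset ABI uses: caps 0-31 live in word 0, caps 32-63 in word 1.
func capMask(caps []int) [2]uint32 {
	var m [2]uint32
	for _, c := range caps {
		m[c/32] |= uint32(1) << (uint(c) % 32)
	}
	return m
}

// ambientRaisable reports whether prctl(PR_CAP_AMBIENT_RAISE, c) would be
// permitted for the given sets: the kernel requires c to be in both the
// permitted and the inheritable set. In a user namespace created by an
// unprivileged user, permitted is full but inheritable is still empty, which
// is exactly the EPERM the reporter hit.
func ambientRaisable(data [2]capData, c int) bool {
	bit := uint32(1) << (uint(c) % 32)
	d := data[c/32]
	return d.permitted&bit != 0 && d.inheritable&bit != 0
}

// readCaps returns the calling thread's capability sets via capget(2).
func readCaps() ([2]capData, error) {
	hdr := capHeader{version: linuxCapabilityVersion3}
	var data [2]capData
	_, _, e := syscall.RawSyscall(syscall.SYS_CAPGET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data)), 0)
	if e != 0 {
		return data, fmt.Errorf("capget: %w", e)
	}
	return data, nil
}

// raiseAmbient is an illustrative helper (assumed, not the syscall package's
// code): it first adds each requested capability to the inheritable set with
// capset(2), which the kernel allows only for capabilities already in
// permitted, and only then raises it into the ambient set. Doing the prctl
// without the capset step is what fails with EPERM for a non-root user
// namespace creator.
func raiseAmbient(caps []int) error {
	data, err := readCaps()
	if err != nil {
		return err
	}
	m := capMask(caps)
	for i := range data {
		if data[i].permitted&m[i] != m[i] {
			return fmt.Errorf("requested capability not in permitted set; capset would be refused")
		}
		data[i].inheritable |= m[i]
	}
	hdr := capHeader{version: linuxCapabilityVersion3}
	if _, _, e := syscall.RawSyscall(syscall.SYS_CAPSET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data)), 0); e != 0 {
		return fmt.Errorf("capset: %w", e)
	}
	for _, c := range caps {
		if _, _, e := syscall.RawSyscall6(syscall.SYS_PRCTL,
			prCapAmbient, prCapAmbientRaise, uintptr(c), 0, 0, 0); e != 0 {
			return fmt.Errorf("prctl(PR_CAP_AMBIENT_RAISE, %d): %w", c, e)
		}
	}
	return nil
}

func main() {
	data, err := readCaps()
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, c := range []int{capNetBindService, capSysAdmin} {
		fmt.Printf("cap %d: ambient raise allowed now? %v\n", c, ambientRaisable(data, c))
	}
	// As an ordinary user outside a user namespace this is expected to fail,
	// because the capability is not in the permitted set either.
	fmt.Println("raiseAmbient:", raiseAmbient([]int{capNetBindService}))
}
```

Run as an ordinary user this reports that neither capability can be raised and raiseAmbient refuses before calling capset; inside a fresh user namespace (unshare -Ur) the permitted check passes and the capset step is what makes the subsequent prctl succeed. Bringing a real shell up with these capabilities still needs the exec to happen in the same thread after the prctl, which is why the fix belongs in the syscall package's child-side code rather than in user code.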