680845cb1c
Linux build / Determine Swift version (push) Waiting to run
Linux build / Linux compile check (push) Blocked by required conditions
Build containerization / Verify commit signatures (push) Has been skipped
Build containerization / containerization (push) Successful in 0s
42 lines
1.9 KiB
Diff
42 lines
1.9 KiB
Diff
# virtiofsd patch — skip capability drop when --sandbox=none.
|
|
#
|
|
# virtiofsd 1.13.3 unconditionally calls capng::apply (capset(2)) at
|
|
# startup when running as root. Inside apple/container's --virtualization
|
|
# dev container the default seccomp profile blocks capset(2), so virtiofsd
|
|
# fails with "failed to sync capabilities with the kernel" and
|
|
# process::exit(1)s before binding its socket.
|
|
#
|
|
# We already pass --sandbox=none to virtiofsd from VirtiofsdProcess (same
|
|
# rationale as why cloud-hypervisor runs with --seccomp false in the same
|
|
# environment). This patch extends the existing upstream gate ("We don't
|
|
# modify the capabilities if the user call us without any sandbox") so
|
|
# that --sandbox=none also skips cap drop at uid==0, matching the user's
|
|
# explicit opt-out from the sandbox.
|
|
#
|
|
# Applied automatically by `make build-virtiofsd` before `cargo build`.
|
|
# Targets virtiofsd 1.13.3 (.local/virtiofsd).
|
|
|
|
diff --git a/src/main.rs b/src/main.rs
|
|
index 176e178..27dce55 100644
|
|
--- a/src/main.rs
|
|
+++ b/src/main.rs
|
|
@@ -858,8 +858,17 @@ fn main() {
|
|
|
|
// We don't modify the capabilities if the user call us without
|
|
// any sandbox (i.e. --sandbox=none) as unprivileged user
|
|
+ //
|
|
+ // CONTAINERIZATION-PATCH: also skip cap drop with --sandbox=none even
|
|
+ // when running as root. Inside apple/container's --virtualization dev
|
|
+ // container the seccomp profile blocks capset(2), so capng::apply
|
|
+ // fails with "failed to sync capabilities with the kernel" and
|
|
+ // virtiofsd process::exit(1)s before binding its socket. The
|
|
+ // user explicitly opted out of the sandbox; respect that and don't
|
|
+ // touch caps either. Same class of issue as why CH runs with
|
|
+ // --seccomp false in the same env.
|
|
let uid = unsafe { libc::geteuid() };
|
|
- if uid == 0 {
|
|
+ if uid == 0 && !matches!(opt.sandbox, SandboxMode::None) {
|
|
drop_capabilities(fs_cfg.inode_file_handles, opt.modcaps);
|
|
}
|
|
|