Files
apple--containerization/scripts/patches/virtiofsd-skip-cap-drop-with-sandbox-none.patch
wehub-resource-sync 680845cb1c
Linux build / Determine Swift version (push) Waiting to run
Linux build / Linux compile check (push) Blocked by required conditions
Build containerization / Verify commit signatures (push) Has been skipped
Build containerization / containerization (push) Successful in 0s
chore: import upstream snapshot with attribution
2026-07-13 12:25:30 +08:00

42 lines
1.9 KiB
Diff

# virtiofsd patch — skip capability drop when --sandbox=none.
#
# virtiofsd 1.13.3 unconditionally calls capng::apply (capset(2)) at
# startup when running as root. Inside apple/container's --virtualization
# dev container the default seccomp profile blocks capset(2), so virtiofsd
# fails with "failed to sync capabilities with the kernel" and
# process::exit(1)s before binding its socket.
#
# We already pass --sandbox=none to virtiofsd from VirtiofsdProcess (same
# rationale as why cloud-hypervisor runs with --seccomp false in the same
# environment). This patch extends the existing upstream gate ("We don't
# modify the capabilities if the user call us without any sandbox") so
# that --sandbox=none also skips cap drop at uid==0, matching the user's
# explicit opt-out from the sandbox.
#
# Applied automatically by `make build-virtiofsd` before `cargo build`.
# Targets virtiofsd 1.13.3 (.local/virtiofsd).
diff --git a/src/main.rs b/src/main.rs
index 176e178..27dce55 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -858,8 +858,17 @@ fn main() {
// We don't modify the capabilities if the user call us without
// any sandbox (i.e. --sandbox=none) as unprivileged user
+ //
+ // CONTAINERIZATION-PATCH: also skip cap drop with --sandbox=none even
+ // when running as root. Inside apple/container's --virtualization dev
+ // container the seccomp profile blocks capset(2), so capng::apply
+ // fails with "failed to sync capabilities with the kernel" and
+ // virtiofsd process::exit(1)s before binding its socket. The
+ // user explicitly opted out of the sandbox; respect that and don't
+ // touch caps either. Same class of issue as why CH runs with
+ // --seccomp false in the same env.
let uid = unsafe { libc::geteuid() };
- if uid == 0 {
+ if uid == 0 && !matches!(opt.sandbox, SandboxMode::None) {
drop_capabilities(fs_cfg.inode_file_handles, opt.modcaps);
}