From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: thuth@redhat.com, "Daniel P. Berrangé" <berrange@redhat.com>,
qemu-devel@nongnu.org, vgoyal@redhat.com
Subject: Re: libcap vs libcap-ng mess
Date: Fri, 29 Nov 2019 18:01:03 +0000 [thread overview]
Message-ID: <20191129180103.GA2840@work-vm> (raw)
In-Reply-To: <98520a07-cf5d-a2a9-cfa4-944839b94c7c@redhat.com>
* Paolo Bonzini (pbonzini@redhat.com) wrote:
> On 29/11/19 10:34, Daniel P. Berrangé wrote:
> >> y) Should we flip over to only using one or the other - what
> >> are the advantages?
> > In libvirt we use libcap-ng. We picked this originally as its API
> > design allows you do write simpler code than libcap in some cases
> > You can see some docs & examples here:
> >
> > https://people.redhat.com/sgrubb/libcap-ng/
> >
> > So I vote for changing the 9p code to use libcap-ng.
>
> It's not entirely trivial because fsdev-proxy-helper wants to keep the
> effective set and clear the permitted set; in libcap-ng you can only
> apply both sets at once, and you cannot choose only one of them in
> capng_clear/capng_get_caps_process. But it's doable, I'll take a look.
I'm having some difficulties making the same conversion for virtiofsd;
all it wants to do is drop (and later recover) CAP_FSETID
from it's effective set; so I'm calling capng_get_caps_process
(it used to be cap_get_proc). While libcap survives just using the
capget syscall, libcap-ng wants to read /proc/<TID>/status - and
that's a problem because we're in a sandbox without /proc mounted
at that point.
Dave
> In the meanwhile, if someone else wants to look at the CI I would
> appreciate that.
>
> Paolo
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2019-11-29 18:03 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-28 19:04 libcap vs libcap-ng mess Dr. David Alan Gilbert
2019-11-29 9:34 ` Daniel P. Berrangé
2019-11-29 10:46 ` Paolo Bonzini
2019-11-29 10:51 ` Dr. David Alan Gilbert
2019-11-29 18:01 ` Dr. David Alan Gilbert [this message]
2019-11-29 18:12 ` Paolo Bonzini
2019-11-29 18:20 ` Dr. David Alan Gilbert
2019-11-29 18:27 ` Paolo Bonzini
2019-11-29 18:54 ` Dr. David Alan Gilbert
2019-11-29 23:19 ` Paolo Bonzini
2019-12-02 10:07 ` Dr. David Alan Gilbert
2019-12-02 10:33 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191129180103.GA2840@work-vm \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.