Hi Ludovic!
Ludovic Courtès writes:
> Howdy!
>
> Maxim Cournoyer skribis:
[...]
>> I reviewed how that works, and it'd be easy; I just didn't see the
>> incentive yet (there's no composition needed for the service, and it'd
>> make the definition slightly less readable). If you tell me
>> mark+forkexec-constructor/container is going the way of the Dodo though,
>> that's a good enough incentive :-).
That turns out to be bit problematic; dbus-daemon must not run in its
own user namespace (CLONE_NEWUSER) as it wants to validate user/group
IDs. That's probably the reason it was working with
'make-forkexec-constructor/container', as this was dropping the user and
net namespaces, contrary to least-authority, which uses them all.
The problem then seems to be that since we need CAP_SYS_ADMIN when
dropping the user namespace, as CLONE_NEWUSER is what gives us
superpowers. Per 'man user_namespaces':
The child process created by clone(2) with the CLONE_NEWUSER flag starts
out with a complete set of capabilities in the new user namespace.
Which means that if we combine something like (untested):
--8<---cut here---start->8---
(make-forkexec-constructor
(least-authority
(list (file-append coreutils "/bin/true"))
(mappings (delq 'user %namespaces))
#:user "nobody"
#:group "nobody"))
--8<---cut here---end--->8---
the make-forkexec-constructor will switch to the non-privileged user
before the clone call is made, and it will fail with EPERM.
When using 'make-forkexec-constructor/container', the clone(2) call
happens before switching user, thus as 'root' in Shepherd, which
explains why it works.
I'm not sure how it could be fixed; it seems the user changing business
would need to be handled by the least-authority-wrapper code? And the
make-forkexec-constructor would probably need to detect that command is
a pola wrapper and then avoid changing the user/group itself to not
interfere.
To be continued!
Maxim