* Stefan Hajnoczi ([email protected]) wrote:
> virtiofsd does not need CAP_DAC_READ_SEARCH because it already has
> the more powerful CAP_DAC_OVERRIDE. Drop it from the list of
> capabilities.
>
> This is important because container runtimes may not include
> CAP_DAC_READ_SEARCH by default. This patch allows virtiofsd to reduce
> its capabilities when running inside a Docker container.
>
> Note that CAP_DAC_READ_SEARCH may be necessary again in the future if
> virtiofsd starts using open_by_handle_at(2).
>
> Signed-off-by: Stefan Hajnoczi <[email protected]>

Yeh that seems to make sense, and is probably worth having irrespective of the rest of the series.

Reviewed-by: Dr. David Alan Gilbert <[email protected]>

> --- > tools/virtiofsd/passthrough_ll.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/tools/virtiofsd/passthrough_ll.c > b/tools/virtiofsd/passthrough_ll.c > index 94e0de2d2b..50a164a599 100644 > --- a/tools/virtiofsd/passthrough_ll.c > +++ b/tools/virtiofsd/passthrough_ll.c > @@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in) > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, > CAP_CHOWN, > CAP_DAC_OVERRIDE, > - CAP_DAC_READ_SEARCH, > CAP_FOWNER, > CAP_FSETID, > CAP_SETGID, > -- > 2.26.2 >
--
Dr. David Alan Gilbert / [email protected] / Manchester, UK
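
Review bot: The capability list in setup_capabilities() loses CAP_DAC_READ_SEARCH with no comment left in the code, so the reason for its absence lives only in the commit message. Consider a short comment above the capng_updatev() call saying that CAP_DAC_READ_SEARCH is omitted on purpose because CAP_DAC_OVERRIDE already covers it, and that it has to be added back if virtiofsd starts using open_by_handle_at(2). That keeps a later change that introduces file-handle based opens from failing only in container runtimes that do not grant the capability by default.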
