<feed xmlns='http://www.w3.org/2005/Atom'>
<title>passt/isolation.c, branch bug165c</title>
<subtitle>Plug A Simple Socket Transport</subtitle>
<link rel='alternate' type='text/html' href='https://passt.top/passt/'/>
<entry>
<title>isolation: keep CAP_DAC_OVERRIDE initially</title>
<updated>2025-10-09T08:11:27+00:00</updated>
<author>
<name>Cole Robinson</name>
<email>crobinso@redhat.com</email>
</author>
<published>2025-10-08T15:01:33+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=5da0316f27c9b36b7ee4ba181d38a8dc358b2328'/>
<id>5da0316f27c9b36b7ee4ba181d38a8dc358b2328</id>
<content type='text'>
Reproducer that I'd expect to work:

  $ cd $HOME
  $ sudo passt --runas $UID --socket foo.sock
  Failed to bind UNIX domain socket: Permission denied

A more practical example is for libguestfs apps when run as user=root:

+ libguestfs connects to libvirt qemu:///system
+ libvirt qemu:///system defaults to user=qemu
  + libvirt chowns /run/libvirt/qemu/passt dir to user=qemu
+ libguestfs instead requests the VM run as user=root
  + patches in progress but we are blocked by this issue
+ passt is launched as root, but because CAP_DAC_OVERRIDE has been
  dropped, passt fails to create socket in qemu owned
  /run/libvirt/qemu/passt

Fix it by not dropping CAP_DAC_OVERRIDE in isolate_initial.

This might look sketchy, but isolate_initial already keeps
CAP_SYS_ADMIN and CAP_NET_ADMIN, so we are probably no worse off.

Link: https://github.com/libguestfs/libguestfs/pull/218
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Cole Robinson &lt;crobinso@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>codespell: Correct typos in comments and error message</title>
<updated>2025-05-15T16:06:30+00:00</updated>
<author>
<name>Laurent Vivier</name>
<email>lvivier@redhat.com</email>
</author>
<published>2025-05-15T09:41:51+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=2046976866dd1f983cb0417a1d3ee3f64190805d'/>
<id>2046976866dd1f983cb0417a1d3ee3f64190805d</id>
<content type='text'>
This commit addresses several spelling errors identified by the `codespell`
tool. The corrections apply to:
- Code comments in `fwd.c`, `ip.h`, `isolation.c`, and `log.c`.
- An error message string in `vhost_user.c`.

Specifically, the following misspellings were corrected:
- "adddress" to "address"
- "capabilites" to "capabilities"
- "Musn't" to "Mustn't"
- "calculatd" to "calculated"
- "Invalide" to "Invalid"

Signed-off-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>vhost-user: add vhost-user</title>
<updated>2024-11-27T15:47:32+00:00</updated>
<author>
<name>Laurent Vivier</name>
<email>lvivier@redhat.com</email>
</author>
<published>2024-11-22T16:43:34+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=28997fcb29b560fc0dcfd91bad5eece3ded5eb72'/>
<id>28997fcb29b560fc0dcfd91bad5eece3ded5eb72</id>
<content type='text'>
Add virtio and vhost-user functions to connect with QEMU.

  $ ./passt --vhost-user

and

  # qemu-system-x86_64 ... -m 4G \
        -object memory-backend-memfd,id=memfd0,share=on,size=4G \
        -numa node,memdev=memfd0 \
        -chardev socket,id=chr0,path=/tmp/passt_1.socket \
        -netdev vhost-user,id=netdev0,chardev=chr0 \
        -device virtio-net,mac=9a:2b:2c:2d:2e:2f,netdev=netdev0 \
        ...

Signed-off-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
[sbrivio: as suggested by lvivier, include &lt;netinet/if_ether.h&gt;
 before including &lt;linux/if_ether.h&gt; as C libraries such as musl
 __UAPI_DEF_ETHHDR in &lt;netinet/if_ether.h&gt; if they already have
 a definition of struct ethhdr]
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>passt, util: Close any open file that the parent might have leaked</title>
<updated>2024-08-08T19:31:25+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2024-08-06T18:32:11+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=09603cab28f9883baf1d7b48bdc102d6641dc300'/>
<id>09603cab28f9883baf1d7b48bdc102d6641dc300</id>
<content type='text'>
If a parent accidentally or due to implementation reasons leaks any
open file, we don't want to have access to them, except for the file
passed via --fd, if any.

This is the case for Podman when Podman's parent leaks files into
Podman: it's not practical for Podman to close unrelated files before
starting pasta, as reported by Paul.

Use close_range(2) to close all open files except for standard streams
and the one from --fd.

Given that parts of conf() depend on other files to be already opened,
such as the epoll file descriptor, we can't easily defer this to a
more convenient point, where --fd was already parsed. Introduce a
minimal, duplicate version of --fd parsing to keep this simple.

As we need to check that the passed --fd option doesn't exceed
INT_MAX, because we'll parse it with strtol() but file descriptor
indices are signed ints (regardless of the arguments close_range()
takes), extend the existing check in the actual --fd parsing in conf(),
also rejecting file descriptor numbers that match standard streams,
while at it.

Suggested-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Reviewed-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
</content>
</entry>
<entry>
<title>treewide: Replace strerror() calls</title>
<updated>2024-06-21T13:32:44+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2024-06-17T09:55:04+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=dba7f0f5cee06dcfc205b0284ba19c2651f594c4'/>
<id>dba7f0f5cee06dcfc205b0284ba19c2651f594c4</id>
<content type='text'>
Now that we have logging functions embedding perror() functionality,
we can make _some_ calls more terse by using them. In many places,
the strerror() calls are still more convenient because, for example,
they are used in flow debugging functions, or because the return code
variable of interest is not 'errno'.

While at it, convert a few error messages from a scant perror style
to proper failure descriptions.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
</entry>
<entry>
<title>treewide: Replace perror() calls with calls to logging functions</title>
<updated>2024-06-21T13:32:43+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2024-06-14T22:37:11+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=92a22fef93a528030669e357a32c19f143a2d3b5'/>
<id>92a22fef93a528030669e357a32c19f143a2d3b5</id>
<content type='text'>
perror() prints directly to standard error, but in many cases standard
error might be already closed, or we might want to skip logging, based
on configuration. Our logging functions provide all that.

While at it, make errors more descriptive, replacing some of the
existing basic perror-style messages.

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
</entry>
<entry>
<title>vhost-user: compare mode MODE_PASTA and not MODE_PASST</title>
<updated>2024-06-13T13:45:38+00:00</updated>
<author>
<name>Laurent Vivier</name>
<email>lvivier@redhat.com</email>
</author>
<published>2024-06-13T12:36:53+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=0c335d751a21d6b46bd78dd1118860e84021984b'/>
<id>0c335d751a21d6b46bd78dd1118860e84021984b</id>
<content type='text'>
As we are going to introduce the MODE_VU that will act like
the mode MODE_PASST, compare to MODE_PASTA rather than adding
a comparison to MODE_VU when we check for MODE_PASST.

Signed-off-by: Laurent Vivier &lt;lvivier@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>cppcheck: Make many pointers const</title>
<updated>2023-10-04T21:23:35+00:00</updated>
<author>
<name>David Gibson</name>
<email>david@gibson.dropbear.id.au</email>
</author>
<published>2023-09-29T05:50:19+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=6471c7d01b0aad9d144448290557fcd783562228'/>
<id>6471c7d01b0aad9d144448290557fcd783562228</id>
<content type='text'>
Newer versions of cppcheck (as of 2.12.0, at least) added a warning for
pointers which could be declared to point at const data, but aren't.
Based on that, make many pointers throughout the codebase const.

Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>isolation: keep CAP_SYS_PTRACE when required</title>
<updated>2023-06-25T21:49:25+00:00</updated>
<author>
<name>Paul Holzinger</name>
<email>pholzing@redhat.com</email>
</author>
<published>2023-06-23T08:25:32+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=594dce66d3bbe30fa3f7ccce8b8eebb0bf3e7f2e'/>
<id>594dce66d3bbe30fa3f7ccce8b8eebb0bf3e7f2e</id>
<content type='text'>
When pasta is started from an existing userns and tries to join the
netns from another process it fails to open /proc/$pid/ns/net due to the
missing CAP_SYS_PTRACE capability in the --netns-only case.

A simple reproducer for this.
First create a userns:
$ unshare -r

Then create a new netns inside it and try to join that netns with pasta.
$ unshare -n sleep inf &amp;
$ pasta --config-net --netns /proc/$!/ns/net

Signed-off-by: Paul Holzinger &lt;pholzing@redhat.com&gt;
Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
</content>
</entry>
<entry>
<title>isolation: Initially Keep CAP_SETFCAP if running as UID 0 in non-init</title>
<updated>2023-05-23T14:13:28+00:00</updated>
<author>
<name>Stefano Brivio</name>
<email>sbrivio@redhat.com</email>
</author>
<published>2023-05-21T13:03:31+00:00</published>
<link rel='alternate' type='text/html' href='https://passt.top/passt/commit/?id=770d1a4502dd214c75b1418b49c0f51fdbb2ad8e'/>
<id>770d1a4502dd214c75b1418b49c0f51fdbb2ad8e</id>
<content type='text'>
If pasta spawns a child process while running as UID 0, which is only
allowed from a non-init namespace, we need to keep CAP_SETFCAP before
pasta_start_ns() is called: otherwise, starting from Linux 5.12, we
won't be able to update /proc/self/uid_map with the intended mapping
(from 0 to 0). See user_namespaces(7).

Signed-off-by: Stefano Brivio &lt;sbrivio@redhat.com&gt;
Reviewed-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
</content>
</entry>
</feed>
