isolation: keep CAP_SYS_PTRACE when required

When pasta is started from an existing userns and tries to join the
netns from another process it fails to open /proc/$pid/ns/net due the
missing CAP_SYS_PTRACE capability in the --netns-only case.

A simple reproducer for this.
First create a userns:
$ unshare -r

Then create a new netns inside it and try to join that netns with pasta.
$ unshare -n sleep inf &
$ pasta --config-net --netns /proc/$!/ns/net

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/isolation.c b/isolation.c
index 19932bf..1866724 100644
--- a/isolation.c
+++ b/isolation.c
@@ -202,9 +202,11 @@ void isolate_initial(void)
 	 * a mapping from UID 0, which only happens with pasta spawning a child
 	 * from a non-init user namespace (pasta can't run as root), we need to
 	 * retain CAP_SETFCAP too.
+	 * We also need to keep CAP_SYS_PTRACE in order to join an existing netns
+	 * path under /proc/$pid/ns/net which was created in the same userns.
 	 */
 	if (!ns_is_init() && !geteuid())
-		keep |= BIT(CAP_SETFCAP);
+		keep |= BIT(CAP_SETFCAP) | BIT(CAP_SYS_PTRACE);
 
 	drop_caps_ep_except(keep);
 }