Unhelpful error message when attempting to unset Permitted capabilities
#84
Comments
|
Thanks for the report. I'm not planning to add additional heuristic and smartness to the methods here, as it can be surprising in other ways and even harder to discover. If there are very common usecases, we can consider adding ad-hoc functions under a new dedicated |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you attempt to set capabilities in the Permitted capabilities set to a strict subset of the current capabilities without first dropping them in the Effective set, then this library returns an unhelpful error message
CapsError("capset failure: Operation not permitted (os error 1)").Under the hood, this library sets exactly what you tell it to and otherwise preserves the current state. This causes issues when using
setto drop a lot of capabilities at once (for my application, I only need a few capabilities, so it's easier tosetwhat I need than toclearwhat I don't). If I immediately set the Permitted capabilities, then the syscall it produces tries to preserve the current Effective capabilities and set the Permitted capabilities, which produces an Effective set that is no longer a subset of the Permitted set (which isn't allowed, hence the error return).I'd prefer if calling
seton the Permitted capabilities could also intersect the provided capabilities with the current Effective set and only set those Effective capabilities, so you can just make one call tosetto drop the capabilities. However, that would be changing the API in ways that I'm not sure if you'd want, so if that's not allowed, then I'd prefer for this failure mode to get a more descriptive error message (likely has to be manually inserted as a check before we syscall into the kernel) and for documentation of this limitation could be put intoset(and other methods if they also have this behavior).The text was updated successfully, but these errors were encountered: