cli: Gate IPC namespace entrance on CAP_SYS_ADMIN#2117
Open
cgwalters wants to merge 1 commit into bootc-dev:main from
Conversation
cgwalters (Author, Collaborator):

In theory we could try to move some other things we do at install time here...or...perhaps safer, consolidate this with a single "re-exec self" dance. I kind of lean to the latter, it has a lower blast radius. But I think this change will work fine for now.
Code Review

This pull request refactors the IPC namespace joining logic into a dedicated function and introduces a CAP_SYS_ADMIN capability check to allow unprivileged execution of basic CLI commands. A regression test was added to ensure bootc --help works for non-root users. Feedback was provided to include logging when the IPC namespace join is skipped to improve observability.
0bc4bc0 to 19d990f
Extract the IPC namespace joining logic into a join_host_ipc_namespace() helper that checks the effective capability set for CAP_SYS_ADMIN first, since setns() requires it. Without the capability we skip the operation entirely.

Fixes: bootc-dev#2090
Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>
19d990f to 7376e0a
Extract the IPC namespace joining logic into a join_host_ipc_namespace() helper that checks for CAP_SYS_ADMIN first, since setns() requires it. Without the capability we skip the operation entirely.
Fixes: #2090
Assisted-by: OpenCode (Claude Opus 4)
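The capability gate described in this PR, as an added example that is not bootc's own code: it assumes the effective set is read from the `CapEff` field of `/proc/self/status` (bit 21 is CAP_SYS_ADMIN in linux/capability.h) and shows only the decision plus the skip log line, leaving the actual `setns()` call to the caller.

```rust
use std::{fs, io};

/// Bit index of CAP_SYS_ADMIN in the Linux capability mask (linux/capability.h).
const CAP_SYS_ADMIN: u32 = 21;

/// Parse the `CapEff:` line of a /proc/<pid>/status dump into the effective
/// capability bitmask. None if the line is missing or malformed.
pub fn parse_cap_eff(status: &str) -> Option<u64> {
    status
        .lines()
        .find_map(|line| line.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// True if the effective capability mask includes CAP_SYS_ADMIN.
pub fn has_cap_sys_admin(cap_eff: u64) -> bool {
    cap_eff & (1u64 << CAP_SYS_ADMIN) != 0
}

/// Outcome of the gate that runs before any setns() attempt: Proceed means
/// CAP_SYS_ADMIN is held; Skipped means an unprivileged caller (e.g. `bootc --help`).
#[derive(Debug, PartialEq)]
pub enum IpcJoin { Proceed, Skipped }

/// Gate the namespace join on the effective capability set. Takes the status
/// text as input so the decision can be unit-tested without root.
pub fn decide_ipc_join(status: &str) -> IpcJoin {
    match parse_cap_eff(status) {
        Some(caps) if has_cap_sys_admin(caps) => IpcJoin::Proceed,
        _ => {
            // Log the skip so an operator can see why the join never happened.
            eprintln!("skipping host IPC namespace join: CAP_SYS_ADMIN not in effective set");
            IpcJoin::Skipped
        }
    }
}

/// Apply the gate to the current process using its own procfs status.
pub fn decide_for_self() -> io::Result<IpcJoin> {
    let status = fs::read_to_string("/proc/self/status")?;
    Ok(decide_ipc_join(&status))
}

fn main() {
    // Constructed sample status fragments, not captured from a real host.
    let privileged = "Name:\tbootc\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n";
    let unprivileged = "Name:\tbootc\nCapEff:\t0000000000000000\n";
    println!("{:?} / {:?}", decide_ipc_join(privileged), decide_ipc_join(unprivileged));
}
```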