* Paolo Bonzini (pbonz...@redhat.com) wrote:
> On 29/11/19 10:34, Daniel P. Berrangé wrote:
> >> y) Should we flip over to only using one or the other - what
> >> are the advantages?
> > In libvirt we use libcap-ng. We picked this originally as its API
> > design allows you to write simpler code than libcap in some cases
> > You can see some docs & examples here:
> >
> > https://people.redhat.com/sgrubb/libcap-ng/
> >
> > So I vote for changing the 9p code to use libcap-ng.
>
> It's not entirely trivial because fsdev-proxy-helper wants to keep the
> effective set and clear the permitted set; in libcap-ng you can only
> apply both sets at once, and you cannot choose only one of them in
> capng_clear/capng_get_caps_process. But it's doable, I'll take a look.

I'm having some difficulties making the same conversion for virtiofsd;
all it wants to do is drop (and later recover) CAP_FSETID from its
effective set; so I'm calling capng_get_caps_process (it used to be
cap_get_proc). While libcap survives just using the capget syscall,
libcap-ng wants to read /proc/<TID>/status - and that's a problem
because we're in a sandbox without /proc mounted at that point.

Dave

> In the meanwhile, if someone else wants to look at the CI I would
> appreciate that.
>
> Paolo
>
>
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
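
Added example, not part of the original thread and not virtiofsd's or libcap's code: dropping and recovering CAP_FSETID in the effective set with the raw capget/capset syscalls, the /proc-free path the message above attributes to libcap. The names caps_read, cap_effective_has and cap_effective_set are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper names; raw capget/capset act on the calling thread
 * only (pid 0) and never open /proc. */
static int caps_read(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2])
{
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;
    return (int)syscall(SYS_capget, hdr, data);
}

/* Returns 1 if cap is in the effective set, 0 if not, -1 on error. */
int cap_effective_has(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (caps_read(&hdr, data) < 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Sets (on != 0) or clears cap in the effective set; the permitted and
 * inheritable sets are written back unchanged. Returns 0 or -1. */
int cap_effective_set(int cap, int on)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (caps_read(&hdr, data) < 0)
        return -1;
    __u32 *eff = &data[CAP_TO_INDEX(cap)].effective;
    *eff = on ? (*eff | CAP_TO_MASK(cap)) : (*eff & ~CAP_TO_MASK(cap));
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    int had = cap_effective_has(CAP_FSETID);
    printf("CAP_FSETID effective: %d\n", had);
    if (had == 1 && cap_effective_set(CAP_FSETID, 0) == 0) {
        printf("after drop: %d\n", cap_effective_has(CAP_FSETID));
        cap_effective_set(CAP_FSETID, 1); /* recover it */
    }
    return had < 0;
}
```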