On 02/12/19 11:07, Dr. David Alan Gilbert wrote: > * Paolo Bonzini (pbonz...@redhat.com) wrote: >> Il ven 29 nov 2019, 19:54 Dr. David Alan Gilbert <dgilb...@redhat.com> ha >> scritto: >> >>>> Yes, it's per thread. The state can be built from >>>> capng_clear/capng_get_caps_process + capng_update, and left in there >>>> forever. There is also capng_save_state/capng_restore_state which, as >>>> far as I can see from the sources, can be used across threads. >>> >>> So, I think what you're saying is I need to: >>> a) Before we sandbox do the capng_get_caps_process >>> >> >> Why not after sandboxing? > > Because in our sandbox we don't have /proc and capng_get_caps_process > tries to read /proc/.../status and fails. The old libcap code doesn't > use /proc, it just uses capget (which the new one also uses).
"In the middle of sandboxing" would have been a more precise suggestion. In the virtio-9p proxy I set up the state right after the sandboxing capng_apply, so that there is no need to do capng_get_caps_process (the libcap virtio-9p also used cap_get_proc). So you could capng_save_state there. Paolo
