File capabilities (setcap, getcap) missing in Turris OS 5
(Copying from forum entry with same topic, as this looks like the correct place to notify this.)
Hi! I recently upgraded my Omnia from Turris OS 3 to 5 (5.1.4 to be exact) and I noticed some breakage in containers. They seem to be caused by file capabilities not being enabled for file systems. For instance:
    root@container:~# getcap /usr/bin/ping
    Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)
Container capabilities seem to be correct:
    lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
So the setfcap capability should be available to it. In fact, if I run the container's getcap program from the host OS (with chroot and ld.so trickery) it yields the same error, so it doesn't look like it is caused by the container itself.
This worked without issues in Turris OS 3. I guess that it's no big deal for OpenWRT/Turris OS itself (so it may be a good default for plain OWRT), but for containers it means that all kinds of contortions prone to security vulnerabilities are needed where previously a simple setcap was sufficient (like in the ping example, where it will probably end up being made setuid root).
I think it would make sense to enable file capabilities for file systems in the next OS updates (i.e. just enable support in the kernel).
Thank you very much for an excellent product and support!
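The "Operation not supported" that getcap prints in the post is the kernel refusing the security.capability extended attribute on that file system, which is where setcap stores file capabilities. The following Python script is an added example, not part of the post or of Turris OS; it probes a directory for that xattr without needing root (reading the attribute is unprivileged, and a file system that supports it answers ENODATA for a file with no caps, while one that does not answers ENOTSUP, the same errno behind getcap's message), and it encodes and decodes the 20-byte VFS_CAP_REVISION_2 blob that `setcap cap_net_raw+ep /usr/bin/ping` would write, to show that ping only needs the single CAP_NET_RAW bit rather than setuid root. The capability numbers and struct layout are from the kernel's <linux/capability.h>; the assumption that the cause is missing security.* xattr support in the kernel/file system build is the example's, not a finding from the post.

```python
import errno
import os
import struct
import tempfile

# Layout of the security.capability xattr (struct vfs_cap_data, <linux/capability.h>).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # 12 bytes: one 32-bit permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000   # 20 bytes: two pairs (64 capability bits)
VFS_CAP_REVISION_3 = 0x03000000   # 24 bytes: revision 2 plus a namespaced rootid
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# A few capability numbers from <linux/capability.h>; others are shown as cap_N.
CAP_NET_RAW, CAP_NET_ADMIN, CAP_SETFCAP, CAP_SYS_ADMIN = 13, 12, 31, 21
CAP_MAC_ADMIN, CAP_MAC_OVERRIDE = 33, 32
CAP_NAMES = {
    0: "cap_chown", 7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw",
    16: "cap_sys_module", 17: "cap_sys_rawio", 21: "cap_sys_admin",
    25: "cap_sys_time", 31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
}


def fscaps_support(directory=None):
    """Report whether files in `directory` can carry security.capability.

    Returns "supported" when the xattr namespace works (attribute present, or
    ENODATA for a file without caps) and "unsupported" when the kernel answers
    ENOTSUP, which is what getcap prints as "Operation not supported".
    """
    fd, path = tempfile.mkstemp(dir=directory or tempfile.gettempdir())
    try:
        os.close(fd)
        os.getxattr(path, "security.capability")   # unprivileged read
        return "supported"
    except OSError as e:
        if e.errno == errno.ENODATA:
            return "supported"
        if e.errno == errno.ENOTSUP:
            return "unsupported"
        raise
    finally:
        os.unlink(path)


def _mask(caps):
    """Turn an iterable of capability numbers into a 64-bit bitmask."""
    return sum(1 << c for c in set(caps))


def _names(mask):
    """Sorted capability names for the bits set in `mask`."""
    return sorted(CAP_NAMES.get(c, "cap_%d" % c) for c in range(64) if mask >> c & 1)


def encode_caps_v2(permitted, inheritable=(), effective=True):
    """Build the revision-2 blob setcap writes; little-endian 32-bit words."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    p, i = _mask(permitted), _mask(inheritable)
    return struct.pack("<IIIII", magic,
                       p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)


def decode_caps(blob):
    """Parse a security.capability blob of revision 1, 2 or 3 into sets of names."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    pairs, expected = {VFS_CAP_REVISION_1: (1, 12), VFS_CAP_REVISION_2: (2, 20),
                       VFS_CAP_REVISION_3: (2, 24)}.get(rev, (None, None))
    if pairs is None:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % rev)
    if len(blob) != expected:
        raise ValueError("revision 0x%08x needs %d bytes, got %d" % (rev, expected, len(blob)))
    words = struct.unpack_from("<%dI" % (2 * pairs), blob, 4)
    permitted = sum(words[2 * k] << (32 * k) for k in range(pairs))
    inheritable = sum(words[2 * k + 1] << (32 * k) for k in range(pairs))
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else None
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def cap_text(decoded):
    """Render a decoded blob in the `name+flags` form used by setcap (simplified)."""
    flags = {}
    for n in decoded["permitted"]:
        flags.setdefault(n, set()).add("p")
        if decoded["effective"]:
            flags[n].add("e")
    for n in decoded["inheritable"]:
        flags.setdefault(n, set()).add("i")
    return ",".join("%s+%s" % (n, "".join(f for f in "eip" if f in fl))
                    for n, fl in sorted(flags.items()))


if __name__ == "__main__":
    print("file caps on %s: %s" % (tempfile.gettempdir(), fscaps_support()))
    ping_blob = encode_caps_v2({CAP_NET_RAW})   # what setcap cap_net_raw+ep stores
    print(ping_blob.hex(), "->", cap_text(decode_caps(ping_blob)))
```

Running the probe inside the container (or against a chroot of its root file system from the host) distinguishes the two failure modes the post mentions: "unsupported" points at the kernel/file system rather than at lxc.cap.drop, since no capability is needed to read the attribute at all.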