snap-confine cannot perform namespace capture even with CAP_SYS_ADMIN
Bug #1657099 reported by
Zygmunt Krynicki
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
On Fedora snap-confine is using Linux capabilities and doesn't run as root. This apparently prevents it from performing one specific mount operation, the one that captures the mount namespace of a running process and preserves it in a file. The particular operation is similar to mount --bind /proc/$PID/ns/mnt /run/ns/
It would be good to inspect the kernel and see if that specific operation is covered by the appropriate capability or if we really need to run as regular root to do this.
This bug is a clone of the following github issue: https:/
| description: | updated |
| tags: | added: cross-distro |
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #1 |
| Changed in snapd: | |
| status: | New → Won't Fix |
To post a comment you must log in.
I'm marking this as WONTFIX for now as we abandoned the capability-based code for now. We can re-examine this as the interest arises.