File capabilities (setcap, getcap) missing in Turris OS 5

Hi! I recently upgraded my Omnia from Turris OS 3 to 5 (5.1.4 to be exact) and I noticed some breakage in containers. They seem to be caused by file capabilities not being enabled for file systems. For instance:

root@container:~# getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)

This worked without issues in Turris OS 3. I guess that it’s no big deal for OpenWRT/Turris OS itself (so it may be a good default for plain OWRT), but for containers it means that all kinds of contortions prone to security vulnerabilities are needed where previously a simple setcap was sufficient (like in the ping example, where it will probably end up being made setuid root).

I think it would make sense to enable file capabilities for file systems in the next OS updates (i.e. just enable support in the kernel).

Thank you very much for an excellent product and support!

BTW, container capabilities seem to be correct:

lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

So the setfcap capability should be available to it. In fact, I ran the container’s getcap program from the host OS (with chroot and trickery) and it yields the same error, so it doesn’t look caused by the container itself. Cheers!
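Added example (not from the post or from Turris OS): a small Python probe that reads the `security.capability` xattr directly, which is what getcap does under the hood. It distinguishes the "Operation not supported" case (ENOTSUP from the filesystem, the symptom above) from "no capabilities set" (ENODATA), and decodes a set xattr into capability names so you can audit a root filesystem before falling back to setuid. The capability bit table is a subset; the sample blob is constructed to match what `setcap cap_net_raw+ep` would store.

```python
import errno
import os
import struct

# Subset of capability bit numbers from linux/capability.h (assumed correct).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw",
             21: "cap_sys_admin", 25: "cap_sys_time", 31: "cap_setfcap"}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_MASK = 0xFF000000

def _bits(lo, hi):
    """Expand a 64-bit capability mask (two u32 halves) into names."""
    value = lo | (hi << 32)
    return [CAP_NAMES.get(i, "cap_%d" % i) for i in range(64) if value >> i & 1]

def decode_vfs_cap(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, rev 2 or 3)."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in (0x02000000, 0x03000000):
        raise ValueError("unsupported vfs cap revision 0x%08x" % rev)
    # data[0] holds the low 32 bits, data[1] the high 32 bits.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
    out = {"permitted": _bits(p_lo, p_hi), "inheritable": _bits(i_lo, i_hi),
           "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}
    if rev == 0x03000000:  # revision 3 appends the user-namespace root id
        out["rootid"] = struct.unpack_from("<I", blob, 20)[0]
    return out

def probe_file_caps(path):
    """Return ('unsupported', None) when the filesystem cannot store file caps
    (the ENOTSUP behind 'Operation not supported'), ('no_caps', None) when it
    can but none are set, or ('caps', decoded) when the xattr is present."""
    if not hasattr(os, "getxattr"):  # non-Linux Python builds
        return ("unavailable", None)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return ("unsupported", None)
        if exc.errno == errno.ENODATA:
            return ("no_caps", None)
        raise
    return ("caps", decode_vfs_cap(blob))

# Constructed sample: the xattr `setcap cap_net_raw+ep` writes (revision 2).
SAMPLE_PING_XATTR = struct.pack("<5I", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE,
                                1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(decode_vfs_cap(SAMPLE_PING_XATTR))
    for p in ("/usr/bin/ping", "/bin/ping"):
        if os.path.exists(p):
            print(p, probe_file_caps(p))
```

Run it against the container's root from the host (e.g. `probe_file_caps("/srv/lxc/<name>/rootfs/usr/bin/ping")`) to tell a kernel/filesystem without xattr support apart from a binary that simply has no capabilities set.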

I created issue #223 in GitLab, following the advice from this post.