!kyXJonZuBXCGzVwuSn:nixos.org

Systems Programming

301 Members, 75 Servers
Topic: Kernel, stdenv, low-level hacking, patchelf, …



10 Jul 2022
[17:06:34] problems (@kity:kity.wtf): good work figuring that out anyways
[17:06:55] K900 (Old) (@k900:0upti.me): So I hope someone does it before I get some more spare brain power
12 Jul 2022
[21:32:14] Qubasa (@qubasa:gchq.icu) changed their profile picture.
20 Jul 2022
[16:08:10] Qubasa (@qubasa:gchq.icu) changed their profile picture.
26 Jul 2022
[14:40:37] underpantsgnome (@tinybronca:sibnsk.net) changed their display name from tinybronca to tailrec.
[15:43:23] underpantsgnome (@tinybronca:sibnsk.net) changed their display name from tailrec to tinybronca.
30 Jul 2022
[22:34:32] Qubasa (@qubasa:gchq.icu) changed their profile picture.
31 Jul 2022
[10:11:34] Minion3665 (@minion3665:matrix.org) joined the room.
1 Aug 2022
[09:11:11] better_sleeping (@better_sleeping:converser.eu) joined the room.
[09:11:25] better_sleeping (@better_sleeping:converser.eu) left the room.
3 Aug 2022
[12:55:05] Xandor Schiefer (@zeorin:matrix.org) joined the room.
[22:55:55] pie_ (@jcie74:matrix.org): Is there a tool that will tell me why the kernel is denying me something or do I have to learn ftrace.
4 Aug 2022
[09:37:17] Qubasa (@qubasa:gchq.icu): Normally ls -la on the file in question is enough
[10:18:30] Linux Hackerman (@linus:schreibt.jetzt): pie_: it depends on what it's denying you
[15:24:22] pie_ (@jcie74:matrix.org): When I run ip link add "w0" type wireguard in a systemd service that has cap_net_admin (afaict) in a privileged container, I get RTNETLINK answers: Operation not permitted
[15:24:29] pie_ (@jcie74:matrix.org): (Same thing I posted in the systemd channel)
[15:25:19] pie_ (@jcie74:matrix.org): * When I run ip link add dev w0 type wireguard in a systemd service that has cap_net_admin (afaict) in a privileged container, I get RTNETLINK answers: Operation not permitted
[15:28:56] K900 (Old) (@k900:0upti.me): I don't think you're allowed to create Wireguard interfaces without being actually root
[15:31:39] K900 (Old) (@k900:0upti.me): Actually maybe you can do it in a netns?
[15:32:44] pie_ (@jcie74:matrix.org): the service is running as root in the container
[15:32:46] pie_ (@jcie74:matrix.org): * the service is running as root in the container
[15:33:09] pie_ (@jcie74:matrix.org): also I don't know if nixos-container root-login is a real container shell but I can do the ip link add just fine there
5 Aug 2022
[00:44:40] pie_ (@jcie74:matrix.org):

apparently I don't actually have the capabilities systemd show says I have:

bash-5.1# capsh --print
Current: =ep cap_net_admin,cap_ipc_lock,cap_sys_module,cap_sys_rawio,cap_sys_pacct,cap_sys_time,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore-ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
Ambient set =
Current IAB: !cap_net_admin,!cap_ipc_lock,!cap_sys_module,!cap_sys_rawio,!cap_sys_pacct,!cap_sys_time,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=
Guessed mode: HYBRID (4)

Well, it is called "bounding" set?:

# systemctl show wireguard-w0 -p CapabilityBoundingSet | cat
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore
[00:48:40] pie_ (@jcie74:matrix.org):

more clearly:

bash-5.1# capsh --has-p=cap_net_admin --has-p=cap_syslog
cap[cap_net_admin] not permitted
[00:53:16] pie_ (@jcie74:matrix.org):
In reply to @jcie74:matrix.org: "Is there a tool that will tell me why the kernel is denying me something or do I have to learn ftrace."
re: something could have told me "lol bro you don't actually have the cap" xP
[00:53:31] pie_ (@jcie74:matrix.org): If you actually know what you're doing, well yeah, you check capsh
[00:53:36] pie_ (@jcie74:matrix.org): * If you actually know what you're doing, well yeah, you check capsh
[03:02:17] pie_ (@jcie74:matrix.org): when a constant is memorable so you google it https://www.google.com/search?q=capbnd+00000000fdecafff -> http://k.japko.eu/systemd-nspawn-ping-debug.html
[05:00:08] pie_ (@jcie74:matrix.org): The problem ended up being that contrary to my expectations, nspawn screws with capabilities even if you don't set any flags. --capabilities=all fixed it
6 Aug 2022
[03:39:35] woobilicious (@woobilicious:matrix.org): working on a stats library for linux: https://github.com/YellowOnion/bcachefs/commit/2438d6a0ba6fca4e459b08df472e6cd16fd50e17 :-)


