• [gentoo-user] setcap fails: (Operation not supported)

    From Grant Edwards@21:1/5 to All on Thu Sep 30 19:30:01 2021
    I'm trying to add NET_ADMIN capability to an executable that needs to
    create a tun interface. AFAICT, this is the command to do that:

    $ sudo setcap cap_net_admin+ep example_app
    Failed to set capabilities on file `example_app' (Operation not supported)

    The only possible cause for that message Google has been able to find
    is that the FS doesn't have xattr support. It's an ext4 filesystem,
    and I believe xattr support is enabled:

    $ rm -f xattr-test
    $ touch xattr-test
    $ setfattr -n user.test -v "hello" xattr-test
    $ getfattr -d xattr-test
    # file: xattr-test
    user.test="hello"

    (AFAICT, there's no way to disable xattr support in ext4.)

    I've also found sources that mention that in the kernel configuration
    under 'enable different security models' you have to enable the
    'capabilities' option. But, that option doesn't seem to exist in 5.10
    kernels. The only occurrences of the string CAPAB in 5.10 Kconfig files
    are CPU_THUMB_CAPABLE.

    What do I need to do to get setcap to work?

    --
    Grant

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Edwards@21:1/5 to Grant Edwards on Thu Sep 30 19:40:02 2021
    On 2021-09-30, Grant Edwards <grant.b.edwards@gmail.com> wrote:

    > I'm trying to add NET_ADMIN capability to an executable that needs to
    > create a tun interface. AFAICT, this is the command to do that:
    >
    > $ sudo setcap cap_net_admin+ep example_app
    > Failed to set capabilities on file `example_app' (Operation not supported)
    >
    > The only possible cause for that message Google has been able to find
    > is that the FS doesn't have xattr support.

    Is Posix ACL support required for setcap?

    I can't find any documentation of such a requirement, but it's the
    only other thing I can think of...

    --
    Grant

  • From Grant Edwards@21:1/5 to Grant Edwards on Thu Sep 30 20:00:01 2021
    On 2021-09-30, Grant Edwards <grant.b.edwards@gmail.com> wrote:
    > On 2021-09-30, Grant Edwards <grant.b.edwards@gmail.com> wrote:
    >
    >> I'm trying to add NET_ADMIN capability to an executable that needs to
    >> create a tun interface. AFAICT, this is the command to do that:
    >>
    >> $ sudo setcap cap_net_admin+ep example_app
    >> Failed to set capabilities on file `example_app' (Operation not supported)
    >>
    >> The only possible cause for that message Google has been able to find
    >> is that the FS doesn't have xattr support.
    >
    > Is Posix ACL support required for setcap?
    >
    > I can't find any documentation of such a requirement, but it's the
    > only other thing I can think of...

    That's not it. I rebuilt my kernel with POSIX ACL support enabled for
    ext4, rebooted, and verified that ACLs now work.

    Still can't figure out how to get setcap to work

    # file example_app
    example_app: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped

    # setcap cap_net_admin,cap_net_raw+eip example_app
    Failed to set capabilities on file `example_app' (Operation not supported)

    --
    Grant

  • From Andrew Udvare@21:1/5 to Grant Edwards on Thu Sep 30 22:50:03 2021
    On 30/09/2021 13:58, Grant Edwards wrote:
    > On 2021-09-30, Grant Edwards <grant.b.edwards@gmail.com> wrote:
    >> On 2021-09-30, Grant Edwards <grant.b.edwards@gmail.com> wrote:
    >>
    >>> I'm trying to add NET_ADMIN capability to an executable that needs to
    >>> create a tun interface. AFAICT, this is the command to do that:
    >>>
    >>> $ sudo setcap cap_net_admin+ep example_app
    >>> Failed to set capabilities on file `example_app' (Operation not supported)
    >>>
    >>> The only possible cause for that message Google has been able to find
    >>> is that the FS doesn't have xattr support.
    >>
    >> Is Posix ACL support required for setcap?
    >>
    >> I can't find any documentation of such a requirement, but it's the
    >> only other thing I can think of...
    >
    > That's not it. I rebuilt my kernel with POSIX ACL support enabled for
    > ext4, rebooted, and verified that ACLs now work.
    >
    > Still can't figure out how to get setcap to work
    >
    > # file example_app
    > example_app: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
    >
    > # setcap cap_net_admin,cap_net_raw+eip example_app
    > Failed to set capabilities on file `example_app' (Operation not supported)
    >
    > --
    > Grant


    Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?

  • From Grant Edwards@21:1/5 to Andrew Udvare on Fri Oct 1 00:10:02 2021
    On 2021-09-30, Andrew Udvare <audvare@gmail.com> wrote:
    > On 30/09/2021 13:58, Grant Edwards wrote:
    >
    >> Still can't figure out how to get setcap to work
    >
    > Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?

    No, I don't.

    Google has found me information that indicates that SELinux and MAC
    (Mandatory Access Controls) require FS_SECURITY, but Google can't find
    any indication that FS_SECURITY is required for linux file
    capabilities.

    I should try enabling it and see...

    Several years ago, I know I could set capabilities on executables (on
    a different Gentoo machine), and I don't remember it being difficult
    to get working at all...

    --
    Grant

  • From Grant Edwards@21:1/5 to Laurence Perkins on Fri Oct 1 21:30:02 2021
    On 2021-10-01, Laurence Perkins <lperkins@openeye.net> wrote:

    > Doesn't it require xattrs?

    Yes, I had xattrs enabled. That used to be enough to get setcap to work.

    It now also requires CONFIG_*_FS_SECURITY, which I didn't have enabled.

    --
    Grant

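The conclusion the thread reaches, as an added example rather than anything posted in it: setcap stores file capabilities in the `security.capability` xattr (a struct vfs_cap_data, revision 2 here), so the filesystem needs its CONFIG_*_FS_SECURITY option and not merely xattr support. The script below encodes and decodes that blob for the thread's cap_net_admin/cap_net_raw case and maps an ENOTSUP from the security.* namespace onto that diagnosis; the FileCaps type and read_file_caps helper are my own, and os.getxattr requires Linux.

```python
import errno
import os
import struct
from dataclasses import dataclass

# Layout and constants from include/uapi/linux/capability.h (struct vfs_cap_data)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NET_ADMIN, CAP_NET_RAW = 12, 13   # the two capabilities used in the thread
XATTR_NAME = "security.capability"    # security.* namespace, hence CONFIG_*_FS_SECURITY

@dataclass(frozen=True)
class FileCaps:  # hypothetical helper type, not part of the thread
    permitted: frozenset
    inheritable: frozenset
    effective: bool  # revision 2 has a single flag: "all permitted caps are also effective"

def _mask(caps):
    return sum(1 << c for c in caps)

def _bits(mask):
    return frozenset(i for i in range(64) if mask >> i & 1)

def encode_vfs_cap(permitted, inheritable=(), effective=True) -> bytes:
    """20-byte revision-2 blob: magic_etc, then {permitted, inheritable} low and high words."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    p, i = _mask(permitted), _mask(inheritable)
    return struct.pack("<5I", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)

def decode_vfs_cap(blob: bytes) -> FileCaps:
    if len(blob) < 20:
        raise ValueError("too short for struct vfs_cap_data")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob)
    if magic & VFS_CAP_REVISION_MASK != VFS_CAP_REVISION_2:
        raise ValueError(f"unsupported vfs_cap_data revision 0x{magic >> 24:02x}")
    return FileCaps(_bits(p_lo | p_hi << 32), _bits(i_lo | i_hi << 32),
                    bool(magic & VFS_CAP_FLAGS_EFFECTIVE))

def read_file_caps(path: str):
    """Decoded caps, None if unset, or a diagnostic string for the thread's ENOTSUP failure."""
    try:
        return decode_vfs_cap(os.getxattr(path, XATTR_NAME))
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return ("security.* xattrs rejected: enable CONFIG_<FS>_FS_SECURITY for this "
                    "filesystem; CONFIG_<FS>_FS_XATTR alone is not enough")
        raise
```

`read_file_caps("example_app")` returns the decoded set after a successful `setcap cap_net_admin,cap_net_raw+eip`, and the diagnostic string on a filesystem built without its *_FS_SECURITY option.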