site  contact  subhomenews

libcap-ng and pflask recompiled for patched 5.4.84 kernel

December 17, 2020 — BarryK

Utility 'pflask' is used in EasyContainers to run containers with various reduced capabilities, what we call "crippled root".

It has 'libcap-ng' dependency, which is a problem as that is compiled for a 4.19.x kernel with un-patched Linux Capabilities. I have patched the 5.4.84 kernel in the EasyOS Buster-series with CAP_SYS_MOUNT capability separated from CAP_SYS_ADMIN. Note, have also done it for the 5.10 kernel, as reported here:

...however, the Buster-series is going to stay with the 5.4.x kernel.

A problem is that Linux Capabilities is different in the 5.10 kernel, a few extra have been added. Each capability has a number, in the 5.4 kernel it is 0 to 37, in the 5.8 and later kernel it is 0 to 40: look at /usr/include/linux/capability.h

In the 5.4.x kernel CAP_SYS_MOUNT has been added as #38, and in the 5.10 kernel as #41.

'libcap' (including 'capsh' utility), 'libcap-ng' and 'pflask' all have to be recompiled for each of these kernels.

I have installed '', running EasyOS and 5.4.84 kernel, and recompiled libcap-ng and pflask -- capsh was already ok (I had previously compiled it statically with musl, as it is used in the initrd).

Script 'ec-chroot' in /usr/local/easy_containers has been edited. It runs "capsh --supports=cap_sys_mount" to test if kernel has that patch. If so, for the choice of dropping CAP_SYS_ADMIN in the container, CAP_SYS_MOUNT is also dropped. 

Will have to go through the same exercise when move to the 5.10 kernel. 

Tags: easy