Bug 214705

Summary: execve(2) omits EACCES due to capabilities
Product: Documentation
Reporter: Daniel Speyer (dspeyer)
Component: man-pages
Assignee: documentation_man-pages (documentation_man-pages)
Status: NEW
Severity: normal
CC: alx
Priority: P1
Hardware: All
OS: Linux
Kernel Version:
Subsystem:
Regression: No
Bisected commit-id:
Attachments: attachment-26475-0.html

Description Daniel Speyer 2021-10-13 02:36:41 UTC
The man page for execve lists only 4 reasons the syscall can fail with errno==EACCES.  In fact, there is at least one more.  If the binary being executed has a setfattr'ed capability such as CAP_IPC_LOCK which is not supported in the caller's kernel namespace (docker container), execve will fail with this error.

I just spent a great deal of frustrating effort searching for a non-existent elf interpreter or mount-noexec issue because I trusted this man page.
Comment 1 Alejandro Colomar 2021-10-15 22:10:08 UTC
Hello Daniel,

Tracking the paths that can lead to an error is difficult.  Could you share the results of your investigation?  I'd like to check it in the source code.

Thanks,

Alex
Comment 2 Daniel Speyer 2021-10-16 18:16:54 UTC
Created attachment 299229: attachment-26475-0.html

dspeyer@dspeyerheim:~$ sudo docker run -it ubuntu /bin/bash
root@8b839371814b:/# apt-get update > /dev/null
root@8b839371814b:/# apt-get install libcap2-bin -y >/dev/null
debconf: delaying package configuration, since apt-utils is not installed
root@8b839371814b:/# setcap cap_ipc_lock=+eip  /usr/bin/ls
root@8b839371814b:/# ls
bash: /usr/bin/ls: Operation not permitted

I've confirmed with a small C program that bash is passing on execve's
error message correctly, but copy-pasting the C program would be
inconvenient right now.

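The comment above mentions a small C program that checks what execve(2) actually returns. The following is an added example of such a checker, not the program from the thread: it execs the given path in a child process and returns the child's errno symbolically, so that EACCES (strerror "Permission denied") and EPERM (strerror "Operation not permitted", the text bash prints in the session above) are not confused. The fork/pipe plumbing and the function names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Symbolic names for the errno values this thread is about. */
const char *errno_name(int err)
{
    switch (err) {
    case EACCES:  return "EACCES";   /* strerror: "Permission denied" */
    case EPERM:   return "EPERM";    /* strerror: "Operation not permitted" */
    case ENOENT:  return "ENOENT";
    case ENOEXEC: return "ENOEXEC";
    default:      return "other";
    }
}

/* execve() path in a child and return the errno the child saw, or 0 if the
 * exec succeeded.  The child reports errno through a close-on-exec pipe, so
 * a successful exec simply closes the pipe (EOF) without writing anything. */
int exec_errno(const char *path)
{
    int fds[2], err = 0;
    if (pipe(fds) == -1 || fcntl(fds[1], F_SETFD, FD_CLOEXEC) == -1)
        return errno;
    pid_t pid = fork();
    if (pid == -1)
        return errno;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        close(fds[0]);
        execve(path, argv, envp);
        err = errno;                       /* only reached when execve failed */
        if (write(fds[1], &err, sizeof err) == -1)
            _exit(126);
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &err, sizeof err);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t) sizeof err ? err : 0;
}
```

Call exec_errno() on the path that fails and print errno_name() of the result next to strerror(); that tells you which of the documented error paths you are actually on before you go hunting for a missing ELF interpreter or a noexec mount.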