author: Michael Meeks <michael.meeks@collabora.com> 2021-01-04 11:49:58 +0000
committer: Michael Meeks <michael.meeks@collabora.com> 2021-01-04 15:05:36 +0000
commit: 317dffb8176926cb6891fa8ca9cb332050fb3a60
tree: 3defda45026447c5586f8627e8919dd9a80c0b94 /debian
parent: updated .gitignore for docker
Optimize copy of jails to hard-linking with new capability.
In some cases we cannot do a fast bind-mount of the files we want in our jail since we don't have cap_sys_admin for loolmount inside e.g. docker. Thus we need to fall back to hard-linking, however various security systems namespace parts of our tree, such that link() fails with EXDEV even across the (apparently) same file-system.

As such we need to assemble a copy of what we want to hard-link close to our jails. However, this needs to be owned by root / the system to avoid having writable files shared between jails. Hence we need cap_chown in addition to cap_fowner, to get ownership right and then hard-link.

Change-Id: Iba0ef46ddbc1c03f3dc7177bc1ec1755624135db
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Diffstat (limited to 'debian')
-rw-r--r-- debian/loolwsd.postinst.in 2
1 files changed, 1 insertions, 1 deletions
diff --git a/debian/loolwsd.postinst.in b/debian/loolwsd.postinst.in
index 05e0c02f98..fa924f0b4e 100644
--- a/debian/loolwsd.postinst.in
+++ b/debian/loolwsd.postinst.in
@@ -4,7 +4,7 @@ set -e
case "$1" in
configure)
- setcap cap_fowner,cap_mknod,cap_sys_chroot=ep /usr/bin/loolforkit || true
+ setcap cap_fowner,cap_chown,cap_mknod,cap_sys_chroot=ep /usr/bin/loolforkit || true
setcap cap_sys_admin=ep /usr/bin/loolmount || true
adduser --quiet --system --group --home /opt/lool lool
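Review bot: The `|| true` on the changed `setcap ... /usr/bin/loolforkit` line now hides a failure that matters more than before. The commit message says the hard-link fallback relies on cap_chown to make the shared copy root-owned, so if setcap fails at configure time the package still installs cleanly and loolforkit runs without the capability that keeps jails from sharing writable files. Consider printing a warning to stderr when setcap fails instead of discarding the result silently. Because `cap_chown` is granted as `=ep` on the whole binary, a one-line comment above the setcap call recording why it is needed (ownership of the link source tree) would also help later audits of this capability set, and it is worth confirming that loolforkit drops cap_chown once the copy is assembled.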