ELI5 request: Why podman cannot spawn the pasta/rootlesskit/slirp4netns port mapper process with CAP_NET_BIND_SERVICE capability?

[mailinglists35]

In #3212, you suggest a workaround by using net.ipv4.ip_unprivileged_port_start
However, this seems(?) a wider relaxation of security than allowing a single binary to open privileged ports.

Since the issue is locked I cannot ask there for clarification. I am asking here again, @AkihiroSuda @rhatdan if you don't mind: Why do you suggest a worse workaround than allowing CAP_NET_BIND_SERVICE to podman+pasta/rootlesskit/slirp4netns?

Is that the answer actually a technical challenge/impossibility?

Can podman not drop this particular capability after entering the new namespace? Or it is not up to podman to be able to take this decision? OTOH, allowing a lower net.ipv4.ip_unprivileged_port_start has the same effect from a security point of view as allowing a single binary (pasta/rootlesskit) that happens to be able to link any unprivileged requesting process to a privileged port? is that the effect?

Thanks

$sudo setcap cap_net_bind_service=+ep /usr/bin/ncat

[db2dev@podman2 ~]$ sysctl net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 1024

[db2dev@podman2 ~]$ nc -vv -l 25
Ncat: Version 7.91 ( https://nmap.org/ncat )
NCAT DEBUG: Failed to resolve default IPv6 address: Name or service not known
Ncat: Listening on 0.0.0.0:25

[db2dev@podman2 ~]$ podman unshare nc -vv -l 25
Ncat: Version 7.91 ( https://nmap.org/ncat )
NCAT DEBUG: Failed to resolve default IPv6 address: Name or service not known
Ncat: bind to 0.0.0.0:25: Permission denied. QUITTING.

[Luap99]

Podman technically never explicitly drops capabilities, the thing is if you enter a new user namespace you gain all caps but only relative to the new userns. This means that it indirectly drops all the caps for the parent user namespace which means you now are no longer allowed to modify any of the namespaces created by the parent such as the host netns.

The podman user namespace is critical to podman's function as it allows us to mount images as rootless user and much more. Therefore the podman design is to basically allows join the userns right away.

The only way to make it work would be to spawn the rootless networking process from the hosts/init userns and not from the podman userns. This however is not technically possible without a major rewrite on how podman works, basically we would need two processes one that stays in the host userns and one that joins the podman userns and then have some form of API between them so we can tell the parent to launch which processes and so on. And I don't think anyone would want to do this.

[mailinglists35]

thank you