In order to execute must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64")) I need to grant the SYS_CHROOT capability to the process, as follows:
package main

import (
	"log"
	"syscall"

	"kernel.org/pub/linux/libs/security/libcap/cap"
)
func must(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

func main() {
	c := cap.GetProc()
	// Temporarily add SYS_CHROOT capability
	if err := c.SetFlag(cap.Effective, true, cap.SYS_CHROOT); err != nil {
		log.Fatalf("Failed to set capability: %v", err)
	}
	// Re-check the capabilities (SYS_CHROOT should now be effective)
	c = cap.GetProc()
	log.Printf("this process has these caps: %s", c)
	// Check if the capability is granted
	if on, _ := c.GetFlag(cap.Permitted, cap.SYS_CHROOT); !on {
		log.Fatalf("Insufficient privilege to execute syscall.Chroot - required capability not granted")
	}
	// Execute the syscall.Chroot operation
	must(syscall.Chroot("/home/nora/Bureau/Perso/os/ubuntu-base-14.04-core-amd64"))
	// Remove SYS_CHROOT capability
	if err := c.SetFlag(cap.Effective, false, cap.SYS_CHROOT); err != nil {
		log.Fatalf("Failed to remove capability: %v", err)
	}
}
But I get exit status 1 with "Insufficient privilege to execute syscall.Chroot - required capability not granted", which means the process hasn't been granted chroot capabilities. Any clue on what could be the problem?
The c.SetFlag(...) call only raises the effective bit in the c capability Set. You also need to apply that cap.Set to the process with c.SetProc():
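To make the two-step model in that answer concrete, here is an added example that is not part of the question or the answer and does not use libcap. It reproduces the same split with the raw Linux capget(2)/capset(2) system calls from Go's standard library: Get takes a user-space copy of the thread's capability sets (the role of cap.Set), SetFlag edits only that copy, and Apply writes it back, which is the work that c.SetProc() does. The names CapSet, Get, Apply, SetFlag, GetFlag and RaiseLocally are this example's own; the v3 header magic and the CAP_SYS_CHROOT number 18 come from linux/capability.h. It is Linux-only and needs no privilege to run: RaiseLocally repeats the question's sequence and shows that the re-read kernel state is unchanged, and main only attempts capset when CAP_SYS_CHROOT is already in the permitted set.

```go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

// From linux/capability.h: the v3 ABI carries 64 capability bits as two
// 32-bit words, and CAP_SYS_CHROOT is capability number 18.
const linuxCapabilityVersion3 = 0x20080522
const capSysChroot = 18

// The structs that capget(2) and capset(2) take.
type capUserHeader struct{ Version uint32; Pid int32 }
type capUserData struct{ Effective, Permitted, Inheritable uint32 }

// Vector selects which of the three sets a bit operation targets.
type Vector int

const (
	Effective Vector = iota
	Permitted
	Inheritable
)

// CapSet is a user-space copy of the calling thread's capability sets, in the
// same role as libcap's cap.Set: editing it changes nothing in the kernel.
type CapSet struct{ data [2]capUserData }

// Get reads the calling thread's capabilities with capget(2) (pid 0 = self).
func Get() (*CapSet, error) {
	hdr := capUserHeader{Version: linuxCapabilityVersion3}
	var s CapSet
	_, _, errno := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&s.data[0])), 0)
	if errno != 0 {
		return nil, errno
	}
	return &s, nil
}

// Apply writes the copy back with capset(2), the step libcap's SetProc does; the
// kernel answers EPERM if the copy adds a Permitted bit or raises an Effective bit that is not Permitted.
func (s *CapSet) Apply() error {
	hdr := capUserHeader{Version: linuxCapabilityVersion3}
	_, _, errno := syscall.Syscall(syscall.SYS_CAPSET, uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&s.data[0])), 0)
	if errno != 0 {
		return errno
	}
	return nil
}

// word returns the 32-bit field holding capability c in vector v (caps 0-31 live in data[0], 32-63 in data[1]).
func (s *CapSet) word(v Vector, c uint) *uint32 {
	d := &s.data[c/32]
	return [...]*uint32{Effective: &d.Effective, Permitted: &d.Permitted, Inheritable: &d.Inheritable}[v]
}

// GetFlag reports whether capability c is set in vector v of the local copy.
func (s *CapSet) GetFlag(v Vector, c uint) bool { return *s.word(v, c)&(1<<(c%32)) != 0 }

// SetFlag sets or clears capability c in vector v of the local copy only.
func (s *CapSet) SetFlag(v Vector, on bool, c uint) {
	if w := s.word(v, c); on {
		*w |= 1 << (c % 32)
	} else {
		*w &^= 1 << (c % 32)
	}
}

// Equal reports whether two copies describe the same three sets.
func (s *CapSet) Equal(o *CapSet) bool { return s.data == o.data }

// RaiseLocally repeats the question's sequence: flip the bit in the user-space
// copy, then re-read from the kernel; both copies are returned for comparison.
func RaiseLocally(c uint) (local, reread *CapSet, err error) {
	if local, err = Get(); err != nil {
		return nil, nil, err
	}
	local.SetFlag(Effective, true, c)
	reread, err = Get()
	return local, reread, err
}

func main() {
	local, reread, err := RaiseLocally(capSysChroot)
	if err != nil {
		fmt.Println("capget failed:", err)
		return
	}
	fmt.Println("local copy  effective:", local.GetFlag(Effective, capSysChroot))
	fmt.Println("kernel view effective:", reread.GetFlag(Effective, capSysChroot))
	if !reread.GetFlag(Permitted, capSysChroot) {
		fmt.Println("CAP_SYS_CHROOT not permitted: capset would return EPERM, not attempting it")
		return
	}
	// The step missing from the question's code: push the copy into the kernel.
	if err := local.Apply(); err != nil {
		fmt.Println("capset failed:", err)
		return
	}
	after, _ := Get()
	fmt.Println("after capset effective:", after.GetFlag(Effective, capSysChroot))
}
```

The caveat this makes visible is that capset only ever keeps or lowers the permitted set: a process that starts without CAP_SYS_CHROOT in Permitted cannot give it to itself with any SetFlag/SetProc sequence. The bit has to arrive from file capabilities on the binary or from a privileged parent; only then can it be raised into Effective for the chroot call and cleared again afterwards, which is the minimal-exposure pattern the question's code is reaching for.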