From e59d293a6c43e2e60a1cc7fb92de0837c901551e Mon Sep 17 00:00:00 2001
From: Ryan Bottriell
Date: Fri, 21 Jun 2024 13:36:31 -0700
Subject: [PATCH] Require universal filesystem access for spfs-enter
On a modern 'fedora 40' linux distro, the enter process fails on any attempt to modify the runtime or create directories in the repository in my home directory. The error is EACCESS, which denotes that the process doesn't have search permission on one of the directories involved. The CAP_DAC_OVERRIDE privilege is needed in this configuraiton to allow the enter process (running as root) full access to the file system.
Signed-off-by: Ryan Bottriell
---
 Makefile.linux | 2 +-
 spfs.spec | 2 +-
 spk.spec | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.linux b/Makefile.linux
index 304554b028..d8dd836720 100644
--- a/Makefile.linux
+++ b/Makefile.linux
@@ -51,7 +51,7 @@ setcap:
 sudo setcap 'cap_net_admin+ep' '$(DESTDIR)$(bindir)/spfs-monitor'
 sudo setcap 'cap_chown,cap_fowner+ep' '$(DESTDIR)$(bindir)/spfs-render'
 sudo setcap 'cap_sys_chroot,cap_sys_admin+ep' '$(DESTDIR)$(bindir)/spfs-join'
- sudo setcap 'cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep' '$(DESTDIR)$(bindir)/spfs-enter'
+ sudo setcap 'cap_dac_override,cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep' '$(DESTDIR)$(bindir)/spfs-enter'
 sudo setcap 'cap_sys_admin+ep' '$(DESTDIR)$(bindir)/spfs-fuse'
 .PHONY: check-copyrights
diff --git a/spfs.spec b/spfs.spec
index 3295d04651..f568b6cf0a 100644
--- a/spfs.spec
+++ b/spfs.spec
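Review bot: Adding `cap_dac_override` to the `+ep` set of `spfs-enter` lets a binary that any local user can run skip every file permission check from its first instruction, and nothing on the changed line records why it is needed or how it is contained. The commit message attributes the EACCES to missing directory search permission, so it is worth checking whether the narrower `cap_dac_read_search` is enough, or whether the repository and runtime writes can be done under the invoking user's credentials. If the full override really is required, the program should presumably raise it only around those calls and clear it from the effective set before touching any user-influenced path; the spfs-enter source is not part of this patch, so that cannot be confirmed here. At minimum add a comment above the changed line, for example `# cap_dac_override: enter runs as uid 0 and gets EACCES reaching the repository under the user's home directory without it`. The same grant is made in the spfs.spec and spk.spec hunks.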
@@ -48,7 +48,7 @@ done
 %caps(cap_net_admin+ep) /usr/local/bin/spfs-monitor
 %caps(cap_chown,cap_fowner+ep) /usr/local/bin/spfs-render
 %caps(cap_sys_chroot,cap_sys_admin+ep) /usr/local/bin/spfs-join
-%caps(cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep) /usr/local/bin/spfs-enter
+%caps(cap_dac_override,cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep) /usr/local/bin/spfs-enter
 %caps(cap_sys_admin+ep) /usr/local/bin/spfs-fuse
 %post
diff --git a/spk.spec b/spk.spec
index ae08588b25..382f6e5e9d 100644
--- a/spk.spec
+++ b/spk.spec
@@ -58,7 +58,7 @@ mv %{buildroot}/usr/local/bin/spk %{buildroot}/usr/local/bin/spk-%{version}
 %caps(cap_net_admin+ep) /usr/local/bin/spfs-monitor
 %caps(cap_chown,cap_fowner+ep) /usr/local/bin/spfs-render
 %caps(cap_sys_chroot,cap_sys_admin+ep) /usr/local/bin/spfs-join
-%caps(cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep) /usr/local/bin/spfs-enter
+%caps(cap_dac_override,cap_setuid,cap_chown,cap_mknod,cap_sys_admin,cap_fowner+ep) /usr/local/bin/spfs-enter
 %caps(cap_sys_admin+ep) /usr/local/bin/spfs-fuse
 %post
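Review bot: The `%caps` list for `spfs-enter` is now maintained by hand in three places, the two spec hunks (spfs.spec and spk.spec) and the `setcap` recipe in Makefile.linux, and this commit had to edit all three identically. A later change that touches only one copy would leave RPM installs and `make setcap` installs with different privileges on the same binary, which is easy to miss in review. A comment above each list such as `# capability sets must match the setcap target in Makefile.linux and the other spec file` would help. A packaging check that compares the `getcap` output of the installed binaries against one expected list would catch drift.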