Displaying 2 results from an estimated 2 matches for "securebits".
2019 Dec 30
2
dovecot cannot drop privileges inside singularity container
Hi all,
I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container.
The dovecot version is 2.3.4.1 (configuration below), running on debian
buster, inside a container made with singularity version 3.4.2.
Unfortunately, when I try to start dovecot, it gives:
Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master:
2011 Jul 15
1
[PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm
...example:
capbset_drop=CAP_SYS_RAWIO
capbset_drop=CAP_SYS_RAWIO,CAP_NET_RAW
I'm thinking that this option would drop the listed capabilities from
the bounding set, as well as init's permitted, effective and inherited
masks.
I'd probably want to eventually also provide a way to set the
securebits (they seem to operate in the same way?), though for now I'd
rather tackle the capability masks directly.
So the question is, should this go in the kernel proper such that it
manipulates the init_cred structure, or should this be plumbed down in
kinit (in klibc, which we use for bootup)?