1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-20 14:03:39 +03:00

nspawn: Drop CAP_NET_BIND_SERVICE when in userns but not in netns

If we're in a user namespace but not unsharing the network namespace,
we won't be able to bind any privileged ports even with
CAP_NET_BIND_SERVICE, so let's drop it from the retained capabilities
so services can condition themselves on that.
This commit is contained in:
Daan De Meyer 2023-01-26 22:18:47 +01:00
parent 8f8d7dff54
commit 2642d22adc

View File

@ -1717,7 +1717,16 @@ static int parse_argv(int argc, char *argv[]) {
* --directory=". */ * --directory=". */
arg_directory = TAKE_PTR(arg_template); arg_directory = TAKE_PTR(arg_template);
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus; arg_caps_retain |= plus;
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
* indicate that. */
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
arg_caps_retain &= ~minus;
/* Make sure to parse environment before we reset the settings mask below */ /* Make sure to parse environment before we reset the settings mask below */
r = parse_environment(); r = parse_environment();