shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2024-10-26 08:55:18 +03:00
Code

nspawn: Drop CAP_NET_BIND_SERVICE when in userns but not in netns

Browse Source 
If we're in a user namespace but not unsharing the network namespace,
we won't be able to bind any privileged ports even with
CAP_NET_BIND_SERVICE, so let's drop it from the retained capabilities
so services can condition themselves on that.

(cherry picked from commit 2642d22adc)
This commit is contained in:
Daan De Meyer 2023-01-26 22:18:47 +01:00 committed by Luca Boccassi
parent ce56d12f01
commit 3a49291f4b
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/nspawn/nspawn.c
View File

@ -1716,7 +1716,16 @@ static int parse_argv(int argc, char *argv[]) {
* --directory=". */
arg_directory = TAKE_PTR(arg_template);
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
arg_caps_retain |= plus;
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
* indicate that. */
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
arg_caps_retain &= ~minus;
/* Make sure to parse environment before we reset the settings mask below */
r = parse_environment();