mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
nspawn: Drop CAP_NET_BIND_SERVICE when in userns but not in netns
If we're in a user namespace but not unsharing the network namespace, we won't be able to bind any privileged ports even with CAP_NET_BIND_SERVICE, so let's drop it from the retained capabilities so services can condition themselves on that. (cherry picked from commit2642d22adc
) (cherry picked from commit3a49291f4b
) (cherry picked from commit5037e0d27b
)
This commit is contained in:
parent
70dcc16bc2
commit
92bed29fdd
@ -1712,7 +1712,16 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
* --directory=". */
|
||||
arg_directory = TAKE_PTR(arg_template);
|
||||
|
||||
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
|
||||
arg_caps_retain |= plus;
|
||||
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
|
||||
|
||||
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
|
||||
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
|
||||
* indicate that. */
|
||||
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
|
||||
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
|
||||
|
||||
arg_caps_retain &= ~minus;
|
||||
|
||||
/* Make sure to parse environment before we reset the settings mask below */
|
||||
r = parse_environment();
|
||||
|
Loading…
Reference in New Issue
Block a user