
nspawn: Drop CAP_NET_BIND_SERVICE when in userns but not in netns

If we're in a user namespace but not unsharing the network namespace,
we won't be able to bind any privileged ports even with
CAP_NET_BIND_SERVICE, so let's drop it from the retained capabilities
so services can condition themselves on that.

(cherry picked from commit 2642d22adc)
(cherry picked from commit 3a49291f4b)
(cherry picked from commit 5037e0d27b)
Daan De Meyer 2023-01-26 22:18:47 +01:00 committed by Luca Boccassi
parent 70dcc16bc2
commit 92bed29fdd


@ -1712,7 +1712,16 @@ static int parse_argv(int argc, char *argv[]) {
* --directory=". */
arg_directory = TAKE_PTR(arg_template);
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
arg_caps_retain |= plus;
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
* indicate that. */
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
arg_caps_retain &= ~minus;
/* Make sure to parse environment before we reset the settings mask below */
r = parse_environment();
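Review bot: The new CAP_NET_BIND_SERVICE drop is decided inside parse_argv from command-line state only, yet the comment on the very next lines ("before we reset the settings mask below") shows that a settings file is merged later; if a .nspawn file can still flip the network or user-namespace choice after this point, the retained-capability set computed here will be stale in both directions (cap kept when the container later ends up in a userns without a netns, or dropped when the settings file later enables a private network). Unless the later settings merge recomputes this, the check should run once the final values of arg_private_network and arg_userns_mode are known, e.g. right after the settings are applied, not here. A second, smaller point: because the mask is cleared after `arg_caps_retain |= plus`, an explicit `--capability=CAP_NET_BIND_SERVICE` is overridden silently; a `log_debug("Dropping CAP_NET_BIND_SERVICE: user namespace without a private network namespace cannot bind privileged ports.");` next to the `&= ~` would make that visible. The `arg_uid_shift > 0` clause also exempts a zero-shift user namespace; whether that mode still unshares the user namespace (in which case the capability would be equally ineffective) is not visible in this hunk and is worth confirming. parse_argv begins well before this hunk, so the surrounding option handling is out of view.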