shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
Code

nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking

Browse Source 
Fixes: #11755
This commit is contained in:
Lennart Poettering 2019-03-15 15:31:44 +01:00
parent 3d6c367510
commit a3fc6b55ac
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/nspawn/nspawn.c
View File

@ -3648,14 +3648,20 @@ static int merge_settings(Settings *settings, const char *path) {
} }
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) { if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
uint64_t plus; uint64_t plus, minus;
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
* Settings structure */ * Settings structure */
plus = settings->capability; plus = settings->capability;
if (settings_private_network(settings)) minus = settings->drop_capability;
plus |= UINT64_C(1) << CAP_NET_ADMIN;
if ((arg_settings_mask & SETTING_NETWORK) == 0) {
if (settings_private_network(settings))
plus |= UINT64_C(1) << CAP_NET_ADMIN;
else
minus |= UINT64_C(1) << CAP_NET_ADMIN;
}
if (!arg_settings_trusted && plus != 0) { if (!arg_settings_trusted && plus != 0) {
if (settings->capability != 0) if (settings->capability != 0)
@ -3663,7 +3669,7 @@ static int merge_settings(Settings *settings, const char *path) {
} else } else
arg_caps_retain |= plus; arg_caps_retain |= plus;
arg_caps_retain &= ~settings->drop_capability; arg_caps_retain &= ~minus;
/* Copy the full capabilities over too */ /* Copy the full capabilities over too */
if (capability_quintet_is_set(&settings->full_capabilities)) { if (capability_quintet_is_set(&settings->full_capabilities)) {