nspawn: rework how we determine private networking settings

Make sure we acquire CAP_NET_ADMIN if we require virtual networking. Make sure we imply virtual ethernet correctly when bridge is request. Fixes: #1511 Fixes: #1554 Fixes: #1590
2024-11-01 17:51:22 +03:00 · 2015-10-22 00:59:18 +02:00 · 2015-10-22 00:59:18 +02:00 · 0e2656744f
commit 0e2656744f
parent a2c90f05f1
3 changed files with 36 additions and 8 deletions
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@ -85,6 +85,26 @@ Settings* settings_free(Settings *s) {
        return NULL;
 }

+bool settings_private_network(Settings *s) {
+        assert(s);
+
+        return
+                s->private_network > 0 ||
+                s->network_veth > 0 ||
+                s->network_bridge ||
+                s->network_interfaces ||
+                s->network_macvlan ||
+                s->network_ipvlan;
+}
+
+bool settings_network_veth(Settings *s) {
+        assert(s);
+
+        return
+                s->network_veth > 0 ||
+                s->network_bridge;
+}
+
 DEFINE_CONFIG_PARSE_ENUM(config_parse_volatile_mode, volatile_mode, VolatileMode, "Failed to parse volatile mode");

 int config_parse_expose_port(
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@ -75,6 +75,9 @@ typedef struct Settings {
 int settings_load(FILE *f, const char *path, Settings **ret);
 Settings* settings_free(Settings *s);

+bool settings_network_veth(Settings *s);
+bool settings_private_network(Settings *s);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);

 const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, unsigned length);
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2912,11 +2912,17 @@ static int load_settings(void) {
        }

        if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
+                uint64_t plus;

-                if (!arg_settings_trusted && settings->capability != 0)
-                        log_warning("Ignoring Capability= setting, file %s is not trusted.", p);
-                else
-                        arg_retain |= settings->capability;
+                plus = settings->capability;
+                if (settings_private_network(settings))
+                        plus |= (1ULL << CAP_NET_ADMIN);
+
+                if (!arg_settings_trusted && plus != 0) {
+                        if (settings->capability != 0)
+                                log_warning("Ignoring Capability= setting, file %s is not trusted.", p);
+                } else
+                        arg_retain |= plus;

                arg_retain &= ~settings->drop_capability;
        }
@ -2972,6 +2978,9 @@ static int load_settings(void) {
                if (!arg_settings_trusted)
                        log_warning("Ignoring network settings, file %s is not trusted.", p);
                else {
+                        arg_network_veth = settings_private_network(settings);
+                        arg_private_network = settings_private_network(settings);
+
                        strv_free(arg_network_interfaces);
                        arg_network_interfaces = settings->network_interfaces;
                        settings->network_interfaces = NULL;
@ -2987,10 +2996,6 @@ static int load_settings(void) {
                        free(arg_network_bridge);
                        arg_network_bridge = settings->network_bridge;
                        settings->network_bridge = NULL;
-
-                        arg_network_veth = settings->network_veth > 0 || settings->network_bridge;
-
-                        arg_private_network = true; /* all these settings imply private networking */
                }
        }