
Merge pull request #26228 from DaanDeMeyer/resolve-cap

resolve: Skip stubs if running in a container with userns but without network namespace
This commit is contained in:
Lennart Poettering 2023-01-27 10:03:17 +01:00 committed by GitHub
commit 745de3506a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 1 deletions


@ -1717,7 +1717,16 @@ static int parse_argv(int argc, char *argv[]) {
* --directory=". */
arg_directory = TAKE_PTR(arg_template);
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
arg_caps_retain |= plus;
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
* indicate that. */
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
arg_caps_retain &= ~minus;
/* Make sure to parse environment before we reset the settings mask below */
r = parse_environment();
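Review bot: The new CAP_NET_BIND_SERVICE drop in the first file's hunk silently overrides a capability the operator may have asked for explicitly, because `plus` is OR-ed in just above and the new `&= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE)` runs after it with no trace in the logs; the effective retained set then differs from what the command line says without any indication why. Turning the `if` body into a braced block and adding `log_debug("Unsharing user namespace but not network namespace, dropping CAP_NET_BIND_SERVICE from retained capabilities.");` before the mask update would make the downgrade visible when debugging a container that cannot bind privileged ports. The `arg_uid_shift > 0` clause also appears to assume the shift is already settled at argument-parsing time; if it can still be chosen later for some user-namespace modes, a one-line comment stating why the check is valid here would help. parse_argv begins and ends outside the hunk.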


@ -3,6 +3,7 @@
#include <net/if_arp.h>
#include <netinet/tcp.h>
#include "capability-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "missing_network.h"
@ -1237,6 +1238,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
if (*event_source)
return sd_event_source_get_io_fd(*event_source);
if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
dns_stub_listener_extra_port(l));
return 0;
}
if (l->family == AF_INET)
sa = (union sockaddr_union) {
.in.sin_family = l->family,
@ -1332,6 +1339,8 @@ int manager_dns_stub_start(Manager *m) {
if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
log_debug("Not creating stub listener.");
else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
else {
static const struct {
uint32_t addr;