Merge pull request #26228 from DaanDeMeyer/resolve-cap
resolve: Skip stubs if running in a container with userns but without network namespace
commit
745de3506a
@ -1717,7 +1717,16 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
* --directory=". */
|
||||
arg_directory = TAKE_PTR(arg_template);
|
||||
|
||||
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
|
||||
arg_caps_retain |= plus;
|
||||
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
|
||||
|
||||
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
|
||||
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
|
||||
* indicate that. */
|
||||
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
|
||||
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
|
||||
|
||||
arg_caps_retain &= ~minus;
|
||||
|
||||
/* Make sure to parse environment before we reset the settings mask below */
|
||||
r = parse_environment();
|
||||
|
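Review bot: The new drop `arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);` runs after `arg_caps_retain |= plus;`, so a capability the user explicitly requested via --capability= is removed again with no diagnostic, which makes the resulting container hard to debug. Inside the new `if` a line such as `if (plus & (UINT64_C(1) << CAP_NET_BIND_SERVICE)) log_warning("Dropping explicitly requested CAP_NET_BIND_SERVICE: user namespace is unshared but the network namespace is not.");` would make the override visible. The condition also reads `arg_private_network`, `arg_userns_mode` and `arg_uid_shift` at argv-parse time; if any of these can still be changed afterwards by a settings file (not visible in this hunk), the decision is taken on provisional values and should be re-evaluated where the final values are known. parse_argv starts and ends outside the hunk.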
@ -3,6 +3,7 @@
|
||||
#include <net/if_arp.h>
|
||||
#include <netinet/tcp.h>
|
||||
|
||||
#include "capability-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "missing_network.h"
|
||||
@ -1237,6 +1238,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
|
||||
if (*event_source)
|
||||
return sd_event_source_get_io_fd(*event_source);
|
||||
|
||||
if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
|
||||
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
|
||||
dns_stub_listener_extra_port(l));
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (l->family == AF_INET)
|
||||
sa = (union sockaddr_union) {
|
||||
.in.sin_family = l->family,
|
||||
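Review bot: The `dns_stub_listener_extra_port(l) < 1024` test at the top of the hunk hard-codes the privileged-port boundary, but on Linux that boundary is the `net.ipv4.ip_unprivileged_port_start` sysctl and may have been lowered by the administrator, so this pre-check can refuse an extra listener that bind() would have accepted; the bind() result should remain the authoritative signal, with this check used only to turn an expected EACCES into the friendlier warning, and the literal 1024 should at least become a named constant. Separately, if have_effective_cap() reports failure with a negative value (its contract is not visible here), `!have_effective_cap(CAP_NET_BIND_SERVICE)` treats that failure as "capability present" and falls through to the socket setup; storing the result and handling `< 0` explicitly would avoid that, and the same applies to the `else if (!have_effective_cap(CAP_NET_BIND_SERVICE))` branch in the following hunk. manager_dns_stub_fd_extra starts and ends outside the hunk.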
@ -1332,6 +1339,8 @@ int manager_dns_stub_start(Manager *m) {
|
||||
|
||||
if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
|
||||
log_debug("Not creating stub listener.");
|
||||
else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
|
||||
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
|
||||
else {
|
||||
static const struct {
|
||||
uint32_t addr;
|
||||
|