Merge pull request #26228 from DaanDeMeyer/resolve-cap
resolve: Skip stubs if running in a container with userns but without network namespace
commit
745de3506a
@ -1717,7 +1717,16 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
* --directory=". */
|
* --directory=". */
|
||||||
arg_directory = TAKE_PTR(arg_template);
|
arg_directory = TAKE_PTR(arg_template);
|
||||||
|
|
||||||
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0)) & ~minus;
|
arg_caps_retain |= plus;
|
||||||
|
arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
|
||||||
|
|
||||||
|
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
|
||||||
|
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
|
||||||
|
* indicate that. */
|
||||||
|
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
|
||||||
|
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
|
||||||
|
|
||||||
|
arg_caps_retain &= ~minus;
|
||||||
|
|
||||||
/* Make sure to parse environment before we reset the settings mask below */
|
/* Make sure to parse environment before we reset the settings mask below */
|
||||||
r = parse_environment();
|
r = parse_environment();
|
||||||
|
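Review bot: A capability the caller explicitly asked for via `plus` (e.g. `--capability=CAP_NET_BIND_SERVICE`) is now silently cleared by the new `arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);` line, which makes the missing privilege hard to diagnose from outside the container; I would log when the bit was actually set before clearing it, keeping `~minus` applied last as the hunk already does. The comment's "we won't have permissions to bind ports" could be sharper: the capability is held in the container's user namespace, which does not own the shared network namespace, so it is ineffective for privileged ports there. If `arg_uid_shift` can still be adjusted after parse_argv() (the `--private-users` pick/owner modes come to mind), the `arg_uid_shift > 0` test runs before the final value is known — worth confirming. parse_argv() starts before the hunk, and the file name is not shown on this page.
```c
if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0) {
        /* The capability is held in the container's user namespace, which does not own the
         * shared network namespace, so it cannot grant privileged ports there. */
        if (FLAGS_SET(plus, UINT64_C(1) << CAP_NET_BIND_SERVICE))
                log_notice("CAP_NET_BIND_SERVICE was requested but is ineffective without a private network namespace inside a user namespace, dropping it.");
        arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
}

arg_caps_retain &= ~minus;
```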
@ -3,6 +3,7 @@
|
|||||||
#include <net/if_arp.h>
|
#include <net/if_arp.h>
|
||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
|
|
||||||
|
#include "capability-util.h"
|
||||||
#include "errno-util.h"
|
#include "errno-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "missing_network.h"
|
#include "missing_network.h"
|
||||||
@ -1237,6 +1238,12 @@ static int manager_dns_stub_fd_extra(Manager *m, DnsStubListenerExtra *l, int ty
|
|||||||
if (*event_source)
|
if (*event_source)
|
||||||
return sd_event_source_get_io_fd(*event_source);
|
return sd_event_source_get_io_fd(*event_source);
|
||||||
|
|
||||||
|
if (!have_effective_cap(CAP_NET_BIND_SERVICE) && dns_stub_listener_extra_port(l) < 1024) {
|
||||||
|
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating extra stub listener on port %hu.",
|
||||||
|
dns_stub_listener_extra_port(l));
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (l->family == AF_INET)
|
if (l->family == AF_INET)
|
||||||
sa = (union sockaddr_union) {
|
sa = (union sockaddr_union) {
|
||||||
.in.sin_family = l->family,
|
.in.sin_family = l->family,
|
||||||
@ -1332,6 +1339,8 @@ int manager_dns_stub_start(Manager *m) {
|
|||||||
|
|
||||||
if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
|
if (m->dns_stub_listener_mode == DNS_STUB_LISTENER_NO)
|
||||||
log_debug("Not creating stub listener.");
|
log_debug("Not creating stub listener.");
|
||||||
|
else if (!have_effective_cap(CAP_NET_BIND_SERVICE))
|
||||||
|
log_warning("Missing CAP_NET_BIND_SERVICE capability, not creating stub listener on port 53.");
|
||||||
else {
|
else {
|
||||||
static const struct {
|
static const struct {
|
||||||
uint32_t addr;
|
uint32_t addr;
|
||||||
|
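Review bot: Both new `!have_effective_cap(CAP_NET_BIND_SERVICE)` checks (the extra-listener one in manager_dns_stub_fd_extra() and the port-53 one in manager_dns_stub_start()) treat a negative return from have_effective_cap() as "capability present", if that helper reports lookup failures as a negative errno the way the rest of capability-util does; the process then goes on to attempt the privileged bind and fails with a less specific error. Either test `have_effective_cap(CAP_NET_BIND_SERVICE) <= 0` or, better, keep the result in `r` and give a failed lookup its own `log_warning_errno(r, ...)` line so it is not confused with a missing capability. The `< 1024` threshold on the extra-listener path is the kernel default for `net.ipv4.ip_unprivileged_port_start`; on a host that lowered it, the warning would skip a listener that could have been bound, so a one-line comment naming that assumption would help (`/* 1024 is the kernel's default unprivileged-port boundary (ip_unprivileged_port_start) */`). Both enclosing functions start before their hunks, and the file name is not shown on this page.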