Only do CAP_NET_ADMIN capability check when running as root

If we're not running as root, bubblewrap will unshare a user namespace
in which it gets a full set of capabilities, even if the user on the
host doesn't have them, so let's only do the CAP_NET_ADMIN check if
we're running as root.

diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index a89b53457792fe91b720a9c7abf6a505797a4180..35bd1f42ca2f3f0c0f5b3c24e7cefd82efafe7e9 100644 (file)
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -142,7 +142,11 @@ def sandbox_cmd(
 
     cmdline += [
         "bwrap",
-        *(["--unshare-net"] if not network and have_effective_cap(Capability.CAP_NET_ADMIN) else []),
+        *(
+            ["--unshare-net"]
+            if not network and (os.getuid() != 0 or have_effective_cap(Capability.CAP_NET_ADMIN))
+            else []
+        ),
         "--die-with-parent",
         "--proc", "/proc",
         "--setenv", "SYSTEMD_OFFLINE", one_zero(network),