Only do CAP_NET_ADMIN capability check when running as root
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 25 Mar 2024 10:24:04 +0000 (11:24 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 25 Mar 2024 10:50:58 +0000 (11:50 +0100)
If we're not running as root, bubblewrap will unshare a user namespace
in which it gets a full set of capabilities, even if the user on the
host doesn't have them, so let's only do the CAP_NET_ADMIN check if
we're running as root.

mkosi/sandbox.py

index a89b53457792fe91b720a9c7abf6a505797a4180..35bd1f42ca2f3f0c0f5b3c24e7cefd82efafe7e9 100644 (file)
@@ -142,7 +142,11 @@ def sandbox_cmd(
 
     cmdline += [
         "bwrap",
-        *(["--unshare-net"] if not network and have_effective_cap(Capability.CAP_NET_ADMIN) else []),
+        *(
+            ["--unshare-net"]
+            if not network and (os.getuid() != 0 or have_effective_cap(Capability.CAP_NET_ADMIN))
+            else []
+        ),
         "--die-with-parent",
         "--proc", "/proc",
         "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
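Review bot: The reason for the `os.getuid() != 0` short-circuit at the start of the new condition lives only in the commit message; the code itself reads as if non-root callers are simply trusted to have CAP_NET_ADMIN, so a comment above the splat should carry the rationale, e.g. `# Unprivileged bwrap unshares a user namespace and holds CAP_NET_ADMIN there regardless of the host's capability set, so only consult have_effective_cap() when we run as root.` Note also that the check uses the real uid while have_effective_cap() inspects the effective capability set; for a process with uid 0 but a reduced effective set (e.g. root inside a user namespace) this still falls back to the capability probe, which looks right, but in the reverse case (real uid 0, effective uid non-zero) bwrap's own user-namespace decision is based on its real uid as well, so the two should stay in agreement — worth a one-line confirmation in the comment if that is intended. When the probe fails as root the sandbox silently keeps host networking; if the surrounding code does not already log that outcome, a debug-level message would make the weaker sandbox visible. sandbox_cmd's body begins and ends outside the hunk.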