Only unshare network namespace if we have CAP_NET_ADMIN

diff --git a/mkosi/run.py b/mkosi/run.py
index 431fb70419ad1ffa71125c01b524d30784b0d81e..b5ee447484295759d515d42d8d15f9d07e42cd7d 100644 (file)
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -247,6 +247,18 @@ def spawn(
         raise e
 
 
+def have_effective_cap(capability: str) -> bool:
+    for line in Path("/proc/self/status").read_text().splitlines():
+        if line.startswith("CapEff:"):
+            hexcap = line.removeprefix("CapEff:").strip()
+            break
+    else:
+        logging.warning(f"\"CapEff:\" not found in /proc/self/status, assuming we don't have {capability}")
+        return False
+
+    return capability.lower() in run(["capsh", f"--decode=0x{hexcap}"], stdout=subprocess.PIPE).stdout
+
+
 def bwrap(
     cmd: Sequence[PathString],
     *,
@@ -273,7 +285,7 @@ def bwrap(
         "--unshare-pid",
         "--unshare-ipc",
         "--unshare-cgroup",
-        *(["--unshare-net"] if not network else []),
+        *(["--unshare-net"] if not network and have_effective_cap("CAP_NET_ADMIN") else []),
         "--die-with-parent",
         "--proc", "/proc",
         "--dev", "/dev",