From: DaanDeMeyer Date: Tue, 26 Aug 2025 10:35:58 +0000 (+0200) Subject: nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping X-Git-Tag: v258-rc4~7^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=945e1fd37b66ae3b1732b8fbcc247050c5141b85;p=thirdparty%2Fsystemd.git nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping Even if there's no uid shift, we still won't be able to bind to privileged ports in the host network namespace, so drop the capability regardless of whether we have a uid shift or not. --- diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 1142bc57458..ab8746c442b 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -5950,7 +5950,7 @@ static int run(int argc, char *argv[]) { /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to * indicate that. */ - if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0) + if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO) arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE); r = verify_arguments();
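Review bot: The comment above the changed condition in run() does not record why the `arg_uid_shift > 0` test is gone; the rationale (that even with an identity mapping the payload cannot bind privileged ports in the host network namespace) appears only in the commit message. I suggest extending the comment with one sentence saying that this holds regardless of whether there is a UID shift, so the check is not narrowed again later. A second, smaller point: `arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE)` clears the bit silently, and the condition now matches more configurations than before. A debug-level log message at this point would help anyone diagnosing why a service in the container fails to bind a low port when `arg_private_network` is off and a user namespace is in use.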