From: Daan De Meyer Date: Mon, 25 Mar 2024 10:24:04 +0000 (+0100) Subject: Only do CAP_NET_ADMIN capability check when running as root X-Git-Tag: v23~65^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9e0a3d5b8f87383ccbe55751f9c098d82c348dd;p=thirdparty%2Fmkosi.git Only do CAP_NET_ADMIN capability check when running as root If we're not running as root, bubblewrap will unshare a user namespace in which it gets a full set of capabilities, even if the user on the host doesn't have them, so let's only do the CAP_NET_ADMIN check if we're running as root.
---
diff --git a/mkosi/sandbox.py b/mkosi/sandbox.py
index a89b53457..35bd1f42c 100644
--- a/mkosi/sandbox.py
+++ b/mkosi/sandbox.py
@@ -142,7 +142,11 @@ def sandbox_cmd(
 cmdline += [
 "bwrap",
- *(["--unshare-net"] if not network and have_effective_cap(Capability.CAP_NET_ADMIN) else []),
+ *(
+ ["--unshare-net"]
+ if not network and (os.getuid() != 0 or have_effective_cap(Capability.CAP_NET_ADMIN))
+ else []
+ ),
 "--die-with-parent",
 "--proc", "/proc",
 "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
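Review bot: The new `if not network and (os.getuid() != 0 or ...)` line tests the real uid, while the capability state it stands in for follows the effective uid; if mkosi can ever run with euid 0 but a non-zero real uid (a setuid path), the two disagree and the host capability check would be skipped, so `os.geteuid() != 0` looks like the safer test unless the real uid is deliberately what is meant, and the hunk does not show whether `os` is already imported in sandbox.py. The rationale from the commit message is not visible in the code; a comment above the expression, `# Unprivileged bwrap gets a full capability set in its own user namespace, so the host capability check only matters when running as root.`, would spare the next reader a git blame. Independently of this change, when running as root without CAP_NET_ADMIN the sandbox silently keeps host network access even though `network` is false; a debug-level log at that point would make the degraded isolation visible. sandbox_cmd starts before the hunk and continues after it.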