From: Daan De Meyer
Date: Thu, 10 Aug 2023 10:47:13 +0000 (+0200)
Subject: Only unshare network namespace if we have CAP_NET_ADMIN
X-Git-Tag: v15.1~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1779%2Fhead;p=thirdparty%2Fmkosi.git

Only unshare network namespace if we have CAP_NET_ADMIN
---

diff --git a/mkosi/run.py b/mkosi/run.py
index 431fb7041..b5ee44748 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -247,6 +247,18 @@ def spawn(
 raise e
 
 
+def have_effective_cap(capability: str) -> bool:
+ for line in Path("/proc/self/status").read_text().splitlines():
+ if line.startswith("CapEff:"):
+ hexcap = line.removeprefix("CapEff:").strip()
+ break
+ else:
+ logging.warning(f"\"CapEff:\" not found in /proc/self/status, assuming we don't have {capability}")
+ return False
+
+ return capability.lower() in run(["capsh", f"--decode=0x{hexcap}"], stdout=subprocess.PIPE).stdout
+
+
 def bwrap(
 cmd: Sequence[PathString],
 *,
@@ -273,7 +285,7 @@ def bwrap(
 "--unshare-pid",
 "--unshare-ipc",
 "--unshare-cgroup",
- *(["--unshare-net"] if not network else []),
+ *(["--unshare-net"] if not network and have_effective_cap("CAP_NET_ADMIN") else []),
 "--die-with-parent",
 "--proc", "/proc",
 "--dev", "/dev",
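Review bot: The last line of have_effective_cap() decides a sandbox property by spawning `capsh --decode` and substring-matching its text output, which adds an external tool dependency and ties the result to capsh's output format, although the kernel already provides the value as a bitmask. The mask held in `hexcap` can be tested directly, for example `return bool(int(hexcap, 16) & (1 << CAP_BITS[capability]))` with a small name-to-bit table (CAP_NET_ADMIN is bit 12 in linux/capability.h). What run() does when capsh is not installed is not visible in this hunk; if it aborts, every bwrap() call on such a host would fail instead of falling back. The function also has no docstring; one line saying that it reads `CapEff` from /proc/self/status and returns False when the field is absent would be enough.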
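Review bot: When `network` is false and CAP_NET_ADMIN is missing, the changed `--unshare-net` line drops the flag without any message, so the command runs in the caller's network namespace even though isolation was requested. That is a fail-open on an isolation control and should at least be visible in the logs: compute `unshare_net = not network and have_effective_cap("CAP_NET_ADMIN")` before building the list and, when `not network and not unshare_net`, emit `logging.warning("CAP_NET_ADMIN not available, not unsharing the network namespace")`. The check also runs on every bwrap() call and spawns a process each time, so caching its result is probably worthwhile. bwrap's body starts and ends outside this hunk, so callers that rely on `network=False` as a guarantee could not be checked here.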