From 945e1fd37b66ae3b1732b8fbcc247050c5141b85 Mon Sep 17 00:00:00 2001
From: DaanDeMeyer
Date: Tue, 26 Aug 2025 12:35:58 +0200
Subject: [PATCH] nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping
Even if there's no uid shift, we still won't be able to bind to privileged ports in the host network namespace, so drop the capability regardless of whether we have a uid shift or not.
---
src/nspawn/nspawn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1142bc57458..ab8746c442b 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5950,7 +5950,7 @@ static int run(int argc, char *argv[]) {
 /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
 * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
 * indicate that. */
- if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+ if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
 arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
 r = verify_arguments();
-- 2.47.3
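Review bot: The comment above the changed condition still only states the generic "unsharing the user namespace" rationale and does not record why the `arg_uid_shift > 0` guard was dropped, so a reader later seeing an identity-mapped container lose CAP_NET_BIND_SERVICE has to dig through history to find the reason given in the commit message. Suggest extending the block comment with a line such as `* This holds even with an identity (1:1) uid mapping, since capabilities held in the container's user namespace are not effective in the host's network namespace.` so the code is self-explanatory. It would also be worth a sentence noting that the capability is dropped from `arg_caps_retain` purely to signal the limitation to the payload, not as a security boundary, which the existing text only implies. The enclosing run() starts and ends outside the hunk.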