Even if there's no uid shift, we still won't be able to bind to privileged
ports in the host network namespace, so drop the capability regardless of
whether we have a uid shift or not.
(cherry picked from commit 945e1fd37b66ae3b1732b8fbcc247050c5141b85)
/* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
* permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
* indicate that. */
- if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+ if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
r = cg_unified(); /* initialize cache early */
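Review bot: The comment above the changed `if` no longer lines up with the rationale in the commit message. It says we won't have permissions to bind ports "in the container", while the message gives the reason as privileged ports in the host network namespace being unbindable whether or not there is a uid shift. Consider rewording the comment to say "privileged ports in the host network namespace" and to state that this holds regardless of the uid shift, so that the `arg_uid_shift > 0` test is not reintroduced later. Separately, the mask on `arg_caps_retain` is applied silently. If the CAP_NET_BIND_SERVICE bit was set before this line, a debug-level log message noting that it is being dropped would make the resulting bind failures easier to diagnose.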