From: Lennart Poettering Date: Tue, 9 Nov 2021 17:27:40 +0000 (+0100) Subject: nspawn: don't muck with caps if no network setting is used in settings file X-Git-Tag: v250-rc1~321^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F21283%2Fhead;p=thirdparty%2Fsystemd.git nspawn: don't muck with caps if no network setting is used in settings file Our goal here (as in the previous commits) is to ensure that a settings file loaded in --settings=override mode is truly a NOP. Previously this was not the case as we'd drop CAP_NET_ADMIN from the caps if the settings file didn't enable networking. With this change we'll drop it only if explicitly turned off in the settings file, and otherwise let the built-in defaults and cmdline params reign supreme as documented. Fixes: #20055 --- diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 9adc166aa9c..66daeb4f649 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -4337,7 +4337,8 @@ static int merge_settings(Settings *settings, const char *path) { plus = settings->capability; minus = settings->drop_capability; - if ((arg_settings_mask & SETTING_NETWORK) == 0) { + if ((arg_settings_mask & SETTING_NETWORK) == 0 && + settings_network_configured(settings)) { if (settings_private_network(settings)) plus |= UINT64_C(1) << CAP_NET_ADMIN; else
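Review bot: the added `settings_network_configured(settings)` clause in the `merge_settings()` hunk is the entire fix, yet its definition is not in this diff, so the reader cannot confirm what "configured" means; for the commit message to hold ("drop it only if explicitly turned off in the settings file"), that helper must return true only when the settings file actually carries a network key, not when `settings_private_network(settings)` merely evaluates to a built-in default, otherwise a file with no network section still falls through to the `else` branch that follows and loses CAP_NET_ADMIN, the exact behaviour this change is meant to remove. Since the two halves of the condition read alike, a one-line comment above the `if` would help, e.g. "mask bit clear: settings file may control networking; second clause: it actually does", and the truncated `else` branch should be reviewed together with this guard to confirm it is now reached only on an explicit opt-out. The `&&` continuation is indented consistently with the surrounding style.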