From 23371e3b3a8fcd0b048fd2b4b58b98f10526613c Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 10 Aug 2023 12:47:13 +0200
Subject: [PATCH] Only unshare network namespace if we have CAP_NET_ADMIN

---
 mkosi/run.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/mkosi/run.py b/mkosi/run.py
index 431fb7041..b5ee44748 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -247,6 +247,18 @@ def spawn(
 raise e


+def have_effective_cap(capability: str) -> bool:
+ for line in Path("/proc/self/status").read_text().splitlines():
+ if line.startswith("CapEff:"):
+ hexcap = line.removeprefix("CapEff:").strip()
+ break
+ else:
+ logging.warning(f"\"CapEff:\" not found in /proc/self/status, assuming we don't have {capability}")
+ return False
+
+ return capability.lower() in run(["capsh", f"--decode=0x{hexcap}"], stdout=subprocess.PIPE).stdout
+
+
 def bwrap(
 cmd: Sequence[PathString],
 *,
@@ -273,7 +285,7 @@ def bwrap(
 "--unshare-pid",
 "--unshare-ipc",
 "--unshare-cgroup",
- *(["--unshare-net"] if not network else []),
+ *(["--unshare-net"] if not network and have_effective_cap("CAP_NET_ADMIN") else []),
 "--die-with-parent",
 "--proc", "/proc",
 "--dev", "/dev",
-- 
2.47.2
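Review bot: The final `return` in `have_effective_cap` does a substring search over the whole `capsh --decode` output, so any string that happens to occur in that text (a partial name, or part of the echoed hex value) counts as a held capability. Matching against the decoded list is stricter: `names = out.partition("=")[2].strip().split(",")` followed by `return capability.lower() in names`, assuming the usual `0x…=cap_a,cap_b` output form. The probe also depends on the external `capsh` binary; how `run()` behaves when it is missing is not visible here, but a failed probe should probably fall back to `False` with a warning, as the missing-`CapEff:` branch already does. A one-line docstring saying the function reads `CapEff` from `/proc/self/status` and decodes it with `capsh` would help the next reader.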
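Review bot: With `network=False` and no CAP_NET_ADMIN, the changed argument line now drops `--unshare-net` without saying so, and the sandboxed command runs in the caller's network namespace even though the caller asked for isolation. That is a fail-open downgrade of the sandbox and should at least be visible, e.g. `logging.warning("CAP_NET_ADMIN not available, not unsharing the network namespace; sandboxed commands keep network access")` before the argument list is built. `have_effective_cap` is also evaluated on every `bwrap()` call, which spawns `capsh` each time; computing the result once would avoid that. The body of `bwrap` starts and ends outside this hunk, so whether a later step compensates for the missing network namespace cannot be judged from here.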