author | Torsten Hilbrich <torsten.hilbrich@secunet.com> | 2019-11-12 08:36:06 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2019-11-15 10:13:51 +0100 |
commit | 7be830c6e8cd3852e3468203812445115f5ea183 (patch) | |
tree | 1cf4abae7ed2bdbd55909ac6329c5c35ce613bb8 | |
parent | 7edd8fb198f3e8a95677df8a8f5016ed40dcff54 (diff) | |
download | systemd-7be830c6e8cd3852e3468203812445115f5ea183.tar.gz systemd-7be830c6e8cd3852e3468203812445115f5ea183.tar.bz2 systemd-7be830c6e8cd3852e3468203812445115f5ea183.zip |
nspawn: Allow Capability= to overrule private network setting
The commit:
a3fc6b55ac nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking
turned off the CAP_NET_ADMIN capability whenever no private networking
feature was enabled. This broke configurations where the CAP_NET_ADMIN
capability was explicitly requested in the configuration.
Changing the order of evaluation here to allow the Capability= setting
to overrule this implicit setting:
Order of evaluation:
1. if no private network setting is enabled, CAP_NET_ADMIN is removed
2. if a private network setting is enabled, CAP_NET_ADMIN is added
3. the settings of Capability= are added
4. the settings of DropCapability= are removed
This allows the fix for #11755 to be retained and to still allow the
admin to specify CAP_NET_ADMIN as additional capability.
Fixes: a3fc6b55acd3f37e50915304d87bed100efa9d9d
Fixes: #13995
-rw-r--r-- | src/nspawn/nspawn.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index ea781e2b38..6286a28f1d 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3770,6 +3770,7 @@ static int merge_settings(Settings *settings, const char *path) {
 if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
 uint64_t plus, minus;
+ uint64_t network_minus = 0;
 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
 * Settings structure */
@@ -3781,14 +3782,16 @@ static int merge_settings(Settings *settings, const char *path) {
 if (settings_private_network(settings))
 plus |= UINT64_C(1) << CAP_NET_ADMIN;
 else
- minus |= UINT64_C(1) << CAP_NET_ADMIN;
+ network_minus |= UINT64_C(1) << CAP_NET_ADMIN;
 }
 if (!arg_settings_trusted && plus != 0) {
 if (settings->capability != 0)
 log_warning("Ignoring Capability= setting, file %s is not trusted.", path);
- } else
+ } else {
+ arg_caps_retain &= ~network_minus;
 arg_caps_retain |= plus;
+ }
 arg_caps_retain &= ~minus; |
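Review bot: In the second hunk the implicit CAP_NET_ADMIN drop is applied only inside the new `else { ... }` branch, so it is skipped whenever the `!arg_settings_trusted && plus != 0` branch is taken; before this change the bit lived in `minus` and was cleared unconditionally by `arg_caps_retain &= ~minus;`. For an untrusted settings file with a non-empty Capability= and no private networking, neither `plus` nor `network_minus` is applied, so CAP_NET_ADMIN would stay in `arg_caps_retain` if it was already set there (whether it can be set at this point depends on code outside the hunk). Clearing bits never widens the container's capability set, so `arg_caps_retain &= ~network_minus;` could move to just before `if (!arg_settings_trusted && plus != 0) {`, which keeps the order from the commit message (implicit drop, then Capability=, then DropCapability=) on both the trusted and untrusted paths. A one-line comment there such as `/* implicit network drop comes first so a trusted Capability= can re-add CAP_NET_ADMIN */` would record why the order matters; merge_settings() starts and ends outside both hunks.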