summaryrefslogtreecommitdiffstats
path: root/src/nspawn
diff options
context:
space:
mode:
authorTorsten Hilbrich <torsten.hilbrich@secunet.com>2019-11-12 08:36:06 +0100
committerLennart Poettering <lennart@poettering.net>2019-11-15 10:13:51 +0100
commit7be830c6e8cd3852e3468203812445115f5ea183 (patch)
tree1cf4abae7ed2bdbd55909ac6329c5c35ce613bb8 /src/nspawn
parentcore: do not propagate polkit error to caller (diff)
downloadsystemd-7be830c6e8cd3852e3468203812445115f5ea183.tar.xz
systemd-7be830c6e8cd3852e3468203812445115f5ea183.zip
nspawn: Allow Capability= to overrule private network setting
The commit: a3fc6b55ac nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking turned off the CAP_NET_ADMIN capability whenever no private networking feature was enabled. This broke configurations where the CAP_NET_ADMIN capability was explicitly requested in the configuration. Changing the order of evalution here to allow the Capability= setting to overrule this implicit setting: Order of evaluation: 1. if no private network setting is enabled, CAP_NET_ADMIN is removed 2. if a private network setting is enabled, CAP_NET_ADMIN is added 3. the settings of Capability= are added 4. the settings of DropCapability= are removed This allows the fix for #11755 to be retained and to still allow the admin to specify CAP_NET_ADMIN as additional capability. Fixes: a3fc6b55acd3f37e50915304d87bed100efa9d9d Fixes: #13995
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index ea781e2b38..6286a28f1d 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3770,6 +3770,7 @@ static int merge_settings(Settings *settings, const char *path) {
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
uint64_t plus, minus;
+ uint64_t network_minus = 0;
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the
* Settings structure */
@@ -3781,14 +3782,16 @@ static int merge_settings(Settings *settings, const char *path) {
if (settings_private_network(settings))
plus |= UINT64_C(1) << CAP_NET_ADMIN;
else
- minus |= UINT64_C(1) << CAP_NET_ADMIN;
+ network_minus |= UINT64_C(1) << CAP_NET_ADMIN;
}
if (!arg_settings_trusted && plus != 0) {
if (settings->capability != 0)
log_warning("Ignoring Capability= setting, file %s is not trusted.", path);
- } else
+ } else {
+ arg_caps_retain &= ~network_minus;
arg_caps_retain |= plus;
+ }
arg_caps_retain &= ~minus;