nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking

Fixes: #11755
Lennart Poettering 2019-03-15 15:31:44 +01:00
parent 3d6c367510
commit a3fc6b55ac
1 changed files with 10 additions and 4 deletions


@ -3648,14 +3648,20 @@ static int merge_settings(Settings *settings, const char *path) {
}
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
uint64_t plus;
uint64_t plus, minus;
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the
* Settings structure */
plus = settings->capability;
if (settings_private_network(settings))
plus |= UINT64_C(1) << CAP_NET_ADMIN;
minus = settings->drop_capability;
if ((arg_settings_mask & SETTING_NETWORK) == 0) {
if (settings_private_network(settings))
plus |= UINT64_C(1) << CAP_NET_ADMIN;
else
minus |= UINT64_C(1) << CAP_NET_ADMIN;
}
if (!arg_settings_trusted && plus != 0) {
if (settings->capability != 0)
@ -3663,7 +3669,7 @@ static int merge_settings(Settings *settings, const char *path) {
} else
arg_caps_retain |= plus;
arg_caps_retain &= ~settings->drop_capability;
arg_caps_retain &= ~minus;
/* Copy the full capabilities over too */
if (capability_quintet_is_set(&settings->full_capabilities)) {
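Review bot: An explicit `Capability=CAP_NET_ADMIN` in the settings file is now silently overridden when the same file turns private networking off, because the new `else` branch adds the bit to `minus` and `arg_caps_retain &= ~minus` runs after `arg_caps_retain |= plus`. Dropping is the safe direction for a container that shares the host network namespace, but the precedence is not stated anywhere in the hunk and nothing is logged when it takes effect. I would add a comment above the `else`, e.g. `/* No private network: never retain CAP_NET_ADMIN, even if Capability= lists it; minus is applied after plus */`, and, if the override is intended, a `log_debug()` when `plus` carries the bit in that branch. merge_settings() starts and ends outside the hunk, so the initial value of `arg_caps_retain` is not visible here.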