diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index 9994f0fe7..33df34551 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -67,7 +67,7 @@ lib.mkMerge [
 # ];
 serviceConfig.CapabilityBoundingSet = [
 "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
- "CAP_NET_ADMIN" #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
+ # "CAP_NET_ADMIN" #< only needed by bwrap
 "CAP_SETPCAP" #< TODO: this is a limitation of bunpen, which wants to add caps from bounding to inheritable, and drop from ambient
 "CAP_SYS_ADMIN" #< needed by bwrap/bunpen
 "CAP_SYS_TTY_CONFIG"
diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha
index 5da16e2dc..f3ecb1e51 100644
--- a/pkgs/additional/bunpen/restrict/namespace.ha
+++ b/pkgs/additional/bunpen/restrict/namespace.ha
@@ -43,19 +43,13 @@ export fn namespace_restrict(what: *resources) void = {
 let unshare_keep_users = what_to_unshare & ~rt::ext::clone_flag::NEWUSER;
 if (try_unshare(unshare_keep_users)) {
 what_to_unshare = 0;
- } else {
- log::println("[namespace] failed to unshare w/o user namespace. raising caps and trying again");
+ } else if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
+ log::println("[namespace] failed to unshare w/o user namespace. raising CAP_SYS_ADMIN and trying again");
+ let raise_caps = rt::ext::CAPS_NONE;
- if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
- caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
- // i can't find documentation that unsharing the netns requires CAP_NET_ADMIN,
- // but empirically, it does (? e.g. remove this and seatd fails)
- if ((what_to_unshare & rt::ext::clone_flag::NEWNET) != 0)
- caps_add(&raise_caps, rt::ext::cap::NET_ADMIN);
- };
- if (try_unshare_with(unshare_keep_users, raise_caps)) {
+ caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
+ if (try_unshare_with(unshare_keep_users, raise_caps))
 what_to_unshare = 0;
- };
 };
 };
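Review bot: The replacement line keeps `"CAP_NET_ADMIN"` as a commented-out entry in CapabilityBoundingSet, and its comment (`only needed by bwrap`) no longer records why this service can do without it; a dead entry in a capability list tends to be uncommented again the next time something fails. Either delete the line or state the reason next to it, e.g. `# CAP_NET_ADMIN dropped: bunpen's no-user-namespace fallback raises only CAP_SYS_ADMIN (see restrict/namespace.ha); re-add only if this unit is sandboxed with bwrap`. Removing it from the bounding set is the right direction, since the unit then cannot acquire that capability even if the sandbox helper requests it. The TODO on `CAP_SETPCAP` in the same list documents the remaining widening and is worth keeping.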
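Review bot: The privileged retry on the new `else if` line is gated on NEWNS alone, but on Linux every non-user namespace that `unshare_keep_users` can still contain (net, pid, ipc, uts) needs CAP_SYS_ADMIN when no user namespace is created, so a request such as NEWNET without NEWNS now skips the retry the old code performed and leaves `what_to_unshare` set. Unless callers never request those flags without NEWNS, gate on the remaining flags instead: `} else if (unshare_keep_users != 0) {`. The log line could then name the flags it is raising for rather than hard-coding the mount namespace in the message. namespace_restrict continues past the end of the hunk, so whether a still-set `what_to_unshare` falls back to a user namespace, and whether try_unshare_with drops `raise_caps` again after the call, is not visible here.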