bunpen/seatd namespacing: clarify that CAP_NET_ADMIN requirement is surprising

2024-09-07 17:14:50 +00:00
parent 7ce82ca735
commit f68fbb0e0b
2 changed files with 3 additions and 3 deletions


@@ -69,7 +69,7 @@ lib.mkMerge [
serviceConfig.CapabilityBoundingSet = [
# "CAP_CHOWN"
"CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
"CAP_NET_ADMIN" #< needed by bwrap/bunpen, for some reason??
"CAP_NET_ADMIN" #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
"CAP_SYS_ADMIN" #< needed by bwrap/bunpen
"CAP_SYS_TTY_CONFIG"
];


@@ -48,8 +48,8 @@ export fn namespace_restrict(what: *resources) void = {
let raise_caps = rt::ext::CAPS_NONE;
if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
// i can't find that unsharing the netns requires CAP_NET_ADMIN,
// but empirically, it does (? e.g. seatd)
// i can't find documentation that unsharing the netns requires CAP_NET_ADMIN,
// but empirically, it does (? e.g. remove this and seatd fails)
if ((what_to_unshare & rt::ext::clone_flag::NEWNET) != 0)
caps_add(&raise_caps, rt::ext::cap::NET_ADMIN);
};
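Review bot: The `NET_ADMIN` raise is nested inside the `NEWNS` branch (`if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {`), so a caller that unshares `NEWNET` without `NEWNS` gets neither `SYS_ADMIN` nor `NET_ADMIN` raised; if `NEWNS` is always requested alongside `NEWNET` the reworded comment should say so, otherwise move the check after the closing `};` as its own `if ((what_to_unshare & rt::ext::clone_flag::NEWNET) != 0) caps_add(&raise_caps, rt::ext::cap::NET_ADMIN);`. The comment would also be more useful if it recorded the probable cause rather than only the observation: unshare(2) documents CAP_SYS_ADMIN, not CAP_NET_ADMIN, for CLONE_NEWNET, so the extra capability is most likely consumed by configuring the freshly created namespace (bwrap, for instance, brings up the loopback interface after unsharing) rather than by the unshare call itself — worth confirming by tracing the failing seatd path before the comment asserts it. Since raising a capability on an empirical hunch is a least-privilege cost, a precise "needed because X does Y" comment is what a later reviewer will want. namespace_restrict begins before this hunk.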