bunpen/seatd namespacing: clarify that CAP_NET_ADMIN requirement is surprising
@@ -69,7 +69,7 @@ lib.mkMerge [
|
||||
serviceConfig.CapabilityBoundingSet = [
|
||||
# "CAP_CHOWN"
|
||||
"CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
|
||||
"CAP_NET_ADMIN" #< needed by bwrap/bunpen, for some reason??
|
||||
"CAP_NET_ADMIN" #< needed by bwrap/bunpen to unshare net namespace (undocumented requirement?)
|
||||
"CAP_SYS_ADMIN" #< needed by bwrap/bunpen
|
||||
"CAP_SYS_TTY_CONFIG"
|
||||
];
|
||||
|
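Review bot: The reworded comment on the `"CAP_NET_ADMIN"` line still presents the requirement as an unexplained kernel quirk, yet the bunpen hunk in this same commit shows the sandbox itself calling `caps_add(&raise_caps, rt::ext::cap::NET_ADMIN)` whenever a net namespace is unshared, so at least part of the requirement is self-imposed: a bounding set without that capability makes the raise fail before any unshare is attempted. Suggest stating that in the comment, e.g. `"CAP_NET_ADMIN" #< bunpen raises this itself when unsharing the netns (see namespace_restrict); drop it together with that raise if it proves unnecessary`. Recording the observed failure (which operation fails, with what error) instead of "undocumented requirement?" would also make the entry re-verifiable later. Note that CapabilityBoundingSet is only a ceiling; which of SYS_ADMIN/NET_ADMIN the service still holds after namespacing is not visible on this page.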
@@ -48,8 +48,8 @@ export fn namespace_restrict(what: *resources) void = {
|
||||
let raise_caps = rt::ext::CAPS_NONE;
|
||||
if ((what_to_unshare & rt::ext::clone_flag::NEWNS) != 0) {
|
||||
caps_add(&raise_caps, rt::ext::cap::SYS_ADMIN);
|
||||
// i can't find that unsharing the netns requires CAP_NET_ADMIN,
|
||||
// but empirically, it does (? e.g. seatd)
|
||||
// i can't find documentation that unsharing the netns requires CAP_NET_ADMIN,
|
||||
// but empirically, it does (? e.g. remove this and seatd fails)
|
||||
if ((what_to_unshare & rt::ext::clone_flag::NEWNET) != 0)
|
||||
caps_add(&raise_caps, rt::ext::cap::NET_ADMIN);
|
||||
};
|
||||
|
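Review bot: As rendered here (indentation lost), the `NEWNET` check sits inside the `NEWNS` branch, so a caller unsharing only the net namespace would never get NET_ADMIN raised; if that nesting is real the new comment should say the raise is only made alongside a mount namespace, and if it is not intended the check belongs at the same level as the `NEWNS` one. The comment records the observation but not a cause: one plausible explanation to confirm is not unshare(CLONE_NEWNET) itself, which needs CAP_SYS_ADMIN, but the post-unshare setup bwrap-style sandboxes perform in the fresh netns (configuring loopback), which needs CAP_NET_ADMIN in the owning user namespace. Suggest replacing the two comment lines with `// unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN; NET_ADMIN is empirically required too (seatd fails without it), possibly for post-unshare netns setup (loopback?) — TODO confirm`. Since this raises a capability in the process being sandboxed, it is worth documenting where it is dropped again; namespace_restrict starts and ends outside the hunk.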