nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping (#38723)

Even if there's no uid shift, we still won't be able to bind to privileged ports in the host network namespace, so drop the capability regardless of whether we have a uid shift or not.
2026-04-14 08:25:20 +09:00 · 2025-09-05 09:08:44 +02:00
parent a8211e88c7 cadeaef67c
commit f743084035
4 changed files with 22 additions and 2 deletions
--- a/mkosi/mkosi.conf.d/opensuse/mkosi.conf
+++ b/mkosi/mkosi.conf.d/opensuse/mkosi.conf
@@ -56,6 +56,7 @@ Packages=
        kmod
        knot
        libapparmor1
+        libcap-progs
        multipath-tools
        ncat
        open-iscsi
--- a/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf
+++ b/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf
@@ -10,6 +10,7 @@ Packages=
        grep
        hostname
        iproute2
+        libcap-progs
        ncat
        patterns-base-minimal_base
        sed
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5950,7 +5950,7 @@ static int run(int argc, char *argv[]) {
        /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
         * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
         * indicate that. */
-        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
                arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);

        r = verify_arguments();
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1446,7 +1446,7 @@ testcase_unpriv_dir() {
    rm -rf "$root"
 }

-testcase_link_journa_hostl() {
+testcase_link_journal_host() {
    local root hoge i

    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
@@ -1470,4 +1470,22 @@ testcase_link_journa_hostl() {
    rm -fr "$root"
 }

+testcase_cap_net_bind_service() {
+    local root
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.cap-net-bind-service.XXX)"
+    create_dummy_container "$root"
+
+    # Check that CAP_NET_BIND_SERVICE is available without --private-users
+    systemd-nspawn --register=no --directory="$root" capsh --has-p=cap_net_bind_service
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=identity
+    (! systemd-nspawn --register=no --directory="$root" --private-users=identity capsh --has-p=cap_net_bind_service)
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=pick
+    (! systemd-nspawn --register=no --directory="$root" --private-users=pick capsh --has-p=cap_net_bind_service)
+
+    rm -fr "$root"
+}
+
 run_testcases