From b21f52b6d189a63441258250259a93ffd4c28283 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 5 Sep 2025 08:23:58 +0200
Subject: [PATCH 1/4] mkosi: Install libcap-progs in main and minimal image

Let's make sure tools like capsh are available on OpenSUSE images as well.

---
 mkosi/mkosi.conf.d/opensuse/mkosi.conf | 1 +
 mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/mkosi/mkosi.conf.d/opensuse/mkosi.conf b/mkosi/mkosi.conf.d/opensuse/mkosi.conf
index 36eab78a8c..1655f972da 100644
--- a/mkosi/mkosi.conf.d/opensuse/mkosi.conf
+++ b/mkosi/mkosi.conf.d/opensuse/mkosi.conf
@@ -56,6 +56,7 @@ Packages=
 kmod
 knot
 libapparmor1
+ libcap-progs
 multipath-tools
 ncat
 open-iscsi
diff --git a/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf b/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf
index 5904812464..811b49276e 100644
--- a/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf
+++ b/mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf
@@ -10,6 +10,7 @@ Packages=
 grep
 hostname
 iproute2
+ libcap-progs
 ncat
 patterns-base-minimal_base
 sed
From f70754b34f8cce624beeb833d1b58a59896e81cf Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 4 Sep 2025 12:17:53 +0200
Subject: [PATCH 2/4] TEST-13-NSPAWN: Fix typo

---
 test/units/TEST-13-NSPAWN.nspawn.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh
index 37a24b579e..eccf183d22 100755
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1446,7 +1446,7 @@ testcase_unpriv_dir() {
 rm -rf "$root"
 }
 
-testcase_link_journa_hostl() {
+testcase_link_journal_host() {
 local root hoge i
 
 root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
From 945e1fd37b66ae3b1732b8fbcc247050c5141b85 Mon Sep 17 00:00:00 2001
From: DaanDeMeyer
Date: Tue, 26 Aug 2025 12:35:58 +0200
Subject: [PATCH 3/4] nspawn: Drop CAP_NET_BIND_SERVICE if in userns with identity mapping

Even if there's no uid shift, we still won't be able to bind to privileged ports in the host network namespace, so drop the capability regardless of whether we have a uid shift or not.

---
 src/nspawn/nspawn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1142bc5745..ab8746c442 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -5950,7 +5950,7 @@ static int run(int argc, char *argv[]) {
 /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
 * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
 * indicate that. */
- if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+ if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
 arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
 
 r = verify_arguments();
From cadeaef67cb0f11bd968cfd6a183bcbfc73b0c70 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 4 Sep 2025 12:48:35 +0200
Subject: [PATCH 4/4] test: Add test for nspawn's handling of cap_net_bind_service

---
 test/units/TEST-13-NSPAWN.nspawn.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh
index eccf183d22..fabb1a3d30 100755
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
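Review bot: The comment kept as context above the changed condition still gives only the original rationale ("we won't have permissions to bind ports in the container"), while the new condition also fires for `--private-users=identity`, where there is no uid shift at all, so a later reader could plausibly re-add `arg_uid_shift > 0` as an "optimization". Suggest extending the comment with the reason from the commit message, e.g. ` * This holds even for an identity mapping: the host's network namespace is not owned by the container's user namespace, so CAP_NET_BIND_SERVICE held inside it grants nothing there. */`. Dropping the bit from arg_caps_retain in that case also keeps the advertised capability set honest, so the payload does not appear to hold a privilege it cannot exercise. run() continues on both sides of the hunk.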
@@ -1470,4 +1470,22 @@ testcase_link_journal_host() {
 rm -fr "$root"
 }
 
+testcase_cap_net_bind_service() {
+ local root
+
+ root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.cap-net-bind-service.XXX)"
+ create_dummy_container "$root"
+
+ # Check that CAP_NET_BIND_SERVICE is available without --private-users
+ systemd-nspawn --register=no --directory="$root" capsh --has-p=cap_net_bind_service
+
+ # Check that CAP_NET_BIND_SERVICE is not available with --private-users=identity
+ (! systemd-nspawn --register=no --directory="$root" --private-users=identity capsh --has-p=cap_net_bind_service)
+
+ # Check that CAP_NET_BIND_SERVICE is not available with --private-users=pick
+ (! systemd-nspawn --register=no --directory="$root" --private-users=pick capsh --has-p=cap_net_bind_service)
+
+ rm -fr "$root"
+}
+
 run_testcases
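Review bot: The two negated checks accept any non-zero exit, so if systemd-nspawn fails to start at all under `--private-users` (capsh missing from the image, user namespace setup refused) the test passes without ever exercising the capability drop. A positive control per mode would pin that the container actually ran, e.g. `systemd-nspawn --register=no --directory="$root" --private-users=identity true` before the negated capsh call, and the same for `pick`. The kept-capability branch of the condition is also uncovered: with `--private-network` the code keeps CAP_NET_BIND_SERVICE, so `systemd-nspawn --register=no --directory="$root" --private-users=pick --private-network capsh --has-p=cap_net_bind_service` would guard against the drop becoming over-broad, provided that combination starts in this test environment. testcase_cap_net_bind_service lies fully within the hunk.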