authorLennart Poettering <lennart@poettering.net>2019-03-15 15:31:44 +0100
committerLennart Poettering <lennart@poettering.net>2019-03-15 15:42:21 +0100
commita3fc6b55acd3f37e50915304d87bed100efa9d9d (patch)
tree42cde15abd33ec668812f6ebc0facb077b1dcc3e /src/nspawn
parent3d6c367510633134eec6b020418f2794e413b2c4 (diff)
downloadsystemd-a3fc6b55acd3f37e50915304d87bed100efa9d9d.tar.gz
nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking
Fixes: #11755
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5c6d71871d..b2cf419484 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3648,14 +3648,20 @@ static int merge_settings(Settings *settings, const char *path) {
}
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
- uint64_t plus;
+ uint64_t plus, minus;
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the
* Settings structure */
plus = settings->capability;
- if (settings_private_network(settings))
- plus |= UINT64_C(1) << CAP_NET_ADMIN;
+ minus = settings->drop_capability;
+
+ if ((arg_settings_mask & SETTING_NETWORK) == 0) {
+ if (settings_private_network(settings))
+ plus |= UINT64_C(1) << CAP_NET_ADMIN;
+ else
+ minus |= UINT64_C(1) << CAP_NET_ADMIN;
+ }
if (!arg_settings_trusted && plus != 0) {
if (settings->capability != 0)
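Review bot: The new `else` branch at the `minus |= UINT64_C(1) << CAP_NET_ADMIN;` line deserves a comment stating why "drop wins" here, because as written it also overrides an explicit `Capability=CAP_NET_ADMIN` in the same settings file (that bit is folded into `plus` from `settings->capability` and then masked out again at the `arg_caps_retain &= ~minus` line), and it does so regardless of `arg_settings_trusted`. That is the right call from a security standpoint — without a private network namespace CAP_NET_ADMIN amounts to control over the host's network stack — but a future reader may take it for an oversight. I would add above the `else`: `/* No private netns: CAP_NET_ADMIN would act on the host network, so always mask it, even if Capability= asked for it and the file is trusted. */`. Note the branch is gated on `SETTING_NETWORK` not being set on the command line, so a `--network-*` option appears to take the decision away from the file entirely; that path is presumably handled where the command line is parsed, which is outside this hunk. merge_settings() begins before this hunk.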
@@ -3663,7 +3669,7 @@ static int merge_settings(Settings *settings, const char *path) {
} else
arg_caps_retain |= plus;
- arg_caps_retain &= ~settings->drop_capability;
+ arg_caps_retain &= ~minus;
/* Copy the full capabilities over too */
if (capability_quintet_is_set(&settings->full_capabilities)) {
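Review bot: The `arg_caps_retain &= ~minus;` line is immediately followed by the `capability_quintet_is_set(&settings->full_capabilities)` copy, and from this hunk it is not visible whether that copy can reintroduce CAP_NET_ADMIN into the bounding set that `minus` just cleared; if the quintet is taken verbatim from the settings file, a file with a non-private network and CAP_NET_ADMIN in its full capability set would bypass the new mask. Worth confirming that the quintet path either applies `minus` as well or is restricted to trusted settings, and recording the answer in the comment, e.g. `/* Copy the full capabilities over too (note: the CAP_NET_ADMIN mask above must also hold for the quintet) */`. The rest of merge_settings(), including the quintet handling, lies outside this hunk.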