Check for CAP_SYS_ADMIN instead of root

Even if we're running as root, we might not have CAP_SYS_ADMIN, so
let's always check for CAP_SYS_ADMIN.

Author: DaanDeMeyer

mkosi/__init__.py

@@ -114,6 +114,7 @@
     workdir,
 )
 from mkosi.sandbox import (
+    CAP_SYS_ADMIN,
     CLONE_NEWNS,
     MOUNT_ATTR_NODEV,
     MOUNT_ATTR_NOEXEC,
@@ -123,6 +124,7 @@
     MS_SLAVE,
     __version__,
     acquire_privileges,
+    have_effective_cap,
     join_new_session_keyring,
     mount,
     mount_rbind,
@@ -4888,12 +4890,11 @@ def run_build(
     metadata_dir: Path,
     package_dir: Optional[Path] = None,
 ) -> None:
-    if os.getuid() != 0:
+    if not have_effective_cap(CAP_SYS_ADMIN):
         acquire_privileges()
-
-    unshare(CLONE_NEWNS)
-
-    if os.getuid() == 0:
+        unshare(CLONE_NEWNS)
+    else:
+        unshare(CLONE_NEWNS)
         mount("", "/", "", MS_SLAVE | MS_REC, "")
 
     # For extra safety when running as root, remount a bunch of directories read-only unless the output

mkosi/sandbox.py

@@ -452,7 +452,7 @@ def become_user(uid: int, gid: int) -> None:
 
 
 def acquire_privileges(*, become_root: bool = False) -> bool:
-    if os.getuid() == 0 or (not become_root and have_effective_cap(CAP_SYS_ADMIN)):
+    if have_effective_cap(CAP_SYS_ADMIN) and (os.getuid() == 0 or not become_root):
         return False
 
     if become_root: