buildroot: don't explicitly add CAP_MAC_ADMIN

This is a left-over from the time when `systemd-nspawn` was used, which only retained a limited set of capabilities which did not include `CAP_MAC_ADMIN`[1]. Bubblewrap, on the other hand, retains all currently capabilities if the process is run as root[2]. [1] see e.g. src/nspawn/nspawn.c#L147 of commit c52950c [2] see commit abc56644566a6095bb72a5bf70fcee7dd90e9447
2022-04-19 18:03:12 +02:00 · 2022-04-19 18:03:12 +02:00 · 136e13eca1
commit 136e13eca1
parent 68481f48ae
1 changed files with 0 additions and 1 deletions
--- a/osbuild/buildroot.py
+++ b/osbuild/buildroot.py
@ -265,7 +265,6 @@ class BuildRoot(contextlib.AbstractContextManager):

        cmd = [
            "bwrap",
-            "--cap-add", "CAP_MAC_ADMIN",
            "--chdir", "/",
            "--die-with-parent",
            "--new-session",