In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
//initialize rand with urandom
extern int randseed(bool);
-inline static bool am_unpriv(void) {
- return geteuid() != 0;
+inline static bool am_unpriv(void)
+{
+ FILE *f;
+ uid_t user, host, count;
+ int ret;
+
+ if (geteuid() != 0)
+ return true;
+
+ /* Now: are we in a user namespace? Because then we're also
+ * unprivileged.
+ */
+ f = fopen("/proc/self/uid_map", "r");
+ if (!f) {
+ return false;
+ }
+
+ ret = fscanf(f, "%u %u %u", &user, &host, &count);
+ fclose(f);
+ if (ret != 3) {
+ return false;
+ }
+
+ if (user != 0 || host != 0 || count != UINT32_MAX)
+ return true;
+ return false;
}
/*
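Review bot: The new am_unpriv() fails open on a parse error: when fscanf() on an existing /proc/self/uid_map returns fewer than three fields, the `if (ret != 3)` branch returns false, i.e. "privileged", even though a map that is readable but not parseable is not a state in which privileged operations can be trusted. Since the fopen() failure path already covers kernels without user namespaces, the parse-failure path could safely default the other way, `if (ret != 3) return true;`, or at least carry a comment explaining why it deliberately assumes privilege. A second caveat worth a comment above the final comparison: a child user namespace can legitimately carry the identity map `0 0 4294967295`, so this heuristic (like LXD's) reports such a namespace as privileged; it distinguishes only namespaces with a non-identity first mapping line. Note that `UINT32_MAX` requires <stdint.h>, which is not visible in this hunk; the enclosing header's include list lies outside the hunk.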