better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 5eeb5b8feb7eca40974932ffdad2b80b3dcc33a8..87c5152961481f36d1647abae568e9b4a814b43b 100644 (file)
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -418,8 +418,32 @@ extern int lxc_strmunmap(void *addr, size_t length);
 //initialize rand with urandom
 extern int randseed(bool);
 
-inline static bool am_unpriv(void) {
-       return geteuid() != 0;
+inline static bool am_unpriv(void)
+{
+       FILE *f;
+       uid_t user, host, count;
+       int ret;
+
+       if (geteuid() != 0)
+               return true;
+
+       /* Now: are we in a user namespace? Because then we're also
+        * unprivileged.
+        */
+       f = fopen("/proc/self/uid_map", "r");
+       if (!f) {
+               return false;
+       }
+
+       ret = fscanf(f, "%u %u %u", &user, &host, &count);
+       fclose(f);
+       if (ret != 3) {
+               return false;
+       }
+
+       if (user != 0 || host != 0 || count != UINT32_MAX)
+               return true;
+       return false;
 }
 
 /*