Also drop caps in unpriv containers

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 320b6c94c807c843b59e6e353e4ab5698e53355d..6450c5ef4d0674886d0f0dd885d577a215f8d9f3 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4234,20 +4234,18 @@ int lxc_setup(struct lxc_handler *handler)
                return -1;
        }
 
-       if (lxc_list_empty(&lxc_conf->id_map)) {
-               if (!lxc_list_empty(&lxc_conf->keepcaps)) {
-                       if (!lxc_list_empty(&lxc_conf->caps)) {
-                               ERROR("Simultaneously requested dropping and keeping caps");
-                               return -1;
-                       }
-                       if (dropcaps_except(&lxc_conf->keepcaps)) {
-                               ERROR("failed to keep requested caps");
-                               return -1;
-                       }
-               } else if (setup_caps(&lxc_conf->caps)) {
-                       ERROR("failed to drop capabilities");
+       if (!lxc_list_empty(&lxc_conf->keepcaps)) {
+               if (!lxc_list_empty(&lxc_conf->caps)) {
+                       ERROR("Simultaneously requested dropping and keeping caps");
                        return -1;
                }
+               if (dropcaps_except(&lxc_conf->keepcaps)) {
+                       ERROR("failed to keep requested caps");
+                       return -1;
+               }
+       } else if (setup_caps(&lxc_conf->caps)) {
+               ERROR("failed to drop capabilities");
+               return -1;
        }
 
        NOTICE("'%s' is setup.", name);