return last_cap;
}
+
+/*
+ * check if we have the caps needed to start a container. returns 1 on
+ * success, 0 on error. (I'd prefer this be a bool, but am afraid that
+ * might fail to build on some distros).
+ */
+int lxc_caps_check(void)
+{
+ uid_t uid = getuid();
+ cap_t caps;
+ cap_flag_value_t value;
+ int i, ret;
+
+ cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
+
+#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
+
+ if (!uid)
+ return 1;
+
+ caps = cap_get_proc();
+ if (!caps) {
+ ERROR("failed to cap_get_proc: %m");
+ return 0;
+ }
+
+ for (i=0; i<NUMCAPS; i++) {
+ ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
+ if (ret) {
+ ERROR("Failed to cap_get_flag: %m");
+ return 0;
+ }
+ if (!value) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
extern int lxc_caps_down(void);
extern int lxc_caps_up(void);
extern int lxc_caps_init(void);
+extern int lxc_caps_check(void);
extern int lxc_caps_last_cap(void);
return -1;
}
+extern int lxc_caps_check(void);
+
struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf)
{
struct lxc_handler *handler;
+ if (!lxc_caps_check()) {
+ ERROR("Not running with sufficient privilege");
+ return NULL;
+ }
+
handler = malloc(sizeof(*handler));
if (!handler)
return NULL;
projects / thirdparty / lxc.git / commitdiff
