If a network namespace is shared by setting lxc.namespace.share.net and
the container is unprivileged, then the network namespace should be
entered before entering the user namespace. However, if an unprivileged
user started a container, then the network namespace should be entered
after entering the user namespace. To solve this, we try to enter the
network namespace before entering the user namespace. If it did not
succeed, it will be tried again inside the user namespace.
Signed-off-by: Jef Steelant <jef.steelant_ext@softathome.com>
static inline bool enter_net_ns(struct lxc_container *c)
{
+ bool net_ns_entered;
pid_t pid = do_lxcapi_init_pid(c);
if (pid < 0)
return false;
+ net_ns_entered = switch_to_ns(pid, "net");
+
if ((geteuid() != 0 || (c->lxc_conf && !list_empty(&c->lxc_conf->id_map))) &&
(access("/proc/self/ns/user", F_OK) == 0))
if (!switch_to_ns(pid, "user"))
return false;
- return switch_to_ns(pid, "net");
+ if (!net_ns_entered)
+ return switch_to_ns(pid, "net");
+
+ return true;
}
/* Used by qsort and bsearch functions for comparing names. */
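Review bot: the first `switch_to_ns(pid, "net")` is now expected to fail in the unprivileged case, but the hunk does not distinguish that expected failure from any other reason the net namespace could not be entered, and the reason is only re-examined when the second attempt fails after entering the user namespace. If `switch_to_ns` logs on failure, the expected failure will produce a spurious error line for every unprivileged caller; consider a short comment above `net_ns_entered = switch_to_ns(pid, "net");` stating that failure is expected when the caller is unprivileged and the namespace is owned by the container's user namespace, so that the retry is not mistaken for a bug. Separately, when the first net switch succeeds and the later user-namespace switch then fails, the function returns false with the calling thread already moved into the container's network namespace; that was also true before this change, but it is worth noting in the comment since the ordering is now the point of the function.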