In our current codebase we have a logical pattern:
list_empty(&handler->conf->id_map)
*IF AND ONLY IF*
container does NOT use user namespace
Which is perfectly correct nowadays, but once we (hopefully)
get the "isolated user namespaces" stuff ready it won't be the case.
It will be perfectly fine to have a user namespace with empty
/proc/*/{u,g}id_map files. Nowadays it's also possible,
but this kind of configuration is close to useless and nobody
actually uses it.
No functional changes intended.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
* monitor is root we can assume that it is privileged enough to remove
* the cgroups it created when the container started.
*/
- if (!list_empty(&handler->conf->id_map) && !handler->am_root) {
+ if (container_uses_namespace(handler, CLONE_NEWUSER) && !handler->am_root) {
struct generic_userns_exec_data wrap = {
.conf = handler->conf,
.path_prune = ops->container_limit_cgroup,
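Review bot: the new condition on the `if` line enters this branch for any container with CLONE_NEWUSER, including the empty-id_map case the commit message anticipates, yet the branch still hands `.conf = handler->conf` to the userns exec wrapper. How that wrapper behaves with an empty `id_map` is not visible in this change; please confirm it copes with that case, or say in the comment above the condition that a non-empty mapping is still assumed on this path.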
int ret;
const char *path_source;
- if (list_empty(&handler->conf->id_map))
+ if (!container_uses_namespace(handler, CLONE_NEWUSER))
return 0;
if (is_empty_string(rootfs->mnt_opts.userns_path))
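Review bot: the early return here now depends on `container_uses_namespace()`, whose definition and documentation are not part of the visible change, and "no functional changes intended" only holds if it is true exactly when `id_map` is non-empty today. Please state in the commit message, or in a comment at the helper, which handler state it reads and whether it also returns true for a container that joins an existing user namespace instead of creating one.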
int dfd_idmapped = -EBADF;
int ret;
- if (list_empty(&handler->conf->id_map))
+ if (!container_uses_namespace(handler, CLONE_NEWUSER))
return 0;
if (is_empty_string(rootfs->mnt_opts.userns_path))
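Review bot: the early-return guard and the `is_empty_string(rootfs->mnt_opts.userns_path)` check that follows it are identical to the pair in the previous hunk. A small shared helper for "this rootfs needs idmapped handling" would keep the two functions from drifting apart the next time the predicate changes.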
* we switched to root in the new user namespace further above. Only
* drop groups if we can, so ensure that we have necessary privilege.
*/
- if (list_empty(&handler->conf->id_map)) {
+ if (!container_uses_namespace(handler, CLONE_NEWUSER)) {
#if HAVE_LIBCAP
if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
#endif
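Review bot: the guard on the `if` line now skips the CAP_SETGID-gated group drop for every container with a user namespace, including one with no gid mapping, while the comment above still justifies the skip with "we switched to root in the new user namespace further above". If that earlier switch stays keyed on a non-empty `id_map`, a container with an unmapped user namespace would pass through both places without its supplementary groups being dropped. Please check that the earlier path uses the same predicate, and extend the comment to cover the unmapped case.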