chown_mapped_root: don't try chgrp if we don't own the file

New kernels require that to have privilege over a file, your
userns must have the old and new groups mapped into your userns.
So if a file is owned by our uid but another groupid, then we
have to chgrp the file to our primary group before we can try
(in a new user namespace) to chgrp the file to a group id in the
namespace.

But in some cases (when cloning) the file may already be mapped
into the container.  Now we cannot chgrp the file to our own
primary group - and we don't have to.

So detect that case.  Only try to chgrp the file to our primary
group if the file is owned by our euid (i.e. not by the container)
and the owning group is not already mapped into the container by
default.

With this patch, I'm again able to both create and clone containers
with no errors again.

Reported-by: S.Çağlar Onur <caglar@10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bdd623a7f1e1403c1c7932cfcbd2ca6eb56766e4..213511f2f924875c28ea052a6f43a4de81ebf57e 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3565,9 +3565,14 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
                        return -1;
                }
 
-               // a trick for chgrp the file that is not owned by oneself
-               if (chown(path, -1, hostgid) < 0) {
-                       ERROR("Error chgrp %s", path);
+               /*
+                * A file has to be group-owned by a gid mapped into the
+                * container, or the container won't be privileged over it.
+                */
+               if (sb.st_uid == geteuid() &&
+                               mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 &&
+                               chown(path, -1, hostgid) < 0) {
+                       ERROR("Failed chgrping %s", path);
                        return -1;
                }