conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 30870aa5b34847015534a834134c5006418844f5..3ddd30bf202395b314810ac225f7b125a42608ed 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
                { 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
        };
 
-       bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
-       for (i = 0; default_mounts[i].match_mask; i++) {
+        bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+        for (i = 0; default_mounts[i].match_mask; i++) {
                __do_free char *destination = NULL, *source = NULL;
                int saved_errno;
                unsigned long mflags;

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5a501b442aa8fda4a625b934c96f3cdff0463b8e..46bab5b3039776896cd92509adb5e834900aac4f 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/vfs.h>
 
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
                                    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
 
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+       if (lxc_caps_last_cap() < cap)
+               return false;
+
        if (!lxc_list_empty(&conf->keepcaps))
                return !in_caplist(cap, &conf->keepcaps);