From: Tycho Andersen <tycho@tycho.ws>
Date: Fri, 26 Jan 2018 21:21:51 +0000 (+0000)
Subject: better unprivileged detection
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0dfed0f902b9bc0df7518d32c217f89696de4d4b;p=thirdparty%2Flxc.git

better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 89225da1e..8859eeb74 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -272,8 +272,32 @@ extern void **lxc_append_null_to_array(void **array, size_t count);
 //initialize rand with urandom
 extern int randseed(bool);
 
-inline static bool am_unpriv(void) {
-	return geteuid() != 0;
+inline static bool am_unpriv(void)
+{
+	FILE *f;
+	uid_t user, host, count;
+	int ret;
+
+	if (geteuid() != 0)
+		return true;
+
+	/* Now: are we in a user namespace? Because then we're also
+	 * unprivileged.
+	 */
+	f = fopen("/proc/self/uid_map", "r");
+	if (!f) {
+		return false;
+	}
+
+	ret = fscanf(f, "%u %u %u", &user, &host, &count);
+	fclose(f);
+	if (ret != 3) {
+		return false;
+	}
+
+	if (user != 0 || host != 0 || count != UINT32_MAX)
+		return true;
+	return false;
 }
 
 /*