From: Tycho Andersen <tycho@tycho.ws>
Date: Fri, 26 Jan 2018 21:21:51 +0000 (+0000)
Subject: better unprivileged detection
X-Git-Tag: lxc-3.0.0.beta1~64^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4692c01af27c050f762026089efd17ddf717968b;p=thirdparty%2Flxc.git

better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged,
and doing things like moving the physical nics back to the host netns won't
work. Let's do the same thing LXD does if euid == 0: inspect
/proc/self/uid_map and see what that says.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
---

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index f8cf26fbf..f13213c44 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -427,8 +427,32 @@ extern int lxc_strmunmap(void *addr, size_t length);
 /* initialize rand with urandom */
 extern int randseed(bool);
 
-inline static bool am_unpriv(void) {
-	return geteuid() != 0;
+inline static bool am_unpriv(void)
+{
+	FILE *f;
+	uid_t user, host, count;
+	int ret;
+
+	if (geteuid() != 0)
+		return true;
+
+	/* Now: are we in a user namespace? Because then we're also
+	 * unprivileged.
+	 */
+	f = fopen("/proc/self/uid_map", "r");
+	if (!f) {
+		return false;
+	}
+
+	ret = fscanf(f, "%u %u %u", &user, &host, &count);
+	fclose(f);
+	if (ret != 3) {
+		return false;
+	}
+
+	if (user != 0 || host != 0 || count != UINT32_MAX)
+		return true;
+	return false;
 }
 
 /*