From: Alexander Mikhalitsyn
Date: Fri, 26 Jan 2024 16:20:27 +0000 (+0100)
Subject: tree-wide: use container_uses_namespace() in less trivial cases
X-Git-Tag: v6.0.0~27^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ac7c4895e3f8344c2f789706aca489b32039907;p=thirdparty%2Flxc.git
tree-wide: use container_uses_namespace() in less trivial cases
In our current codebase we have a logical pattern: list_empty(&handler->conf->id_map) *IF AND ONLY IF* container does NOT use user namespace Which is perfectly correct nowadays, but once we (hopefully) get an "isolated user namespaces" stuff ready it won't be the case. It will be perfectly fine to have a user namespace with empty /proc/*/{u,g}id_map files. Nowadays it's also possible, but this kind of a configuration close to useless and nobody actually uses it. No functional changes intended.
Signed-off-by: Alexander Mikhalitsyn
---
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 23e92d6aa..b4ab0aa69 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -564,7 +564,7 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops,
 * monitor is root we can assume that it is privileged enough to remove
 * the cgroups it created when the container started.
 */
- if (!list_empty(&handler->conf->id_map) && !handler->am_root) {
+ if (container_uses_namespace(handler, CLONE_NEWUSER) && !handler->am_root) {
 struct generic_userns_exec_data wrap = {
 .conf = handler->conf,
 .path_prune = ops->container_limit_cgroup,
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c6c4279e2..d006bccc1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -620,7 +620,7 @@ int lxc_rootfs_prepare_parent(struct lxc_handler *handler)
 int ret;
 const char *path_source;
- if (list_empty(&handler->conf->id_map))
+ if (!container_uses_namespace(handler, CLONE_NEWUSER))
 return 0;
 if (is_empty_string(rootfs->mnt_opts.userns_path))
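Review bot: The rewritten condition in cgfsng_payload_destroy() still passes `handler->conf` into the `generic_userns_exec_data` wrapper, which presumably builds its mapping from `conf->id_map`, so the test and the data it guards are no longer the same thing. In the configuration the commit message anticipates (user namespace with an empty map) this branch would be entered with nothing to map, and the same holds for the code after the early returns in lxc_rootfs_prepare_parent() and lxc_rootfs_prepare_child(), which lies outside those hunks. The definition of container_uses_namespace() is not part of this diff; if it reads clone flags that are only filled in during spawn, each of these call sites should be confirmed to run after that point, since cgroup teardown can also be reached from early error paths. I would record the assumption where it is relied on, e.g. `/* relies on conf->id_map being populated whenever CLONE_NEWUSER is in use */`.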
@@ -4117,7 +4117,7 @@ static int lxc_rootfs_prepare_child(struct lxc_handler *handler)
 int dfd_idmapped = -EBADF;
 int ret;
- if (list_empty(&handler->conf->id_map))
+ if (!container_uses_namespace(handler, CLONE_NEWUSER))
 return 0;
 if (is_empty_string(rootfs->mnt_opts.userns_path))
diff --git a/src/lxc/start.c b/src/lxc/start.c
index a34f76a60..33e4ac94a 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1400,7 +1400,7 @@ static int do_start(void *data)
 * we switched to root in the new user namespace further above. Only
 * drop groups if we can, so ensure that we have necessary privilege.
 */
- if (list_empty(&handler->conf->id_map)) {
+ if (!container_uses_namespace(handler, CLONE_NEWUSER)) {
 #if HAVE_LIBCAP
 if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
 #endif
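Review bot: The comment above the changed condition in do_start() still explains the skipped group drop by the switch to root in the new user namespace "further above", while the condition now tests namespace use rather than the presence of a mapping. For a user namespace with an empty map, nothing visible in this hunk drops the supplementary groups inherited from the monitor, and the earlier branch the comment refers to is outside the hunk, so whether it still runs in that case cannot be checked here. I would reword the comment to match the predicate and state where groups are handled in the user-namespace case, for example `* Only reached when the container does not use a user namespace; with CLONE_NEWUSER the groups are handled where we switch ids further above.`, after confirming that this holds when the map is empty.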