From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 12 Apr 2021 07:47:59 +0000 (+0200)
Subject: conf: don't report success when idmaptools lack all privilege
X-Git-Tag: lxc-5.0.0~212^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a864a2e10537310c0455f843f4bfaff8dd90d222;p=thirdparty%2Flxc.git

conf: don't report success when idmaptools lack all privilege

Fixes: #3777
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 37918dac7..6a0d54b83 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2816,6 +2816,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap)
 	    lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) &&
 	    lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED))
 		return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path);
+
+	return 0;
 #else
 	/*
 	 * If we cannot check for file capabilities we need to give the benefit
@@ -2823,9 +2825,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap)
 	 * file capabilities are set.
 	 */
 	DEBUG("Cannot check for file capabilities as full capability support is missing. Manual intervention needed");
-#endif
-
 	return 1;
+#endif
 }
 
 static int lxc_map_ids_exec_wrapper(void *args)