From: Christian Brauner
Date: Mon, 4 Jan 2021 10:21:53 +0000 (+0100)
Subject: conf: fix CAP_NET_ADMIN-based mount handling
X-Git-Tag: lxc-5.0.0~325^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d84b26bc8b531c8a8491b6c2061146d958acb63a;p=thirdparty%2Flxc.git
conf: fix CAP_NET_ADMIN-based mount handling
Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 30870aa5b..3ddd30bf2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		{ 0, 0, NULL, NULL, NULL, 0, NULL, 0 }
 	};
-	bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
-	for (i = 0; default_mounts[i].match_mask; i++) {
+	bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+	for (i = 0; default_mounts[i].match_mask; i++) {
 		__do_free char *destination = NULL, *source = NULL;
 		int saved_errno;
 		unsigned long mflags;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5a501b442..46bab5b30 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include
 #include
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 			       const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+	if (lxc_caps_last_cap() < cap)
+		return false;
+
 	if (!lxc_list_empty(&conf->keepcaps))
 		return !in_caplist(cap, &conf->keepcaps);
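Review bot: The new `has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);` line now depends on the helper's keepcaps branch, which the conf.h hunk shows as `return !in_caplist(cap, &conf->keepcaps);`; the old conf.c line read a non-zero `in_caplist` result against the drop list as "has the capability" and that reading is exactly what this commit corrects, so under the same non-zero-when-present reading the keepcaps branch looks inverted — with `lxc.cap.keep` configured, `has_cap_net_admin` would be false precisely when CAP_NET_ADMIN is kept, and the /proc/sys/net mount decision that this flag feeds would be reversed for those containers. This is inferred from the context line alone, so confirm against the definition of `in_caplist`; if it returns non-zero on a match, the keepcaps branch should read `return in_caplist(cap, &conf->keepcaps);`. Separately, the re-added `for (i = 0; default_mounts[i].match_mask; i++) {` line is identical in content to the removed one, so the hunk appears to carry a whitespace-only rewrite that widens the change without purpose. `lxc_mount_auto_mounts` begins and continues outside the hunk, and the lines that consume `has_cap_net_admin` are not visible here.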