From d84b26bc8b531c8a8491b6c2061146d958acb63a Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 4 Jan 2021 11:21:53 +0100
Subject: [PATCH] conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner
---
 src/lxc/conf.c | 4 ++--
 src/lxc/conf.h | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 30870aa5b..3ddd30bf2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 { 0, 0, NULL, NULL, NULL, 0, NULL, 0 }
 };
 
- bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
- for (i = 0; default_mounts[i].match_mask; i++) {
+ bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+ for (i = 0; default_mounts[i].match_mask; i++) {
 __do_free char *destination = NULL, *source = NULL;
 int saved_errno;
 unsigned long mflags;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5a501b442..46bab5b30 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include
 #include
 
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 const char *script, const char *hookname, char **argsin);
 
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
 
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+ if (lxc_caps_last_cap() < cap)
+ return false;
+
 if (!lxc_list_empty(&conf->keepcaps))
 return !in_caplist(cap, &conf->keepcaps);
-- 
2.47.2
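Review bot: The removed and re-added `for (i = 0; default_mounts[i].match_mask; i++) {` lines are textually identical in this conf.c hunk, so that part of the change is presumably whitespace-only and obscures the single substantive line; it would be cleaner dropped from the fix or called out in the message. The substantive change is sound: `in_caplist(CAP_NET_ADMIN, &conf->caps)` consulted only the drop list, so `has_cap_net_admin` was true exactly when the capability was being dropped, and the proc/sys/net handling the Fixes: line refers to ran for the wrong containers. `lxc_wants_cap()` answers from the configured keep/drop lists rather than from the capability set the container task actually ends up with, so a short comment such as `/* config-level answer: keep/drop lists, not the task's effective capability set */` would help the next reader. lxc_mount_auto_mounts continues outside the hunk.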
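Review bot: The new guard `if (lxc_caps_last_cap() < cap) return false;` in the conf.h hunk depends on `lxc_caps_last_cap()` never returning a negative error value; if it can (the hunk does not show its contract), every capability would read as not wanted and all cap-gated handling would silently take the "dropped" path, so it is worth confirming the helper falls back to a compile-time last-cap constant on failure rather than an error code. Because `lxc_wants_cap` is a header-level `static inline`, the guard changes the answer for every existing caller, not only the new mount check; a one-line comment, `/* A capability unknown to the running kernel can never be granted, whatever the keep/drop lists say. */`, would record that intent. The return-type change from `int` to `bool` is fine, but callers that compared the old `int` result against specific values should be re-checked. The function body continues outside the hunk.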