better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged, and doing things like moving the physical nics back to the host netns won't work. Let's do the same thing LXD does if euid == 0: inspect /proc/self/uid_map and see what that says. Signed-off-by: Tycho Andersen <tycho@tycho.ws>

better unprivileged detection
0dfed0f9 · Tycho Andersen · Christian Brauner · 02b05b04 · 0dfed0f9
Unverified Commit 0dfed0f9 authored Jan 26, 2018 by Tycho Andersen Committed by Christian Brauner Feb 07, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 2 deletions

utils.h src/lxc/utils.h +26 -2

No files found.
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -272,8 +272,32 @@ extern void **lxc_append_null_to_array(void **array, size_t count);
 //initialize rand with urandom
 extern int randseed(bool);
-inline static bool am_unpriv(void) {
+inline static bool am_unpriv(void)
-	return geteuid() != 0;
+{
+	FILE *f;
+	uid_t user, host, count;
+	int ret;
+	if (geteuid() != 0)
+		return true;
+	/* Now: are we in a user namespace? Because then we're also
+	 * unprivileged.
+	 */
+	f = fopen("/proc/self/uid_map", "r");
+	if (!f) {
+		return false;
+	}
+	ret = fscanf(f, "%u %u %u", &user, &host, &count);
+	fclose(f);
+	if (ret != 3) {
+		return false;
+	}
+	if (user != 0 || host != 0 || count != UINT32_MAX)
+		return true;
+	return false;
 }
 /*