better unprivileged detection

In particular, if we are already in a user namespace we are unprivileged, and doing things like moving the physical nics back to the host netns won't work. Let's do the same thing LXD does if euid == 0: inspect /proc/self/uid_map and see what that says. Signed-off-by: Tycho Andersen <tycho@tycho.ws>

better unprivileged detection
4692c01a · Tycho Andersen · 9650c735 · 4692c01a
Commit 4692c01a authored Jan 26, 2018 by Tycho Andersen
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 2 deletions

utils.h src/lxc/utils.h +26 -2

No files found.
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -427,8 +427,32 @@ extern int lxc_strmunmap(void *addr, size_t length);
 /* initialize rand with urandom */
 extern int randseed(bool);
-inline static bool am_unpriv(void) {
+inline static bool am_unpriv(void)
-	return geteuid() != 0;
+{
+	FILE *f;
+	uid_t user, host, count;
+	int ret;
+	if (geteuid() != 0)
+		return true;
+	/* Now: are we in a user namespace? Because then we're also
+	 * unprivileged.
+	 */
+	f = fopen("/proc/self/uid_map", "r");
+	if (!f) {
+		return false;
+	}
+	ret = fscanf(f, "%u %u %u", &user, &host, &count);
+	fclose(f);
+	if (ret != 3) {
+		return false;
+	}
+	if (user != 0 || host != 0 || count != UINT32_MAX)
+		return true;
+	return false;
 }
 /*