conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec ("unmounted proc/sys/net if dropping CAP_NET_ADMIN") Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: fix CAP_NET_ADMIN-based mount handling
d84b26bc · Christian Brauner · 309ae287 · d84b26bc · d84b26bc
Unverified Commit d84b26bc authored Jan 04, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

conf.c src/lxc/conf.c +2 -2

conf.h src/lxc/conf.h +5 -1

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
 	};
-	bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
+        bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
-	for (i = 0; default_mounts[i].match_mask; i++) {
+        for (i = 0; default_mounts[i].match_mask; i++) {
 		__do_free char *destination = NULL, *source = NULL;
 		int saved_errno;
 		unsigned long mflags;

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/vfs.h>
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -515,8 +516,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 				    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+	if (lxc_caps_last_cap() < cap)
+		return false;
 	if (!lxc_list_empty(&conf->keepcaps))
 		return !in_caplist(cap, &conf->keepcaps);