app-emulation/lxc/files/lxc-3.0.3-check-euid-for-caps.patch

From eb82d2501fa7b122cef54c591f2b73b83d1c4335 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 8 Feb 2019 15:11:46 +0100
Subject: [PATCH] caps: check uid and euid

When we are running inside of a user namespace getuid() will return a
non-zero uid. So let's check euid as well to make sure we correctly drop
capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 src/lxc/caps.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 86baee261..1a6211a48 100644
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -136,8 +136,7 @@ int lxc_ambient_caps_up(void)
 	int last_cap = CAP_LAST_CAP;
 	char *cap_names = NULL;
 
-	/* When we are root, we don't want to play with capabilities. */
-	if (!getuid())
+	if (!getuid() || geteuid())
 		return 0;
 
 	caps = cap_get_proc();
@@ -204,8 +203,7 @@ int lxc_ambient_caps_down(void)
 	cap_t caps;
 	cap_value_t cap;
 
-	/* When we are root, we don't want to play with capabilities. */
-	if (!getuid())
+	if (!getuid() || geteuid())
 		return 0;
 
 	ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_CLEAR_ALL),
-- 
2.25.0.rc1.283.g88dfdc4193-goog