| From eb82d2501fa7b122cef54c591f2b73b83d1c4335 Mon Sep 17 00:00:00 2001 |
| From: Christian Brauner <christian.brauner@ubuntu.com> |
| Date: Fri, 8 Feb 2019 15:11:46 +0100 |
| Subject: [PATCH] caps: check uid and euid |
| |
| When we are running inside of a user namespace getuid() will return a |
| non-zero uid. So let's check euid as well to make sure we correctly drop |
| capabilities |
| |
| Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> |
| --- |
| src/lxc/caps.c | 6 ++---- |
| 1 file changed, 2 insertions(+), 4 deletions(-) |
| |
| diff --git a/src/lxc/caps.c b/src/lxc/caps.c |
| index 86baee261..1a6211a48 100644 |
| --- a/src/lxc/caps.c |
| +++ b/src/lxc/caps.c |
| @@ -136,8 +136,7 @@ int lxc_ambient_caps_up(void) |
| int last_cap = CAP_LAST_CAP; |
| char *cap_names = NULL; |
| |
| - /* When we are root, we don't want to play with capabilities. */ |
| - if (!getuid()) |
| + if (!getuid() || geteuid()) |
| return 0; |
| |
| caps = cap_get_proc(); |
| @@ -204,8 +203,7 @@ int lxc_ambient_caps_down(void) |
| cap_t caps; |
| cap_value_t cap; |
| |
| - /* When we are root, we don't want to play with capabilities. */ |
| - if (!getuid()) |
| + if (!getuid() || geteuid()) |
| return 0; |
| |
| ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_CLEAR_ALL), |
| -- |
| 2.25.0.rc1.283.g88dfdc4193-goog |
| |