[lxc-devel] [lxc/stable-3.0] caps: check uid and euid
brauner on Github
lxc-bot at linuxcontainers.org
Fri Feb 8 14:15:33 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 525 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190208/63fe1d81/attachment.bin>
-------------- next part --------------
From 92deecddfc4082132a8908f66fcc282e24328074 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 8 Feb 2019 15:11:46 +0100
Subject: [PATCH] caps: check uid and euid
When we are running inside of a user namespace getuid() will return a
non-zero uid. So let's check euid as well to make sure we correctly drop
capabilities
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/caps.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 86baee261..1a6211a48 100644
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -136,8 +136,7 @@ int lxc_ambient_caps_up(void)
int last_cap = CAP_LAST_CAP;
char *cap_names = NULL;
- /* When we are root, we don't want to play with capabilities. */
- if (!getuid())
+ if (!getuid() || geteuid())
return 0;
caps = cap_get_proc();
@@ -204,8 +203,7 @@ int lxc_ambient_caps_down(void)
cap_t caps;
cap_value_t cap;
- /* When we are root, we don't want to play with capabilities. */
- if (!getuid())
+ if (!getuid() || geteuid())
return 0;
ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_CLEAR_ALL),
More information about the lxc-devel
mailing list