From 952ab618268b4af2773ed9d8fade817363c28a5c Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 4 Jan 2021 11:21:53 +0100
Subject: [PATCH] conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec6fb9 ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner
---
 src/lxc/conf.c | 4 ++--
 src/lxc/conf.h | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5f11f82e7..ae4972551 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 { 0, 0, NULL, NULL, NULL, 0, NULL, 0 }
 };
-bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
-for (i = 0; default_mounts[i].match_mask; i++) {
+bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
+for (i = 0; default_mounts[i].match_mask; i++) {
 __do_free char *destination = NULL, *source = NULL;
 int saved_errno;
 unsigned long mflags;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 611224003..664533b8e 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -15,6 +15,7 @@
 #include
 #include
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -502,8 +503,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+if (lxc_caps_last_cap() < cap)
+return false;
+
 if (!lxc_list_empty(&conf->keepcaps))
 return !in_caplist(cap, &conf->keepcaps);
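Review bot: `has_cap_net_admin` on the `+bool` line is now only as correct as `lxc_wants_cap()` in the second conf.h hunk, whose keep-list branch returns `!in_caplist(cap, &conf->keepcaps)`; if in_caplist() reports presence as non-zero, as its name and its use on the replaced line suggest, a container that explicitly keeps CAP_NET_ADMIN is treated here as lacking it, the opposite of what the Fixes: line aims for, so that branch should read `return in_caplist(cap, &conf->keepcaps);` and the rest of that function, which lies outside the hunk, checked for the same inversion. The new `lxc_caps_last_cap() < cap` guard in that hunk also deserves a note on its failure mode: if the helper can signal an error with a negative value, every capability then reads as not wanted and whatever the mount loop does with `has_cap_net_admin` silently takes the capability-absent path, which is worth an explicit comment or check. The `-for`/`+for` pair re-adds a textually identical line, so unless it carries a whitespace fix it is churn and should be dropped from the patch. lxc_mount_auto_mounts() starts and ends outside this hunk.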