conf: fix CAP_NET_ADMIN-based mount handling

Fixes: e8b9c9ec6f ("unmounted proc/sys/net if dropping CAP_NET_ADMIN")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

src/lxc/conf.c

@@ -640,8 +640,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
 		{ 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
 	};
 
-	bool has_cap_net_admin = in_caplist(CAP_NET_ADMIN, &conf->caps);
+        bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
-	for (i = 0; default_mounts[i].match_mask; i++) {
+        for (i = 0; default_mounts[i].match_mask; i++) {
 		__do_free char *destination = NULL, *source = NULL;
 		int saved_errno;
 		unsigned long mflags;

src/lxc/conf.h

@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/vfs.h>
 
+#include "caps.h"
 #include "compiler.h"
 #include "config.h"
 #include "list.h"
@@ -502,8 +503,11 @@ __hidden extern int run_script_argv(const char *name, unsigned int hook_version,
 				    const char *script, const char *hookname, char **argsin);
 __hidden extern int in_caplist(int cap, struct lxc_list *caps);
 
-static inline int lxc_wants_cap(int cap, struct lxc_conf *conf)
+static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
 {
+	if (lxc_caps_last_cap() < cap)
+		return false;
+
 	if (!lxc_list_empty(&conf->keepcaps))
 		return !in_caplist(cap, &conf->keepcaps);