tree-wide: use container_uses_namespace() in less trivial cases

In our current codebase we have a logical pattern: list_empty(&handler->conf->id_map) *IF AND ONLY IF* container does NOT use user namespace Which is perfectly correct nowadays, but once we (hopefully) get an "isolated user namespaces" stuff ready it won't be the case. It will be perfectly fine to have a user namespace with empty /proc/*/{u,g}id_map files. Nowadays it's also possible, but this kind of a configuration close to useless and nobody actually uses it. No functional changes intended. Signed-off-by: Alexander Mikhalitsyn <[email protected]>
gibmat · Jan 26, 2024 · 9ac7c48 · 9ac7c48
1 parent 64341ce
commit 9ac7c48
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
@@ -564,7 +564,7 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops,
 	 * monitor is root we can assume that it is privileged enough to remove
 	 * the cgroups it created when the container started.
 	 */
-	if (!list_empty(&handler->conf->id_map) && !handler->am_root) {
+	if (container_uses_namespace(handler, CLONE_NEWUSER) && !handler->am_root) {
 		struct generic_userns_exec_data wrap = {
 			.conf			= handler->conf,
 			.path_prune		= ops->container_limit_cgroup,

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
@@ -620,7 +620,7 @@ int lxc_rootfs_prepare_parent(struct lxc_handler *handler)
 	int ret;
 	const char *path_source;
 
-	if (list_empty(&handler->conf->id_map))
+	if (!container_uses_namespace(handler, CLONE_NEWUSER))
 		return 0;
 
 	if (is_empty_string(rootfs->mnt_opts.userns_path))
@@ -4117,7 +4117,7 @@ static int lxc_rootfs_prepare_child(struct lxc_handler *handler)
 	int dfd_idmapped = -EBADF;
 	int ret;
 
-	if (list_empty(&handler->conf->id_map))
+	if (!container_uses_namespace(handler, CLONE_NEWUSER))
 		return 0;
 
 	if (is_empty_string(rootfs->mnt_opts.userns_path))

diff --git a/src/lxc/start.c b/src/lxc/start.c
@@ -1400,7 +1400,7 @@ static int do_start(void *data)
 	 * we switched to root in the new user namespace further above. Only
 	 * drop groups if we can, so ensure that we have necessary privilege.
 	 */
-	if (list_empty(&handler->conf->id_map)) {
+	if (!container_uses_namespace(handler, CLONE_NEWUSER)) {
 		#if HAVE_LIBCAP
 		if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))
 		#endif