From 9ac7c4895e3f8344c2f789706aca489b32039907 Mon Sep 17 00:00:00 2001 From: Alexander Mikhalitsyn Date: Fri, 26 Jan 2024 17:20:27 +0100 Subject: [PATCH] tree-wide: use container_uses_namespace() in less trivial cases In our current codebase we have a logical pattern: list_empty(&handler->conf->id_map) *IF AND ONLY IF* container does NOT use user namespace Which is perfectly correct nowadays, but once we (hopefully) get an "isolated user namespaces" stuff ready it won't be the case. It will be perfectly fine to have a user namespace with empty /proc/*/{u,g}id_map files. Nowadays it's also possible, but this kind of a configuration close to useless and nobody actually uses it. No functional changes intended. Signed-off-by: Alexander Mikhalitsyn --- src/lxc/cgroups/cgfsng.c | 2 +- src/lxc/conf.c | 4 ++-- src/lxc/start.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index 23e92d6aa6..b4ab0aa697 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -564,7 +564,7 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, * monitor is root we can assume that it is privileged enough to remove * the cgroups it created when the container started. */ - if (!list_empty(&handler->conf->id_map) && !handler->am_root) { + if (container_uses_namespace(handler, CLONE_NEWUSER) && !handler->am_root) { struct generic_userns_exec_data wrap = { .conf = handler->conf, .path_prune = ops->container_limit_cgroup, diff --git a/src/lxc/conf.c b/src/lxc/conf.c index c6c4279e2f..d006bccc15 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -620,7 +620,7 @@ int lxc_rootfs_prepare_parent(struct lxc_handler *handler) int ret; const char *path_source; - if (list_empty(&handler->conf->id_map)) + if (!container_uses_namespace(handler, CLONE_NEWUSER)) return 0; if (is_empty_string(rootfs->mnt_opts.userns_path)) @@ -4117,7 +4117,7 @@ static int lxc_rootfs_prepare_child(struct lxc_handler *handler) int dfd_idmapped = -EBADF; int ret; - if (list_empty(&handler->conf->id_map)) + if (!container_uses_namespace(handler, CLONE_NEWUSER)) return 0; if (is_empty_string(rootfs->mnt_opts.userns_path)) diff --git a/src/lxc/start.c b/src/lxc/start.c index a34f76a609..33e4ac94aa 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -1400,7 +1400,7 @@ static int do_start(void *data) * we switched to root in the new user namespace further above. Only * drop groups if we can, so ensure that we have necessary privilege. */ - if (list_empty(&handler->conf->id_map)) { + if (!container_uses_namespace(handler, CLONE_NEWUSER)) { #if HAVE_LIBCAP if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE)) #endif